WhatsApp accounts hacked through fake voting scam

A new phishing campaign has been detected by Kaspersky, targeting WhatsApp users through a fraudulent online poll. Attackers lure victims with a seemingly legitimate voting page, often presented as a contest showcasing new athletes, though other themes are also used. The method is easily adaptable to different scenarios, with the ultimate goal of hijacking WhatsApp accounts.

The scam begins when users are directed to what looks like a valid competition website. The page may display photos of athletes, each accompanied by a “Vote” button and a real-time counter showing supposed total results and participant numbers. These elements create a false sense of legitimacy, encouraging users to interact. The site also claims that anyone can join the competition after a quick “authorization” process, with winners allegedly receiving prizes from “sponsors.”

By clicking either “Vote” or “Authorize,” users are redirected to a fake page prompting them to “quickly and easily” authorize through WhatsApp. They are then asked to enter the mobile number linked to their WhatsApp account. The attackers exploit WhatsApp Web’s login feature, which generates a one-time six-digit code. When the victim enters their number, the system produces this code and displays it on the malicious site. Once the user types this code into the app on their phone, the attackers’ web session is activated. This grants them the ability to monitor the victim’s messages, send new ones, and ultimately seize control of the account.

“We’re seeing that online voting competitions are very popular right now, and attackers are exploiting the trust in what appears to be a harmless activity. By combining social engineering with convincing fake environments, they are turning user participation into a weapon to steal sensitive data. Awareness and vigilance are crucial to staying safe,” explained Tatyana Shcherbakova, Web Content Analyst at Kaspersky.

To protect yourself from such account takeover scams, Kaspersky recommends the following measures:

• Enable two-step verification: Use WhatsApp’s two-step verification to add an extra layer of protection, requiring a PIN to access your account.
• Verify website authenticity: Never enter personal information on unfamiliar websites, especially those accessed via unsolicited links. Always check the validity of the URL.
• Never share verification codes: WhatsApp will never ask you for your verification code. Do not share it with anyone, even if the request seems to come from a trusted source.
• Use reliable security software: Install trusted security solutions to detect and block malicious websites and links.