New WhatsApp Scam Alert Tricks Users to Get Complete Access to Your WhatsApp Chats


A newly discovered WhatsApp scam has begun circulating on messaging platforms, exploiting the popular device linking feature to seize full control of user accounts.

The attack unfolds when recipients receive what appears to be a harmless message from a known contact, typically stating “Hi, I accidentally found your photo!” accompanied by a shortened URL.

Once clicked, the URL redirects victims to a counterfeit Facebook login portal, meticulously designed to mirror the legitimate interface and harvest credentials.


Early reports indicate the scam first emerged in Central Europe before rapidly spreading across multiple regions, leveraging social engineering techniques to appear authentic.

Upon entering their Facebook credentials on the fake page, victims unwittingly grant attackers access to the WhatsApp linking mechanism.

The malware then chains into WhatsApp’s desktop and web sessions by generating a valid QR code link using the compromised account’s session tokens.

Within minutes, malicious actors can view and export conversation histories, media files, and contact lists. Financial fraud, identity theft, and further targeted attacks are potential downstream consequences once control is fully established.

Phishing message (Source – X)

Gen Threat Labs analysts identified the malware after correlating unusual authentication requests with reports of unauthorized linkages to WhatsApp Business accounts.

Their research revealed that the scam’s backend infrastructure uses stealthy server clusters to relay session tokens, evading detection by conventional network monitoring tools.

The threat actors also employ ephemeral subdomains, rotating nearly hourly to frustrate takedown efforts and to avoid IP-based blacklisting.
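The hourly subdomain rotation described above leaves a measurable trace in DNS telemetry: many never-reused hostnames under one registrable domain in a short window. The following is an added detection example (not code from the article or from Gen Threat Labs) that scores constructed DNS query records for that churn pattern; the log format, the placeholder domains and the naive two-label eTLD+1 are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log as (timestamp, queried name) tuples.
# example.net models a rotating phishing host; example.org is benign traffic.
# Both are placeholders, not indicators from the article.
SAMPLE_DNS_LOG = [
    ("2024-01-01T10:00:05", "a1f3.example.net"),
    ("2024-01-01T10:20:11", "b7c2.example.net"),
    ("2024-01-01T10:45:40", "c9d4.example.net"),
    ("2024-01-01T11:05:02", "d0e1.example.net"),
    ("2024-01-01T11:30:18", "e5f6.example.net"),
    ("2024-01-01T11:55:59", "f8a9.example.net"),
    ("2024-01-01T10:03:00", "www.example.org"),
    ("2024-01-01T10:40:00", "www.example.org"),
    ("2024-01-01T11:10:00", "mail.example.org"),
]


def registrable_domain(name: str) -> str:
    """Naive eTLD+1: last two labels. Production code should use a public-suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def subdomain_churn(log, window_minutes: int = 120, min_unique: int = 4) -> dict:
    """Return {registrable_domain: distinct_hosts} for domains where, within some
    sliding window, at least `min_unique` distinct hostnames appear and every one
    of them is queried exactly once over the whole log (never reused)."""
    window = timedelta(minutes=window_minutes)
    by_domain = defaultdict(list)
    for ts, name in log:
        by_domain[registrable_domain(name)].append((datetime.fromisoformat(ts), name))

    flagged = {}
    for domain, events in by_domain.items():
        events.sort()
        total_hits = defaultdict(int)            # how often each hostname is queried
        for _, host in events:
            total_hits[host] += 1
        for i, (start, _) in enumerate(events):  # slide the window over each event
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_unique and all(total_hits[h] == 1 for h in hosts):
                flagged[domain] = len(hosts)
                break
    return flagged
```

The single-use condition is what separates rotation from a busy but stable domain such as a CDN, which reuses its hostnames.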

In addition to credential harvesting and session hijacking, the scam incorporates subtle persistence features.

A lightweight JavaScript payload injected into the fake page entices unsuspecting users to install a browser extension purportedly to “enhance privacy.”

In reality, this extension runs in the background, refreshing stolen session tokens and occasionally prompting users to reauthenticate, thereby maintaining continuous access.

Should users attempt to revoke permissions on Facebook, the malicious script intercepts the revocation flow and displays a misleading error message, further trapping victims in a loop.

Infection Mechanism

The infection mechanism hinges on a classic credential phishing strategy augmented by session token reuse. Once a user submits login details on the spoofed page, the server-side component immediately spins up a headless WhatsApp Web session using Puppeteer automation.

This headless session generates a valid QR code that is forwarded to the attacker’s console, effectively linking the victim’s mobile account to the attacker’s instance without any notification to the user.

To maximize stealth, the attackers throttle the automation scripts to mimic human-like browsing patterns, complete with randomized mouse movements and typing delays.

This approach bypasses heuristics that flag rapid, repetitive login attempts, allowing the threat actors to remain under the radar while extracting valuable conversational data.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.