Recently, there was a new trend of phishing campaigns targeting instant messaging accounts, such as WhatsApp, in Hong Kong.
Hackers had been creating counterfeit login webpages for an instant messaging platform, then advertising the page in search engines to position at higher search engine results for luring the targeted users to enter and scan the QR code shown on the phishing site. If the user had carelessly scanned the QR code on the webpage, the hacker could access the user’s account and contact and scam their families and friends through impersonation.
Below is an image depicting the phishing site, which closely resembles the WhatsApp web version. The site includes a QR code for logging in and provides users with accompanying instructions to follow.
Despite the QR code being a legitimate WhatsApp login code, it was replayed from the hacker’s device. Once a user scanned the code, the hacker could gain authorised access to the user’s instant messaging account, but not the user’s device. The hacker could then retrieve extensive information and data, including photos, videos, documents, chat records, and contact book details.
With this access, the hacker could assume the identity of the logged-in user and send malicious messages to the families and friends, such as requesting fund transfers or purchases of “point cards”. To further deceive the victim, the hacker would conceal these malicious messages within the archive folder to avoid detection.
The Hong Kong Computer Emergency Response Coordination Centre (HKCERT) urges local users to stay vigilant against the mentioned phishing attack and reminds the public to verify the URLs of instant messaging platforms before attempting to log in. Moreover, mobile device users should not click any links from untrusted sources such as advertisements from search engines.
In addition, instant messaging users should check their accounts periodically for unknown devices being linked to their accounts and monitor the archive folders in the instant messaging platforms regularly for malicious records. If there are any financial requests from families and friends through instant messaging, such requests shall be verified over the phone or in person.
Tip 1: Regularly check the list via “Setting” -> “Linked devices”. Log out of all unknown devices (if any) immediately.
Tip 2: Monitor the “archived” folders in the instant messaging platform for any malicious records.
For more information about preventive measures for phishing campaigns targeting instant messaging accounts, read more here.
Enterprises or members of the public in Hong Kong who wish to report to HKCERT about information security-related incidents such as malware, phishing, denial of service attacks, and others can do so by completing this online form or calling the 24-hour hotline at +852 8105 6060. For further enquiries, please contact HKCERT at [email protected].