Daniel Trejo had no idea that his WhatsApp account had been hijacked until he received a call from his mother. “She asked me if they were going to seize me, that she had received a message from my number asking for money,” he says. Trejo was the victim of an account hijacking technique known as SIM swapping, in which the phone number is cloned and used to usurp the identity of the owner, steal passwords and empty bank accounts. To perform this cloning, criminals use a mechanism that can be obtained on the dark web for about $200, or rely on the help of corrupt phone company employees who leave the user without service.
Dmitry Bestuzhev, director of the Research and Analysis Team for Latin America at the cybersecurity firm Kaspersky, says in an interview that over the last twelve months a 120% growth has been identified in account theft, as well as in the distribution of phishing and ransomware through messaging applications, the most popular being WhatsApp. “It’s all about social engineering. It is enough for a criminal to know our telephone number for the impersonation and extortion to start,” says the expert.
For SIM swapping, only the phone number is needed. The user loses coverage for a few minutes, enough for the attacker to take control of the messages that the user would originally receive and the files they have shared on that network. “Many people share very sensitive information, and in a short period of time the victim has lost control of their accounts,” says Bestuzhev.
In just a few minutes, Daniel Trejo was the victim of several crimes: identity theft, attempted extortion of his contacts and also the extraction of 2,000 pesos (about 100 dollars) from his bank account. “Fortunately, none of my contacts made the deposit they asked for, inventing that I was asking for them because they were going to seize me,” he says.
Of the 84.1 million internet users in Mexico, 75% use WhatsApp to communicate with family and friends, according to the Federal Telecommunications Institute (IFT), but less than 20% of them have gone through the two-step verification process to prevent account misuse. The verification method that Meta’s proprietary application offers is very simple: you have to go to the settings and create a six-digit password. “Criminals can obtain this code, but once they have been attacked, there is no possibility of doing anything,” says the Kaspersky expert.
Another method available to cybercriminals is the use of voice bots that place calls through which they can gain control of the account. Through social engineering, attackers can make a fake call from the companies that follow the user and thus trick the user into giving up the password with which they later take control of their accounts. “Even relatives of security professionals have been victims of this crime,” he says.
The keys to maintaining security on WhatsApp
The first key that Bestuzhev recommends is to carry out the two-step verification process and create a strong password that is not as easy to predict as the classic 123456. Additionally, the specialized portal WABetaInfo has set out some privacy measures to prevent strangers from having access to the data.
First, establish a robust security configuration: avoid showing last-seen times, and hide the profile image from numbers that are not saved on the phone. Also, if the user belongs to several groups with many members, it is best to establish a privacy setting that keeps the most sensitive information hidden.
User behavior is important, as database leaks are frequent. In April 2021 alone, Facebook suffered the theft of the data of 533 million people, including their phone numbers, which is the first step toward becoming the victim of an account hijacking or identity theft.
A golden rule for WhatsApp groups as well is to avoid opening links, especially when they accompany news that seems extraordinary, since the link could be malicious. Also, avoiding sending account numbers, bank statements and other sensitive information by this means is the most important thing. “You have to know that WhatsApp is not a secure platform, although many think so, it is best not to share sensitive information,” concludes Bestuzhev.
Eddie is an Australian news reporter with over 9 years in the industry and has published on Forbes and TechCrunch.