Truth about WhatsApp hacking in South Africa

While WhatsApp promises end-to-end encryption for all communications over the platform, attackers can still trick users into giving them the information needed to hijack their accounts.
WhatsApp’s security and privacy are in the spotlight after Iranian state television advised citizens to uninstall the app from their devices, alleging that its owner, Meta Platforms, shares user data with Israel.
Iran’s report did not offer evidence for its claim, and WhatsApp denied the allegation that it shares people’s data with any government.
WhatsApp said it was “concerned these false reports will be an excuse for our services to be blocked at a time when people need them the most.”
End-to-end encryption promises completely private communications, with even a platform provider like WhatsApp unable to read messages or hear conversations.
“We do not track your precise location, we don’t keep logs of who everyone is messaging, and we do not track the personal messages people are sending one another,” stated WhatsApp.
“We do not provide bulk information to any government.”
It should be noted that although WhatsApp claims to provide end-to-end encryption, it is impossible to verify as its software remains closed source.
However, WhatsApp’s encryption was developed and integrated by renowned hacker Moxie Marlinspike and his team at the former Open Whisper Systems.
WhatsApp uses Signal Protocol, the same system as the open-source messaging app Signal. Signal is developed by the Signal Technology Foundation, the successor to Open Whisper Systems.
The partnership between Open Whisper Systems and WhatsApp began in 2014, and Marlinspike announced that they had completed the integration in 2016.
While it is possible that Meta Platforms weakened the encryption system Marlinspike and his team had integrated into WhatsApp since then, there is no evidence to support that.
Full encryption does not mean hack-proof

Using end-to-end encryption only means that conversations over a communications channel are private. It does not mean unhackable.
Like any digital platform, instant messaging services are susceptible to various forms of phishing attacks. These attacks attempt to trick users into allowing cybercriminals to log into their accounts.
WhatsApp is not alone in this respect — users on other popular platforms like Telegram and Signal could be tricked in similar ways.
There is a common misconception that Telegram is somehow more secure than WhatsApp, but this is inaccurate in all respects.
Not only does Telegram not default to end-to-end encryption, instead storing people’s messages on its servers, but MyBroadband witnessed dozens of people getting their Telegram accounts hijacked this month.
In one incident, an attacker took control of a victim’s Telegram account and added all of their contacts to a group called “Investec Stock Tradings”.
The group administrator also pretended to be Cumesh Moodliar, the CEO of Investec South Africa.
This group appears to be an ordinary advance-fee investing or recruitment scam, promising users a tenfold return on investments of between R5,500 and R30,000.
Telegram and WhatsApp account hijacks typically rely on the attacker convincing a user to forward them the one-time PIN (OTP) needed to log into the account.
While it sounds simple enough to tell people not to forward such OTPs to anyone, these phishing attacks are often persuasive.
Even tech-savvy users have reported being caught at precisely the wrong time and getting tricked into forwarding an SMS containing an OTP without initially realising what was in the message.
In addition to phishing, more advanced attacks could involve techniques like SIM swap fraud.
Many platforms offer two-factor authentication (2FA) to mitigate account hijacks from attacks like these. It lets users set a secondary password or code, without which no one can log in.
Double-edged swords

However, even features like 2FA that are meant to keep users safe have drawbacks, and attackers have weaponised them to try to extract more value from compromised accounts.
In a November 2023 incident, a South African doctor was tricked into forwarding a WhatsApp OTP SMS when an attacker impersonated one of his contacts and convinced him it was a Zoom link code.
After taking over the doctor’s WhatsApp account, the attacker sent messages to his contacts saying he was in an emergency without access to his bank account and needed them to send him cash via e-wallet.
The doctor had not previously enabled 2FA, which left the door open for the attacker to do so, preventing the victim from recovering his account.
Even though the doctor still controlled the cellphone number linked to the account, WhatsApp enforces a 7-day cooling-off period before 2FA can be reset or disabled.
Despite attempts to contact Meta Platforms for assistance, the attacker maintained control of the doctor’s WhatsApp account for the full week.