WhatsApp OTP Scam: Official URLs in Use to Steal Accounts, Identity and Cause Financial Fraud
19-January-2021

WhatsApp has a major security issue of having open URLs, which appear to show a prompt suggesting that an OTP (one-time password) has been delivered to a user. The URLs are available easily on the open internet, and to make matters worse, can be modified by any user to show any six-digit OTP that they wish to show on screen. This is one key technique that is reportedly being used by scammers in India, who target unsuspecting individuals and use this link to convince them that the call is indeed being made on behalf of WhatsApp. After gaining confidence, scammers then proceed to extract the actual login OTP to take over access of private WhatsApp accounts.

Once access is taken over, the user who originally owns the account loses control over it. Scammers can then use this access to spread spam to a user�s contacts, and also distribute malware or spyware to contacts who would trust the victim user as a regular contact and download files shared by them. Scammers can also access WhatsApp Banking chat windows and extract sensitive information from there, and cause identity theft that can lead to further financial scams, blackmail efforts and many other nefarious activities. These WhatsApp OTP URLs are easy to modify, and even to users who are relatively savvy, can come across as quite convincing.

Speaking to News18, Rajshekhar Rajaharia, an independent cyber security researcher, claimed that this is a very common technique that is employed by scammers in notoriously infamous cyber crime and online fraud circles of India, such as Jharkhand�s Jamtara or Bharatpur�s Mewat. �Online thugs from these circles use this URL and use terms like �policy update� to dupe users, and then demand the real OTP to hack WhatsApp accounts,� affirms Rajaharia. He also highlights that the real security risk from scams arising out of these links is that not enough people are aware of, or are taking the effort to avail the two-factor authentication process that WhatsApp offers.

�WhatsApp is only focusing on their mobile app right now, but they should also closely monitor their website as well. Using a small mistake (such as these URLs) of one of the world�s biggest tech companies, thugs can hack WhatsApp accounts using extrapolated tricks, and can later misuse hacked accounts in many ways,� adds Rajaharia. While News18 could not independently confirm exactly what scale of damages might these URLs have caused already, we can confirm that the said URLs affect both personal and business accounts, and are very much operational at the time of publishing the story.

In essence, this leaves practically any of WhatsApp�s over 2 billion global users, and close to 400 million Indian users, at risk of being scammed with a link that ironically originates within WhatsApp�s own official links. Unlike scam links that often have giveaways hidden in the web addresses, the said URLs are actually official WhatsApp links, complete with �https� verification that also confirms the security status of these URLs.

News18 has reached out to a WhatsApp spokesperson on the reason behind these URLs being available on the open web, and the exact utility that they serve. Answers on the aforementioned questions, as well as whether WhatsApp has been aware of the misuse of these official links, are yet to be answered. The story will be updated as and when the company issues a response.