
CTM360 has identified a rapidly expanding WhatsApp account hacking campaign, internally called HackOnChat. This campaign uses a network of deceptive authentication portals and phishing pages to target users around the world.

Attackers exploit WhatsApp’s familiar web interface and employ social engineering tactics to trick users into compromising their accounts. CTM360’s research revealed thousands of malicious URLs hosted on low-cost domains and generated quickly with modern website-building platforms, allowing attackers to deploy new pages at scale. A notable increase in incidents has been observed in recent weeks, especially in the Middle East and Asia.

HackOnChat Hacking Techniques

The HackOnChat campaign is based on two main exploitation techniques:

  • Session Hijacking: Threat actors abuse the “linked device” functionality to hijack active WhatsApp Web sessions.
  • Account Takeover: Attackers trick victims into handing over authentication keys, giving them full control over their accounts.

To carry out these attacks, cybercriminals send links through:

  • Fake security alert templates.
  • Portals that imitate the appearance of WhatsApp Web.
  • Fake group invitation messages.

These phishing sites are optimized for global reach, offering multilingual support and a country code selector that adapts the interface for users from different regions.

Consequences of a Compromised Account

Once scammers gain control of a WhatsApp account, they exploit it to:

  • Scam contacts: They request money or sensitive information from the victim’s contacts, posing as a trusted source.
  • Steal personal data: They review messages, multimedia files and documents to steal personal, financial or private data that can be used for fraud, identity theft or extortion.
  • Propagate attacks: The compromised account is used to send phishing messages to the victim’s contacts, creating a chain of attacks that spreads the scam.

HackOnChat highlights that social engineering remains one of the most scalable attack vectors today, especially when attackers exploit trusted interfaces and users’ familiarity with them.
