/ 27 September 2019

When you’re hacked on WhatsApp

Hack attack: In May this year WhatsApp was hacked
Hack attack: In May this year WhatsApp was hacked, leaving users vulnerable to being targeted by scammers. (Phil Noble/Reuters)



Sisyphus had it easy compared to police officers who are tasked with investigating who might have compromised your WhatsApp account. The mythical Greek was condemned to eternally rolling a boulder up a hill, only to watch it roll back down again. But he never had to carry out a formal inquiry into a cyberattack.

This is something I discovered earlier this month at the Brooklyn police station in Tshwane, where I went to open a criminal case against an unknown person who had hacked my WhatsApp account.

“Sorry sesi, you say your WhatsApp has been stolen?” was the first question asked by the confused officer taking my statement. This was followed by numerous other questions from officers at the police station who had to decide exactly what crime had been committed.

My Sisyphus-like saga started when a friend alerted me on Instagram that she had received a suspicious text from my WhatsApp account that read: “Pls brw m money i will gv u tommorow. Pls i need it now i will coll u wen i’m free cos i cnt tlk wit a cell phn now. Pls col dis guy he will tell u ma problem. Constable mabhena. Pls coll him now.”

This was followed by numerous other texts and phone calls from family and friends who had received similar messages from my account. One friend, deeply concerned, phoned the number “Mabhena” provided and was told I had requested that he get R3  000 for bail on my behalf because I could not come to the phone. He provided details of an FNB ewallet into which she could transfer the money, which she duly did.

What to do next was the question I had to grapple with. I started by contacting my service provider telephonically to conduct a SIM swop in an attempt to block the number to prevent any more messages from being sent. That failed.

I was told by the provider’s call centre agent that even if I were to replace my SIM card, it would not help in this case because WhatsApp is a third-party application.

What came next was a long four hours spent trying to contact WhatsApp by email with a request to delete my account forever. I received automated replies acknow-ledging my request but these were of no use to me at the time.

I then uninstalled and reinstalled the app on my device, hoping that another verification code would be sent. But then the app opened a countdown to when the next verification code would arrive — in two hours. I was able to retrieve the account only eight hours after I was alerted to the issue, when WhatsApp finally sent a verification code.

But how was I hacked? The hijacking of my phone followed the hack of Facebook-owned WhatsApp in May, when sophisticated spyware was installed on an unknown number of smartphones, as reported by the Financial Times. The spyware, developed by Israel’s NSO Group, allowed attackers to target users through the WhatsApp voice-call feature.

At the time WhatsApp did not indicate how many of its 1.5-billion users had been affected by the hack but encouraged users to update their apps to the latest version.

In my case, the hacker appears to have been able to use the spyware to gain access to the verification code, firstly via an SMS and then through voicemail, both of which I received on the day of the hack. The code was then used to access WhatsApp using my number but on another smartphone, leaving me without control of the account.

The police advised me to open a case of fraud against the attacker. My friend’s good deed was thankfully reversed when she instructed her bank of the fraud.

Senior lecturer at the Wits School of Law Verine Etsebeth says that in the case of a data breach “it is very hard to identify and trace the hacker and even if you succeed, the chances are he is a teenager sitting on the other side of the world. In other words, jurisdiction will become a very complex and costly problem.”

Hawks spokesperson Hangwani Mulaudzi said officers undergo international training that focuses on “digital forensics and investigative methodology”. Hopefully this training will keep the boulder of cyber-attacks at the top of the hill.

Asked to comment, WhatsApp said it “can’t provide information about who accessed the account or the time and location it was accessed”.

The police have come with a case number, but that’s all. And yes, I’m still using WhatsApp.

Thando Maeko is an Adamela Trust business reporter at the Mail & Guardian