In May 2018, Jeff Bezos received a WhatsApp message on his smartphone from an account belonging to Saudi Arabia’s Crown Prince, Mohammed bin Salman. Bezos had previously exchanged messages with the Crown Prince on the application, so the message raised no red flags for Bezos or his cybersecurity team. However, a later forensic evaluation of the phone concluded that this WhatsApp message was the likely source of the smartphone’s compromise.
How Did This Happen?
The Crown Prince’s message allegedly carried malicious code that implanted itself on Bezos’s device. The code behaved like a trojan horse: it deployed as soon as Bezos opened the file, without triggering any alarms or warnings. A trojan horse is malware disguised as a legitimate program or file (in this case, the attachment sent over WhatsApp). The attachment appeared to have a useful purpose but also carried a hidden, malicious one that compromised Bezos’s smartphone. Whether the Crown Prince’s own WhatsApp account was also breached remains undetermined and is currently under investigation. The available attribution points to the Saudi Crown Prince as being behind the attack, but cases like this are always very difficult to prove.
What Happened Once The Hackers Got In?
Once inside Bezos’s smartphone, the attacker(s) exfiltrated gigabytes of data, including photos and private conversations. As you may know, this led to incriminating photos of Bezos with his mistress being published, a very public divorce, and a roast by Chris Rock at the Oscars, all because of a cyber-attack.
WhatsApp Security Flaws
WhatsApp has been under fire lately because of critical flaws reported and patched in the past year. Flaws may remain in the application, and users need to take specific steps to protect themselves from being successfully attacked.
For example, a recent Forbes article reported:
This weekend, a friend in a group chat warned the rest of us not to open a message from her—she had been hacked, she said, and we should not “give away any six-digit numbers.” Attackers, it seems, had gained access to her WhatsApp account and captured the phone numbers of members of the group. They were then able to send WhatsApps to the other group members, telling them they were about to receive an SMS message and could they please send it back to her.
The attacker behind the hijacked WhatsApp account was trying to obtain the six-digit verification code that WhatsApp sends by SMS when an account is registered on a new device. That code proves to WhatsApp that whoever enters it controls the phone number, so anyone who obtains it can register the account on their own, illegitimate device and take it over; the victim’s phone is logged out of the account in the process. Note that the attacker never has to intercept the SMS: they request a new registration for the victim’s number, the code lands on the victim’s own phone, and the victim is talked into forwarding it. This is similar to a SIM swapping attack, in which the attacker persuades the mobile carrier to move the victim’s phone number onto a SIM the attacker controls, so that the codes are delivered straight to the attacker. If this happens to you, please read this explanation of what to do from WhatsApp themselves.
What Can Be Done?
First, you could delete the app and stop using it until its security improves. Since that is unlikely for many of you, there are important steps to take to defend against these WhatsApp account takeover risks. In the WhatsApp application, enable Two-Step Verification, which sets a PIN that must be entered whenever your phone number is registered on a new device. Don’t forget to also add an email address so you can get back into your account should you forget that PIN. This PIN is separate from the six-digit SMS code mentioned earlier, which only verifies a new install; an attacker who tricks you out of an SMS code still does not have the PIN. WhatsApp calls this feature “Two-Step Verification”; it is a form of two-factor authentication (2FA), and setting up 2FA on all your critical accounts is a best practice CyberHoot strongly recommends to defend against attackers. Finally, never forward a verification code to anyone, even a contact you trust, because that contact’s account may already be in an attacker’s hands.
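To make the code-relay attack and the Two-Step Verification defense concrete, here is an added example, written for this page and not code from WhatsApp or from the Forbes article. It is a toy model of a phone-number-based registration flow (an assumption standing in for WhatsApp’s real, non-public protocol), with constructed phone numbers, device names and a constructed PIN. The attempt limit and the PBKDF2 PIN hashing are choices made for this model, not WhatsApp’s actual policy. It replays the group-chat scenario above: the attacker requests registration of the victim’s number on the attacker’s handset, the SMS code is delivered to the victim, the victim “sends it back”, and the attacker tries to finish registration with and without a PIN in place.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical policy knob for this model (not WhatsApp's actual limit).
MAX_PIN_ATTEMPTS = 3


@dataclass
class Account:
    phone: str
    device_id: str                      # device currently bound to the account
    pin_hash: Optional[bytes] = None    # set only when two-step verification is on
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    failed_pin_attempts: int = 0


class MessengerServer:
    """Minimal server: accounts are keyed by phone number, and a new device
    takes over an account by proving it received the SMS code sent to that number."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # phone -> (code, requesting device). The code is bound to the device that
        # asked for it, not to the handset that physically received the SMS.
        self.pending: dict[str, tuple[str, str]] = {}
        # Constructed stand-in for the carrier: (destination number, SMS text).
        self.sms_outbox: list[tuple[str, str]] = []

    @staticmethod
    def _hash_pin(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)

    def enable_two_step(self, phone: str, pin: str) -> None:
        acct = self.accounts[phone]
        acct.pin_hash = self._hash_pin(pin, acct.pin_salt)

    def request_registration(self, phone: str, device_id: str) -> None:
        """Anyone can trigger this for any number; the SMS goes to the number's owner."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.pending[phone] = (code, device_id)
        # The SMS names neither the requesting device nor where the request came from.
        self.sms_outbox.append((phone, f"Your verification code is {code}"))

    def verify(self, phone: str, device_id: str, code: str,
               pin: Optional[str] = None) -> str:
        entry = self.pending.get(phone)
        if entry is None:
            return "no pending registration"
        expected_code, requesting_device = entry
        if device_id != requesting_device or not hmac.compare_digest(code, expected_code):
            return "bad code"
        acct = self.accounts.get(phone)
        if acct is not None and acct.pin_hash is not None:
            # Two-step verification: the SMS code alone is not enough.
            if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
                return "locked"
            if pin is None or not hmac.compare_digest(
                    self._hash_pin(pin, acct.pin_salt), acct.pin_hash):
                acct.failed_pin_attempts += 1
                return "bad pin"
        # Success: bind the account to the new device; the old device is logged out.
        del self.pending[phone]
        if acct is None:
            self.accounts[phone] = Account(phone=phone, device_id=device_id)
        else:
            acct.device_id = device_id
            acct.failed_pin_attempts = 0
        return "registered"


def run_code_relay_attack(two_step_enabled: bool) -> dict:
    """Replays the group-chat scenario against the model. All names are constructed."""
    server = MessengerServer()
    victim, victim_device = "+15550001111", "victim-handset"
    attacker_device = "attacker-handset"

    # The victim registers normally on their own handset.
    server.request_registration(victim, victim_device)
    _, sms = server.sms_outbox[-1]
    server.verify(victim, victim_device, sms.split()[-1])
    if two_step_enabled:
        server.enable_two_step(victim, "481516")  # constructed PIN the attacker never learns

    # The attacker asks to register the victim's number on the attacker's handset.
    server.request_registration(victim, attacker_device)
    delivered_to, sms = server.sms_outbox[-1]
    relayed_code = sms.split()[-1]  # the victim "sends it back", as the hijacked contact asked

    # Without a PIN the first attempt wins; with a PIN the attacker can only guess,
    # and the correct PIN arriving after the lockout no longer helps.
    outcomes = [server.verify(victim, attacker_device, relayed_code, pin=guess)
                for guess in ("000000", "123456", "111111", "481516")]
    return {"sms_delivered_to": delivered_to,
            "outcomes": outcomes,
            "bound_device": server.accounts[victim].device_id}


if __name__ == "__main__":
    print("without two-step:", run_code_relay_attack(False))
    print("with two-step:   ", run_code_relay_attack(True))
```

The model makes two points visible: the SMS is delivered to the victim’s number every time, so the victim sees a legitimate-looking code and has no way to tell from the message that someone else requested it; and once a registration PIN exists, forwarding the code is no longer enough, because the server binds the number to the new device only after both factors check out.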