
Introduction:
A new social engineering scam abuses a legitimate feature of modern messaging, WhatsApp’s screen-sharing capability, to defeat one-time-password (OTP) based multi-factor authentication (MFA). By persuading victims to share their screen during a malicious video call, attackers watch OTPs appear in real time and use them before they expire. The losses can be severe: in one reported case in Hong Kong a single victim lost approximately US$700,000. The attack turns a common collaboration tool into an interception point, and at no stage does it require a software vulnerability.
Learning Objectives:
- Understand the technical and psychological mechanics of the WhatsApp screen-sharing scam.
- Learn how to detect and prevent this type of social engineering attack through technical controls and user awareness.
- Implement hardening measures for personal and enterprise communication platforms to mitigate similar threats.
You Should Know:
1. The Anatomy of the Attack: From Phishing Call to Financial Theft
The scam is a multi-stage social engineering attack that combines trust, urgency and a legitimate app feature. It begins with an unexpected WhatsApp video call from a number or profile dressed up to look like a legitimate entity: a bank, a government agency, or, as reported by ESET, a support agent from Meta. The caller manufactures urgency by claiming the victim’s account has been breached or shows suspicious transactions. Once the victim is anxious and compliant, the attacker talks them into activating WhatsApp’s native screen-sharing feature, ostensibly so the “agent” can help resolve the issue. From that point the attacker sees everything rendered on the victim’s display in real time. The final step is to steer the victim into their online banking app or email. As the victim logs in, the attacker watches the username and password being typed and, most importantly, the OTP as it arrives by SMS or is displayed by an authenticator app on the same phone; the attacker enters that code in their own session before it expires and has full access to the account.
2. Why This Bypasses Traditional Multi-Factor Authentication (MFA)
Multi-factor authentication is meant to be a robust defense, requiring something you know (a password) and something you have (a phone that receives or generates an OTP). This scam does not steal the phone; it neutralizes the “something you have” factor by making its output visible. The OTP is no longer a secret known only to the legitimate user but a transient on-screen value seen by attacker and victim at the same moment. Any OTP is a bearer value: it is valid for whoever submits it within its time window and carries nothing that binds it to the victim’s device or session, so reading it off a screen is as good as holding the phone. The attacker does not need to crack encryption or breach a server; they only need to watch at the right moment. Factors that never display a secret, such as FIDO2/WebAuthn security keys whose response is a signature over a fresh server challenge bound to the site’s origin, cannot be captured this way, which is why they are called phishing-resistant.
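The contrast above can be made concrete. The following Python script is an added example (it is not code from the original post, WhatsApp or any bank) using only the standard library: an RFC 6238 TOTP that anyone who reads it off a screen can submit, next to a simplified challenge-response factor modelled on FIDO2/WebAuthn, where the value an observer sees is useless to them. The seed, device key, origin strings and the HMAC stand-in for a security key’s signature are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Demo secrets, constructed for this example.  In reality the TOTP seed lives in the
# authenticator app and on the server; the device key never leaves the security key.
TOTP_SEED = b"demo-totp-seed-not-for-real-use"
DEVICE_KEY = b"demo-device-key-stand-in"
STEP, DIGITS = 30, 6


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_verify_totp(seed: bytes, submitted: str, unix_time: int) -> bool:
    """Typical server check: current window plus one step of clock skew either side."""
    return any(hmac.compare_digest(totp(seed, unix_time + d * STEP), submitted)
               for d in (-1, 0, 1))


def otp_seen_on_screen_works(unix_time: int) -> bool:
    """The attacker reads the code off the shared screen and types it into their own
    login a few seconds later.  Nothing ties the code to the victim's device or
    session, so the server accepts it."""
    observed = totp(TOTP_SEED, unix_time)
    return server_verify_totp(TOTP_SEED, observed, unix_time + 5)


def sign_assertion(device_key: bytes, origin: str, challenge: bytes) -> bytes:
    """Stand-in for a FIDO2/WebAuthn assertion: the authenticator signs the server's
    fresh challenge together with the origin that presented it.  Real keys use an
    asymmetric signature; HMAC is used here only to keep the demo standard-library."""
    return hmac.new(device_key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


class ChallengeServer:
    """Issues single-use challenges and verifies origin-bound assertions."""

    def __init__(self, device_key: bytes, origin: str):
        self.origin = origin
        self._key = device_key
        self._pending: set = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(32)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or already consumed
        self._pending.discard(challenge)      # each challenge is used exactly once
        expected = sign_assertion(self._key, self.origin, challenge)
        return hmac.compare_digest(expected, assertion)


def assertion_seen_on_screen_works(server: ChallengeServer) -> bool:
    """The attacker watches the whole victim login, capturing challenge and assertion,
    then tries every way of reusing what was seen.  Returns True if any attempt works."""
    victim_challenge = server.new_challenge()
    victim_assertion = sign_assertion(DEVICE_KEY, server.origin, victim_challenge)
    if not server.verify(victim_challenge, victim_assertion):
        raise RuntimeError("the legitimate login should succeed")
    replay = server.verify(server.new_challenge(), victim_assertion)   # wrong challenge
    reuse = server.verify(victim_challenge, victim_assertion)          # already consumed
    # Even if the victim is lured into signing the attacker's challenge on a look-alike
    # site, the origin bound into the signature differs from the bank's real origin.
    relay_challenge = server.new_challenge()
    phished = sign_assertion(DEVICE_KEY, "https://bank-login.example", relay_challenge)
    relayed = server.verify(relay_challenge, phished)
    return replay or reuse or relayed


if __name__ == "__main__":
    print("observed TOTP accepted:", otp_seen_on_screen_works(1_700_000_000))
    srv = ChallengeServer(DEVICE_KEY, "https://bank.example")
    print("observed assertion accepted:", assertion_seen_on_screen_works(srv))
```

The `totp` function reproduces the RFC 6238 reference vector (seed `12345678901234567890`, time 59, eight digits gives `94287082`), so the first half is the real algorithm; the second half is a deliberately simplified model whose only purpose is to show that a fresh, single-use, origin-bound challenge leaves an observer with nothing to replay.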
3. Technical Detection: Monitoring for Unauthorized Screen-Sharing Sessions
Detecting this is hard, but some indicators exist. On mobile devices an active screen share triggers a persistent, highly visible notification or status-bar indicator that cannot be dismissed while the share runs; users must be trained to notice it and to treat it as a stop sign whenever a banking or OTP screen is about to appear. In enterprise environments a Mobile Device Management (MDM) or endpoint agent may be able to report active screen-capture or screen-sharing sessions on managed devices, though that telemetry is privacy-invasive and not every platform exposes it. On the network side, a screen share is a sustained outbound video stream, so a long-lived, high-bandwidth flow to a messaging provider from a device that is at the same time talking to a banking service is the pattern worth alerting on. On a desktop or laptop you can at least check for active screen-sharing or remote-control sessions, which is what the commands below do; note that they will not see a WhatsApp screen share running on a phone.
Linux/macOS (to check for common remote access or screen-sharing tools):

    # List running processes that look like sharing or remote-control tools
    # (screensharingd is the macOS Screen Sharing daemon)
    ps aux | grep -E -i "teamviewer|anydesk|zoom|vnc|screensharingd" | grep -v grep

    # Established connections on the VNC/RDP ports (Linux; use -l instead of -n
    # to list listeners rather than live sessions)
    netstat -tun | grep -E ':(5900|5901|3389)'
    # Same check with iproute2 on modern Linux
    ss -tun | grep -E ':(5900|5901|3389)'
    # macOS netstat has no -t/-u flags; use:
    netstat -an -p tcp | grep -E '\.(5900|5901|3389) '

Windows (PowerShell):

    # Processes related to remote access or screen sharing.  The wildcards matter:
    # -like "TeamViewer" without an asterisk is an exact match and would miss
    # TeamViewer_Service or AnyDesk-style variants.
    Get-Process | Where-Object { $_.ProcessName -like "*TeamViewer*" -or $_.ProcessName -like "*AnyDesk*" -or $_.ProcessName -like "*vnc*" }

    # Connections on the VNC/RDP ports; -o adds the owning PID (add -b to see the
    # executable name, which requires an elevated prompt)
    netstat -ano | findstr ":5900 :5901 :3389"
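The MDM and network indicators described above only become useful when they are correlated: a screen share on its own is normal, a banking login on its own is normal, the two together on one device within the same minute are not. The following Python script is an added example (not code from the original post or from any MDM vendor) of that correlation run over constructed telemetry. The JSON event names, field names and app package IDs are assumptions made for the demo and are not any product’s real schema.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry in the shape an MDM or endpoint agent might emit.
# One device (phone-17) opens a banking app and receives an OTP while sharing its
# screen over WhatsApp; phone-22 does the same with no share; phone-31 shares its
# screen in a meeting but only opens a browser.
SAMPLE_EVENTS = """\
{"ts":"2024-05-02T09:14:03Z","device":"phone-17","event":"call_start","app":"com.whatsapp"}
{"ts":"2024-05-02T09:16:40Z","device":"phone-17","event":"screen_share_start","app":"com.whatsapp"}
{"ts":"2024-05-02T09:17:12Z","device":"phone-17","event":"app_foreground","app":"com.examplebank.mobile"}
{"ts":"2024-05-02T09:17:45Z","device":"phone-17","event":"sms_received","sender":"EXBANK","otp":true}
{"ts":"2024-05-02T09:19:02Z","device":"phone-17","event":"screen_share_end","app":"com.whatsapp"}
{"ts":"2024-05-02T09:19:30Z","device":"phone-17","event":"sms_received","sender":"EXBANK","otp":true}
{"ts":"2024-05-02T09:25:00Z","device":"phone-17","event":"app_foreground","app":"com.examplebank.mobile"}
{"ts":"2024-05-02T11:02:10Z","device":"phone-22","event":"app_foreground","app":"com.examplebank.mobile"}
{"ts":"2024-05-02T11:02:31Z","device":"phone-22","event":"sms_received","sender":"EXBANK","otp":true}
{"ts":"2024-05-02T12:30:00Z","device":"phone-31","event":"screen_share_start","app":"us.zoom.videomeetings"}
{"ts":"2024-05-02T12:31:00Z","device":"phone-31","event":"app_foreground","app":"com.android.chrome"}
"""

SENSITIVE_APPS = {"com.examplebank.mobile"}   # assumed banking app package ID
GRACE = timedelta(seconds=60)                  # an OTP just after a share ends is still suspicious


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_sensitive(ev: dict) -> bool:
    """Events worth protecting: a banking app coming to the foreground or an SMS OTP arriving."""
    if ev["event"] == "app_foreground":
        return ev.get("app") in SENSITIVE_APPS
    if ev["event"] == "sms_received":
        return bool(ev.get("otp"))
    return False


def correlate(raw_lines: str) -> List[dict]:
    """Flag sensitive events that occur while, or shortly after, the same device shares its screen."""
    events = [json.loads(line) for line in raw_lines.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])   # fixed-width ISO-8601 UTC timestamps sort lexically
    sharing_since: Dict[str, datetime] = {}
    share_ended_at: Dict[str, datetime] = {}
    alerts: List[dict] = []
    for ev in events:
        dev, ts = ev["device"], parse_ts(ev["ts"])
        if ev["event"] == "screen_share_start":
            sharing_since[dev] = ts
        elif ev["event"] == "screen_share_end":
            sharing_since.pop(dev, None)
            share_ended_at[dev] = ts
        elif is_sensitive(ev):
            if dev in sharing_since:
                reason = "during screen share started " + sharing_since[dev].isoformat()
            elif dev in share_ended_at and ts - share_ended_at[dev] <= GRACE:
                reason = "within %ds of a screen share ending" % GRACE.total_seconds()
            else:
                continue
            alerts.append({"device": dev, "ts": ev["ts"], "event": ev["event"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the script raises three alerts, all for phone-17: the banking app and the OTP during the share, and the second OTP 28 seconds after the share ended, which the grace window catches because the attacker may already have the code in hand. The banking login on phone-22 and the Zoom share on phone-31 produce nothing, which is the point of correlating rather than alerting on either signal alone.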
4. Proactive Hardening of Communication and Banking Apps
The first line of defense is configuring apps for maximum privacy. In WhatsApp, open Settings > Privacy (Settings > Account > Privacy on older versions) and set “Last Seen,” “Profile Photo,” and “About” to “My Contacts” or “Nobody,” which limits the information scammers can use to personalize an approach; under Calls, enable “Silence unknown callers” so cold video calls from unknown numbers never ring through. For banking apps, prefer biometric unlock (fingerprint or face) over a typed password so the password cannot be shoulder-surfed or seen over a share, but understand that biometrics do nothing for an OTP that is displayed on screen; prefer banks that offer phishing-resistant authentication, and favour apps that block screen capture (on Android, apps that set FLAG_SECURE render as a black window in any screenshot or screen share). Finally, consider a dedicated device or a separate work profile for financial transactions, never used for casual messaging or social media, which removes it from the scam’s reach entirely.
5. The Human Firewall: Developing Institutional Skepticism
Technology alone cannot stop this scam; it requires a resilient human firewall. Security training must be updated to include this specific threat. Core principles to instill include:
Inbound Call Skepticism: Never trust an incoming call from an unknown number claiming to be from your bank or a tech company. Legitimate organizations do not cold-call and then ask you to share your screen, read out a code, or log in to your account while they watch.
The “Hang Up and Call Back” Rule: If you receive a suspicious call, hang up immediately. Then, independently find the official customer service number (via the bank’s official website or your card statement) and call them back to verify the claim.
The Golden Rule of Secrecy: Never, under any circumstances, share passwords, PINs, or verification codes. No legitimate support agent will ever ask for these. Sharing your screen with someone who has asked for this information is equivalent to handing them your ATM card and PIN.
6. Incident Response: What to Do If You’ve Shared Your Screen
If you realize you have fallen for the scam, time is critical. You must act within seconds to minutes to potentially save your funds.
1. Immediately Terminate the Session: End the WhatsApp call (ending the call stops the share), force-close the WhatsApp application, and switch off Wi-Fi and mobile data so nothing further leaves the device.
2. Secure Your Accounts: From a different, trusted device (for example a laptop), immediately log into the affected accounts, starting with email because password resets for the others route through it, change every password, sign out all other sessions, and check for recovery addresses, phone numbers or mail-forwarding rules the attacker may have added.
3. Contact Your Bank: Call your bank’s 24/7 fraud department using the number on the back of your card. Inform them you are a victim of real-time fraud and request an immediate freeze on all accounts and cards.
4. Report the Incident: File a report with your local law enforcement and relevant cybercrime authorities. Also, report the phone number and incident within the WhatsApp application by long-pressing the message or contact and selecting “Report.”
What Undercode Say:
- This scam is not a technical hack of WhatsApp but a masterful manipulation of human psychology, proving that the most advanced security protocols are worthless if the user can be tricked into revealing them.
- The attack effectively negates the primary benefit of MFA by turning it into a single-factor authentication system that is transparent to the attacker, demanding a re-evaluation of MFA implementation strategies, potentially moving towards phishing-resistant FIDO2 security keys.
The emergence of this scam signifies a pivotal shift in the social engineering landscape. Attackers are no longer just exploiting software vulnerabilities but are now weaponizing the very features designed for connectivity and productivity. The $700,000 loss in Hong Kong is not an outlier but a harbinger of a widespread threat. This attack is particularly insidious because it preys on individuals’ desire to resolve a pressing problem quickly, leveraging the authority of a trusted institution. It demonstrates that security awareness training must evolve beyond password hygiene and phishing emails to include real-time communication platform threats. Organizations must now consider the security implications of every collaborative feature they enable, balancing utility with the potential for abuse.
Prediction:
In the near future, we will see a rapid proliferation of this attack methodology across all video conferencing and collaboration platforms that offer screen-sharing capabilities, such as Zoom, Microsoft Teams, and Telegram. This will likely be followed by malware designed to silently activate a device’s camera and screen-sharing functions without user consent. The cybersecurity industry will respond with more advanced behavioral analytics that monitor for the simultaneous occurrence of a video call and sensitive app usage, and we will see an accelerated enterprise adoption of hardware security keys for MFA, since their response cannot be intercepted via screen capture. The arms race between social engineers and security controls is entering a new, more personal phase.
Reported By: Michael Tchuindjang – Hackers Feeds


