Recent reports describe a widespread WhatsApp scam in which attackers take over a victim’s account and send urgent money requests to the victim’s contacts, often citing unexpected expenses like medical bills. Users are urged to verify requests via another channel, close all active WhatsApp sessions (including WhatsApp Web), check archived chats, enable two-step verification, and report incidents to authorities. #WhatsApp #WhatsAppWeb
Key points
- Attackers compromise WhatsApp accounts and use the victim’s contact list to send fraudulent money requests to friends, colleagues, and family.
- Messages appear to come from a known contact and exploit trust and urgency to push recipients into immediate payments.
- If active sessions (including WhatsApp Web and other connected devices) are not manually disconnected, attackers can maintain access and continue the scam even after some recovery attempts.
- Fraudulent messages can be sent from archived or rarely used conversations, so victims may not notice the activity right away.
- Recipients should not act impulsively: verify any unexpected money request via a phone call or an alternate channel before sending funds.
- Mitigations include closing all active sessions, reviewing archived chats, enabling two-step verification, informing contacts about the compromise, and reporting incidents to authorities.
MITRE Techniques
- [T1078] Valid Accounts – Attacker takes control of a victim’s WhatsApp account and uses the address book to contact others; ‘the attacker takes control of the victim’s WhatsApp account and uses their address book to contact friends, colleagues and family.’
- [T1566] Phishing – Social-engineering messages leverage trust and urgency to coerce recipients into sending money; ‘the message leverages trust and urgency to push for immediate payment.’
Indicators of Compromise
- [None] The article does not report technical IOCs such as IP addresses, domains, file hashes, or filenames; it describes behavioral indicators like unauthorized messages from a known WhatsApp contact and persistent active sessions.