Full Report
CTM360 has identified a rapidly expanding WhatsApp account-hacking campaign targeting users worldwide via a network of deceptive authentication portals and impersonation pages. The campaign, internally dubbed HackOnChat, abuses WhatsApp’s familiar web interface, using social engineering tactics to trick users into compromising their accounts. Investigators identified thousands of malicious URLs
Analysis Summary
# Incident Report: Global WhatsApp Session Hijacking Campaign (HackOnChat)
## Executive Summary
CTM360 identified a rapidly expanding, global campaign dubbed "HackOnChat" targeting WhatsApp users via deceptive authentication portals and impersonation pages. The attackers utilized sophisticated social engineering, abusing WhatsApp Web interfaces to achieve session hijacking and account takeover. The campaign has resulted in hundreds of confirmed incidents, primarily spreading phishing attacks and data theft across the Middle East and Asia.
## Incident Details
- Discovery Date: November 20, 2025 (Date of CTM360 report)
- Incident Date: Ongoing, with a noticeable surge in recent weeks.
- Affected Organization: Individual WhatsApp Users (Global)
- Sector: Cross-Industry / Social Media Users
- Geography: Worldwide, with a surge noted across the Middle East and Asia.
## Timeline of Events
### Initial Access
- Date/Time: Ongoing (Recent weeks saw a surge)
- Vector: Social Engineering via malicious links delivered through WhatsApp messages.
- Details: Attackers deployed thousands of malicious URLs hosted on inexpensive TLDs. Links impersonated WhatsApp Web interfaces, group invites, or fake security alerts, optimized with multilingual support and country selectors.
### Lateral Movement
- Date/Time: Post-Account Takeover (Implicit)
- Vector: Compromised WhatsApp account.
- Details: Once control was gained, the compromised account was used to immediately target the victim's contact list by sending phishing messages, propagating the attack chain.
### Data Exfiltration/Impact
- Date/Time: Post-Account Takeover (Implicit)
- Vector: Unauthorized access to account data.
- Details: Attackers sifted through messages, media, and documents to steal personal, financial, or private data, potentially for fraud or extortion purposes.
### Detection & Response
- Date/Time: Identified by CTM360 investigative process.
- Vector: Threat Intelligence gathering and analysis of malicious URL infrastructure.
- Details: CTM360 identified the infrastructure and techniques, leading to the public report detailing the scope of the "HackOnChat" campaign. (Specific containment/eradication actions by end-users or WhatsApp were not detailed in the provided text.)
## Attack Methodology
- Initial Access: Phishing and social engineering using deceptive authentication portals resembling WhatsApp Web or group invitations.
- Persistence: Maintaining access via hijacked WhatsApp Web sessions (Session Hijacking) or retained authentication keys (Account Takeover).
- Privilege Escalation: Not explicitly detailed, but the goal is full account control by obtaining authentication keys.
- Defense Evasion: Rapid generation and deployment of new malicious URLs across inexpensive TLDs, making infrastructure takedowns non-trivial.
- Credential Access: Deceiving victims into entering authentication keys on fake portals.
- Discovery: N/A (Focus is on deception, not deep network scanning).
- Lateral Movement: Spreading the phishing links to the victim's established contact list.
- Collection: Sifting through messages, media, and documents within the compromised WhatsApp account.
- Exfiltration: Stealing personal, financial, or private data for fraud/extortion.
- Impact: Financial fraud (requests for money), data theft, and secondary phishing against contacts.
## Impact Assessment
- Financial: Requests for money from compromised accounts; potential financial fraud based on stolen data.
- Data Breach: Theft of personal, financial, or private data residing in WhatsApp messages/media.
- Operational: Disruption to targeted contacts who fall victim to the ensuing secondary phishing attacks.
- Reputational: Damage to the trust relationship between users and the WhatsApp platform due to the successful exploitation of its familiar interface.
## Indicators of Compromise
- Network Indicators (Defanged): Thousands of malicious URLs hosted on inexpensive TLDs, optimized regionally.
- File Indicators: Not applicable (Primarily web-based session hijacking).
- Behavioral Indicators: Push links using fake security alerts, WhatsApp Web lookalike portals, and spoofed group-invite messages.
## Response Actions
- Containment Measures: (Not explicitly detailed in the provided text; inferred response would involve reporting malicious URLs to domain registrars/hosting providers.)
- Eradication Steps: (Not explicitly detailed.)
- Recovery Actions: (Not explicitly detailed; recovery involves users revoking active sessions and changing linked device information on WhatsApp.)
## Lessons Learned
- Social engineering remains highly scalable, especially when exploiting interfaces users implicitly trust (like WhatsApp Web).
- Attackers are effectively abusing cheap infrastructure (inexpensive TLDs) and modern website-building platforms to rapidly deploy and replace phishing sites.
- The familiar context of WhatsApp (group invites, security alerts) lowers user guard.
## Recommendations
- Users must be educated to *never* enter WhatsApp credentials (QR scans or authentication keys) on external, non-official domains, regardless of how official they appear or the urgency of the message.
- Implement stringent monitoring for common WhatsApp interface cloning behavior across newly registered domains.
- WhatsApp/Meta should review notification templates used in security alerts to mitigate their potential for misuse in phishing campaigns.
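The monitoring recommendation above (together with the lure traits described under Initial Access: lookalike hostnames, inexpensive TLDs, country and language selectors) can be turned into a simple triage pass over a newly-registered-domain or URL feed. This is an added example, not CTM360's tooling; the brand and lure token lists, the "inexpensive TLD" set and the sample URLs are constructed assumptions, and only whatsapp.com and wa.me are genuine WhatsApp domains.

```python
from urllib.parse import urlparse, parse_qs
OFFICIAL_DOMAINS = {"whatsapp.com", "wa.me"}              # genuine WhatsApp domains (allowlist)
BRAND_TOKENS = ("whatsapp", "whats-app", "wa-web", "waweb")      # assumption: lookalike tokens
LURE_WORDS = ("invite", "security", "verify", "login", "alert")  # lure themes named in the report
CHEAP_TLDS = {"xyz", "top", "icu", "cfd", "sbs", "buzz"}   # assumption: tune per registrar feed
LOCALE_PARAMS = {"country", "lang", "locale", "region"}    # country/language selector params
HOMOGLYPHS = str.maketrans("4013", "aole")                 # 4->a, 0->o, 1->l, 3->e

def normalize(text: str) -> str:
    """Undo common digit/letter substitutions so 'wh4tsapp' matches 'whatsapp'."""
    return text.lower().translate(HOMOGLYPHS).replace("vv", "w")

def registrable_domain(host: str) -> str:
    """Last two labels; adequate for the single-label TLDs used here (assumption)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def score_url(url: str) -> dict:
    """Score one URL; 'reasons' lists which heuristics fired (>= 3 means review)."""
    u = urlparse(url)
    host = u.hostname or ""
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return {"url": url, "score": 0, "reasons": ["official domain"]}
    score, reasons = 0, []
    if any(tok in normalize(host) for tok in BRAND_TOKENS):
        score += 3; reasons.append("brand token in hostname")
    if host.rsplit(".", 1)[-1] in CHEAP_TLDS:
        score += 1; reasons.append("inexpensive TLD")
    if any(w in normalize(u.path) for w in LURE_WORDS):
        score += 1; reasons.append("lure word in path")
    if LOCALE_PARAMS & set(parse_qs(u.query)):
        score += 1; reasons.append("country/language selector in query")
    return {"url": url, "score": score, "reasons": reasons}

def triage(urls, threshold: int = 3) -> list:
    """Return URLs at or above the threshold, highest score first."""
    scored = [score_url(u) for u in urls]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])

SAMPLE_URLS = [  # constructed samples, not indicators from the CTM360 report
    "https://web.whatsapp.com/",
    "https://whatsapp-web-login.xyz/security?country=ae",
    "https://chat.wa-web-invite.top/invite/abc123",
    "https://wh4tsapp-verify.icu/verify?lang=ar",
    "https://example.org/blog/whatsapp-tips",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_URLS):
        print(hit["score"], hit["url"], "|", "; ".join(hit["reasons"]))
```

Brand tokens in the path alone (the example.org blog post) do not trip the threshold; the weight sits on the hostname, which is what a cloned login page has to impersonate.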