Hackers hijack executives "WhatsApp Accounts"

✨ Megiddo

✨ President ✨
Staff member
968
261
The CEO email scam has reached a new level. Now, attackers aren't just spoofing the manager's name in emails; they're intercepting their WhatsApp messages and sending messages impersonating the real account owner.

A new scheme, dubbed "Boss Scam," has been described by cybersecurity investigators. It combines social engineering, third-party DLL downloading, and WhatsApp Web session hijacking.

It all begins with a message purportedly sent from a regulator or government agency. The victim is prompted to urgently review documents or comply with demands, attaching a ZIP archive. Inside is an executable file and a DLL. Upon startup, Windows automatically loads the malicious DLL, allowing the malware to gain a foothold in the system.

1-1782791202142-581c70e1-6bbd-4399-8ccc-1fe913891c04.png


Then, the target changes. Instead of encrypting files or destroying data, the attackers are interested in an active WhatsApp Web session. If found, the attackers gain the ability to read conversations and send messages impersonating the manager without bypassing two-factor authentication on the smartphone.

This is where the real danger begins. The finance department receives a completely routine message from the CEO requesting an urgent transfer of funds or change of bank details. Since the message comes from a legitimate account, it is significantly more trustworthy than a typical phishing email.

In some attack variants, the malware also modifies local contacts on the infected computer, replacing the attacker's phone number with the CEO's name. This helps maintain the illusion of authenticity even after the hijacked web session ends.

Experts warn that the attack targets not so much the IT infrastructure as the companies' business processes. Therefore, antivirus software alone will not be sufficient protection.

Specialists recommend confirming any urgent payment orders through an independent communication channel (for example, by phone or in person), not running unknown EXE files from instant messaging apps, monitoring connected devices in WhatsApp Web, and monitoring suspicious DLL downloads and attempts to steal user tokens.