Supriya Sule, MP from Baramati in Maharashtra's Pune district, posted on X on Sunday stating that her WhatsApp account had been hacked and asked people not to call or message her. Later, in a post on X, Sule urged people to "never share OTPs or click on unknown links".
Reportedly, a First Information Report (FIR) in the case was registered late on Monday at Yavat police station, and the investigation has been transferred to the Cyber Cell of the Pune Rural police. The NCP (SP) leader also said that she was being blackmailed after hackers demanded $400 from her team following the hacking of her WhatsApp account.
Sule, who got back access to her WhatsApp after three hours, told BOOM, "A friend of mine sent me a message and asked me to resend it as they had deleted it. The minute I sent the message, the app stopped working for me completely."
She added that those who tried to contact her afterward also had their phones hacked, creating a "complete mess".
Asked whether she had experienced such a hacking attempt before, Sule said, "This was the first time that the entire app had collapsed, but with the assistance of Pune Police and the cybercrime police, who have been very helpful throughout, my WhatsApp was restored."
Speaking to BOOM, Police Inspector Umesh Tavaskar of the cyber police station attached to Pune Rural Police said that Sule had received a link via a WhatsApp message, and that clicking on it led to her WhatsApp being hacked.
Tavaskar said, "We provided her with the SOP to file a complaint through Meta, which requires details such as an email ID and IMEI number. By evening, her WhatsApp was restored."
Regarding the ongoing investigation, the inspector said, "We have sent an email to Meta requesting information on who might be responsible. We have also asked for details on who logged into the affected WhatsApp account a day before it was hacked, including the IP address and the internet service used."
Previous Cases of WhatsApp Hacking
Last month, the WhatsApp account of Prafull Kumar Bharat, the Advocate General of Chhattisgarh, was hacked. The scammers used the compromised account to reach out to his acquaintances and fellow lawyers, requesting money under false pretenses. The scam was exposed when lawyers started receiving suspicious messages asking for financial assistance, supposedly from Bharat himself.
In a similar case last year, the Kolkata Police cyber cell issued a warning to WhatsApp users after a student and a businessman complained that their accounts on the messaging platform had been hacked. The scam began with hackers impersonating victims on Facebook and contacting their friends through Messenger, pretending to organise yoga classes.
The scammers sent a link, asking recipients to click on it and share a six-digit OTP, which is actually a WhatsApp verification code. By sharing this code, users unknowingly gave hackers access to their WhatsApp accounts.
In 2019, WhatsApp was also exploited by the Israeli surveillance firm NSO Group to hack into the phones of several diplomats, political dissidents and journalists, along with military and government officials. The messaging platform sued NSO, accusing it of helping clients break into the phones of roughly 1,400 users across four continents.
Reportedly, WhatsApp had privately warned the targeted individuals that they had allegedly been the victims of cyber-attacks designed to secretly infiltrate their mobile phones. Of those allegedly affected by NSO's Pegasus spyware, 121 were based in India.
WhatsApp Hacking: Key Signs and Safeguards
Speaking to BOOM, Sule advised people "to be very careful as these attacks can be from known contacts", as in her case. BOOM spoke to cyber security experts who delved into the modus operandi and safeguards related to WhatsApp hacking.
Rupesh Mittal, a cyber crime consultant, highlighted that WhatsApp cannot be hacked directly due to its end-to-end encryption and lack of login credentials. Outlining the methods by which WhatsApp could be compromised, nonetheless, he mentioned, "A scammer might deceive someone into installing a screen-sharing app, sharing their OTP, or using a keylogger."
A keylogger is a type of surveillance technology used to monitor and record each keystroke made on a computer or mobile device. Hackers can use keyloggers to steal sensitive information, such as passwords and personal data, by recording everything typed on a victim's device without their knowledge.
Sending a malicious link to enable any of the three hacking techniques is a common modus operandi, Mittal added.
Ritesh Bhatia, a Mumbai-based expert, told BOOM that bad actors usually employ the call forwarding technique to obtain OTPs from their target. Call forwarding is a feature that allows incoming calls to be redirected to another phone number. Instead of ringing on the original number, the call is automatically transferred to the designated number, which could be a landline, mobile phone, or even a voicemail service.
Bhatia explained, "A scammer just needs to convince their victim to dial '*401#' followed by the number to which calls will be forwarded. When setting up WhatsApp, instead of choosing to receive the OTP via SMS, the scammer selects the call option, allowing the OTP call to be redirected to them."
After the scammers log in to WhatsApp, they enable two-factor authentication from their end, causing the victim to lose access to their account, he added.
Two-factor authentication (2FA) is an additional layer of security used to ensure that only the rightful owner can access an account or system. For example, when one logs into an account, they first enter a password (the first factor). Then, they are prompted to provide a second piece of information, such as a one-time code sent to their phone or generated by an authentication app (the second factor).
This makes it much harder for unauthorised users to gain access, even if they have one's password.
According to Bhatia, making 2FA mandatory is the easiest solution which even OTP validation cannot break. He highlighted that the onus of safeguards against hacking should lie completely on the intermediary, which in this case is the Meta-owned WhatsApp.
"The platform has security by design, why not make it by default. It is not like WhatsApp will lose users over it because everybody cares about their security," he said.