Web News Analysis
A massive new cyber-fraud campaign dubbed “HackOnChat” has been uncovered by cybersecurity firm CTM360. The campaign targets WhatsApp users globally by deploying thousands of malicious URLs hosted on inexpensive domains.
The “HackOnChat” Vector (Phishing & Session Hijacking): This campaign exploits the trust users place in the “WhatsApp Web” interface. Attackers use two primary tactics:
- Session Hijacking: Attackers trick users into scanning a QR code on a fake site, which links the attacker’s device to the victim’s WhatsApp account via the legitimate “Linked Devices” feature. This grants persistent, mirrored access to all chats without the user’s knowledge.
- Account Takeover: Users are lured to cloned login portals and tricked into entering their SMS One-Time Passcodes (OTP). Once the attacker has the OTP, they take full control of the account on their own device.
The “Zero-Day” Vector (UAE Warning): In a separate but concurrent development, the UAE Cybersecurity Council has issued an urgent warning regarding a dangerous “zero-day” vulnerability. This flaw reportedly allows hackers to compromise smartphones via a single WhatsApp call from an unknown number, even if the user does not answer. This “zero-click” exploit can grant access to photos, conversations, and account fingerprints.
Key Cybersecurity Insights
These incidents highlight the dual threat facing mobile users: massive social engineering combined with high-level technical exploits.
- The “Linked Device” Blind Spot: The “HackOnChat” campaign weaponizes convenience. Many users do not realize that “linking” a device grants persistent access that survives even if the phone moves to a different network. Attackers use this to monitor conversations silently or launch cascading scams against the victim’s contact list.
- Cascading Trust Exploitation: Once an account is hijacked, attackers rarely stop there. They leverage the “social graph,” messaging friends and family pretending to be the victim to request money or sensitive data. Because the message comes from a “trusted” contact, the success rate is significantly higher than standard phishing.
- Zero-Click Escalation: The UAE’s warning about a “one-call” hack moves the threat level from user error to platform vulnerability. Zero-click attacks are typically associated with state-sponsored spyware (like Pegasus) but are increasingly trickling down to broader cybercrime.
- Infrastructure Scale: The deployment of thousands of multilingual, country-specific phishing sites indicates a highly organized, automated cybercrime operation, likely operating out of the global “scam centers” Meta has been attempting to dismantle.
Mitigation Strategies
In response to these threats, WhatsApp users and organizations must take immediate action:
- Audit “Linked Devices” Immediately: Open WhatsApp on your phone, go to Settings > Linked Devices. Review the list. If you see any browser or device you do not recognize (e.g., “Google Chrome (Windows)” when you use a Mac), log it out immediately.
- Enable Two-Step Verification (2SV): Go to Settings > Account > Two-Step Verification. Set up a 6-digit PIN. This prevents an attacker from registering your number on a new device even if they steal your SMS OTP.
- Silence Unknown Callers: To mitigate the “zero-day call” risk, go to Settings > Privacy > Calls and turn on “Silence Unknown Callers.” This may block the exploit trigger from ringing the device.
- Update Immediately: Ensure you are running the latest available version of WhatsApp. Zero-day vulnerabilities are often patched quickly once discovered; running an old version leaves you exposed.
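For organizations, the fake WhatsApp Web sites described above can also be looked for in web-proxy logs. The sketch below is an added example, not code from the original article or from CTM360: the log format, the hostnames and the digit-swap heuristic are constructed assumptions, and the allow-list contains only domains WhatsApp itself uses.

```python
from urllib.parse import urlsplit

# Domains operated by WhatsApp; a brand match anywhere else is suspect.
LEGIT = ("whatsapp.com", "whatsapp.net", "wa.me")
# Digit-for-letter swaps that can hide the brand name (assumed heuristic).
SWAPS = str.maketrans("457", "ast")

def is_legit(host):
    # Match the domain at the END of the host, on a label boundary, so
    # "web.whatsapp.com.link-device.example" and "notwhatsapp.com" both fail.
    return any(host == d or host.endswith("." + d) for d in LEGIT)

def brand_in(host):
    # Undo swaps and drop separators: "what5-app" -> "whatsapp".
    squashed = host.translate(SWAPS).replace("-", "").replace(".", "")
    return "whatsapp" in squashed

def suspicious_hosts(log_lines):
    """Return (client, host) pairs for brand lookalikes outside LEGIT."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line
        client, url = parts[1], parts[2]
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        if host and brand_in(host) and not is_legit(host):
            hits.append((client, host))
    return hits

# Constructed sample proxy log lines ("<time> <client> <url>");
# the hostnames are made up for illustration, not observed indicators.
SAMPLE_LOG = [
    "2025-01-01T09:00:01Z 10.0.0.5 https://web.whatsapp.com/",
    "2025-01-01T09:00:07Z 10.0.0.8 https://web.whatsapp.com.link-device.example/qr",
    "2025-01-01T09:01:12Z 10.0.0.9 https://what5app-web.example/login?otp=1",
    "2025-01-01T09:02:30Z 10.0.0.5 https://notwhatsapp.com/verify",
    "2025-01-01T09:03:00Z 10.0.0.7 https://intranet.corp.example/wiki",
    "bad line",
]

if __name__ == "__main__":
    for client, host in suspicious_hosts(SAMPLE_LOG):
        print(f"review: {client} -> {host}")
```

A hit is a lead for review rather than proof of compromise; the useful follow-up is asking the affected user to audit Linked Devices as described above.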