The scam has been in use for years, but users continue to be fooled by it.
It involves tricking users into sending a login code.
The hacked accounts can then be used for further fraudulent activity, such as posing as the person whose account was hacked and asking for money.
Taking control of an account gives the hackers access to the user’s list of contacts.
They then try to log into one of those accounts, asking WhatsApp to send them a six-digit login code via SMS. The SMS is received by the account’s legitimate owner.
The hackers then send the target a message via WhatsApp, posing as the friend the account belonged to before being hacked.
They pretend to have lost access to their WhatsApp account and to have sent the six-digit login code to the wrong person, asking the target to send them a screenshot of the login code.
A person lured by the attack told the BBC it was only a day later that he realised he had sent the login code for his own account to a scammer.
“The safety and security of our users and their messages are really important to us,” WhatsApp said in a statement.
“However, just like regular SMS or phone calls, it’s possible for other WhatsApp users who have your phone number to contact you.”
The company advised users to never give a password or SMS security code to anyone, not even friends or family, and to enable two-step verification for additional protection.
Singapore police warned last week of a scam spreading in the country that makes use of hacked WhatsApp accounts.
Targets receive a message from the account of a contact whose account has been hacked, telling them about an auction of gold bars that were supposedly seized by customs authorities.
The scammers send a fake invoice for the gold bars, which are supposedly being sold at 30 percent below the market rate, and instruct the target to make payments to a list of accounts.
Police also warned that hackers are using a voicemail verification scam to hack into WhatsApp accounts.
The attacker attempts repeatedly to log into the target’s WhatsApp account, after which WhatsApp prompts them to verify their account via a phone call.
The service then calls the legitimate user’s phone with a verification code. If the call isn’t picked up and voicemail is enabled, the automated service leaves the verification code on the user’s voicemail.
The hackers can then access the user’s voicemail if the user hasn’t changed the default PIN number, and use the verification code to hijack the WhatsApp account, Singapore police said.
They encouraged users to turn on two-step verification and to change their service provider’s default voicemail PIN code.
WhatsApp has also published an online guide for keeping accounts safe.