More than eight days after the WhatsApp accounts of CONFIDENTIAL and Bacanalnica were usurped by unknown individuals who used them to distribute pornographic material and propaganda of the ruling Sandinista Front, and the failed attempt against the account of the Article 66 platform, the Tigo telephone company, in Nicaragua, which manages these numbers, has not been publicly pronounced on the case, while doubts persist about how they accessed the verification SMS of those numbers. Along with the kidnapping of these accounts, the usurpation of the Canal 10 account was also revealed, which occurred months ago, with a number from the Claro company, which has not given an answer either.
Directly, the Business Service and Product and Technology departments of Tigo Nicaragua established contact with CONFIDENTIAL, succinctly assuring that they carried out an investigation of the case and that they found no evidence of vulnerability in the security of the telephony.
However, national and international specialists on security issues, consulted by CONFIDENTIAL, do not rule out that those who directed the attack against media accounts had access to private information, such as SMS or voicemail.
However, vulnerabilities are also present in the WhatsApp messaging application, despite its security and message encryption, which were exploited by people with computer knowledge to hijack accounts.
Last January 6, CONFIDENCIAL suspended the sending of its Informative Alerts via WhatsApp after his number was compromised, with various attempts that ended with the usurpation of the account.
“The hacker had access to the WhatsApp verification SMS, set new codes, changed the WhatsApp account. CONFIDENTIAL from WhatsApp Business (configured for companies) to WhatsApp Messenger (used by natural persons) and modified the biography of the account, to show off its theft. In the account where you were previously invited to subscribe to Informative Alerts, the usurper posted the message: “Number stolen by the most powerful in Nicaragua. Sincerely, I am Immortal.” in capital letters, followed by a Nicaraguan flag,” he denounced CONFIDENTIAL in a note to his readers.
Similarly, Bacanalnica satire blog He denounced a day later that his account was compromised, his number was activated on another mobile device and the WhatsApp account was migrated.
“The number was stolen and they created a new WhatsApp account with the same number,” explained the blog’s author, Manuel Díaz. According to the blogger, also a specialist in marketing and digital security, he managed to establish contact with the usurper of the account, who assured him that he did have access to the contacts and sent him screenshots to prove it, although the attacker would not have had access to the content. of messaging.
Specialists in security issues and technology enthusiasts agreed that it could have been several simultaneous attacks on the media, which would have also escalated to other people who did not publicly denounce the usurpation.
The attempted attack on Article 66
The Article 66 platform was also affected and reported that they tried to violate their WhatsApp account. In a note to their readers they stated that they had two-step authentication activated, and only suffered a temporary account suspension for nine hours, retaking control of the account days later.
Álvaro Navarro, director of Article 66, told CONFIDENTIAL that “this was the first (attempt to enter the account), which WhatsApp reported to us, but for them to block it (the attacker) had to do several.”
According to Navarro, having the two-step authentication enabled by WhatsApp was one of the reasons why the Article 66 account was not compromised.
However, Díaz denounced from his blog that they also had activated this additional security step and in any way his account was usurped. The same thing happened with CONFIDENTIAL, which had authentication enabled with a corporate email, which was changed by the attacker.
WhatsApp vulnerabilities
A Nicaraguan security specialist, who asked that his name be omitted for fear of reprisals, explained to CONFIDENTIAL that WhatsApp has many vulnerabilities that allow third parties to access accounts that, in theory, are private.
One way to exploit these vulnerabilities is in the two-factor authentication offered by the application. This procedure or 2FA, for its acronym in English, refers to an extra layer of security that users can add to a WhatsApp or email account.
“According to two previous cases that I have seen, and from my experience, what happens is that when you activate 2FA, WhatsApp offers you the option of placing a recovery email in case you forget those codes. If you skip that step, when trying to install the app on another phone and you forget the codes, WhatsApp offers you the option to ‘install anyway’ under the condition that you lose all backup messages and contacts you have backed up on that account.” detailed the specialist.
CONFIDENTIAL followed all the steps established by the Whatsapp support area, with their corresponding processes, and escalated the complaint through international organizations specialized in digital security. Still, the response from the app took more than a week. Currently, the WhatsApp account of CONFIDENTIAL was unsubscribed, an action to which readers also contributed following the recommendation to report and block the number after the obscene messages.
The specialist added that the other vulnerability of the application —known for almost ten years on the Internet— is popularly called “mailing”. It consists in that when the “hacker” tries to access your account from another phone, and the account asks him to verify the security code, he chooses the option of doing it by means of a telephone call that arrives directly to the voicemail of the number in question.
“They write to Tigo’s WhatsApp number and there they request a pin change through ‘the Lisa bot’ that allows them to change the pin of my voicemail simply by providing some answers (personal information) and then supposedly passes you to an operator of Tigo who agrees to change your voicemail number. (…) They, with a specialized program, manage to enter my mailbox, enter the confirmation pin and manage to listen to the code”, explained a technology enthusiast who has been a victim of this method.
Cybercrime Law and internal collaborator
Specialists also point out that the Special Cybercrime Law would be giving access to user information to political officials of the Government, who operate from authorized institutions.
The Special Cybercrime Law, approved by the Ortega Assembly in October 2020, it orders telephone companies to keep, for a period of one year, the records of telephone conversations, text messages, serial numbers of assigned equipment and even geolocation data of users.
Although the same law determines that this information may only be provided to the National Police, the repressive arm of the regime, and to the Public Ministry, in charge of fabricating crimes against opponents, the specialists do not rule out that information from the users to political operators.
“The attackers may have received information with the consent of the company, not necessarily at the institution level, but it did require collaboration. In summary, for your WhatsApp to be stolen, the attacker must have good technical knowledge to access the company’s system without your authorization, or have the collaboration of someone within it, let us remember that even if this were the case, the data preservation forces companies to provide the information of ‘state institutions’ that require it”, mentioned the specialist.
According to her, the same Cybercrime Law allows telephone companies to provide information on the terminals in which the numbers of the media were registered, and thus facilitate the understanding of what happened on the days that an attempt was made to violate security. of those accounts.
“This shows a concern that was already in the air. First, there is no such data privacy for the client and although legally the numbers do not belong to the users, but to the company, the client needs a guarantee of the proper use of the data”, he added.
CONFIDENTIAL tried to obtain an official version of what happened with the Tigo company, but the communications office did not respond to any of our requests.
How to protect your account?
Despite everything, users can take some measures to prevent their information from being violated, at least, which corresponds to activating the security barriers personally, experts value.
“At the end of last year I learned of a couple of activists who managed to steal accounts even though their accounts had 2FA,” he said after stressing that you have to know the security options offered by applications and not underestimate them, but configure them correctly. In addition, he indicated that in the case of journalists, activists and human rights defenders there are international support entities, such as Access Now, which together with Citizen Lab recently discovered the attack with the Pegasus espionage program against 35 journalists from El Salvador, including 22 of the digital medium El Faro.
Among the measures recommended for users is also not to skip the option to send the security key by email and opt for it instead of open calls and SMS, that is, through the telephone line, which may be engaged.
