Hyderabad Police Warn of WhatsApp Impersonation Fraud Leading to Major Corporate Losses

New WhatsApp Impersonation Fraud Targets Corporate Executives in Hyderabad

HIGH
April 5, 2026
4m read
Phishing, Malware, Cyberattack

Related Entities

Organizations: Hyderabad Police
Products & Tech: WhatsApp


Executive Summary

Corporate entities in Hyderabad, India, are being targeted by a sophisticated and highly effective cyber fraud campaign that leverages WhatsApp Web to impersonate senior executives. The Hyderabad Police have issued a warning after several companies were duped out of large sums of money. The attack is a multi-stage process that combines phishing, malware, and social engineering. Attackers first gain remote access to a corporate computer via a malicious email link. They then lay dormant, waiting to hijack an active WhatsApp Web session belonging to a high-level executive. Using the executive's legitimate account, they send urgent payment instructions to the finance department, creating a sense of urgency to bypass normal verification procedures. This scheme's success lies in its use of a trusted communication channel to execute a classic business email compromise (BEC) style fraud.


Threat Overview

The attack follows a clear and patient methodology:

  1. Phishing: The attack begins with a phishing email sent to a corporate email address. When an employee clicks the malicious link, malware is downloaded and installed on the workstation.
  2. Malware Deployment: The malware provides the attackers with complete remote access to the compromised computer.
  3. Dormant Phase & Reconnaissance: The attackers wait patiently, monitoring the user's activity. Their target is an active WhatsApp Web session, particularly one belonging to a CEO, CFO, or other senior executive with financial authority.
  4. Session Hijacking: Once an executive's WhatsApp Web is active on the compromised machine, the attackers take control of the session. They now have the ability to send and receive messages as that executive.
  5. Impersonation & Social Engineering: The attacker, posing as the executive, sends an urgent message to an employee in the finance or accounting department. They typically invent a scenario requiring an immediate, large fund transfer (e.g., 'closing a secret deal').
  6. Bypassing Verification: To prevent the fraud from being discovered, the attacker uses social engineering, claiming to be in a critical meeting and unable to take a phone call for verification. This pressure, combined with the apparent legitimacy of the request coming from the CEO's real WhatsApp account, often leads the employee to comply.
  7. Financial Loss: The employee transfers the funds to a bank account controlled by the fraudsters, resulting in significant financial loss for the company.

Technical Analysis

This attack is a masterful blend of technical compromise and psychological manipulation.

  • Initial Access: Standard phishing (T1566.002 - Spearphishing Link).
  • Execution & Persistence: A Remote Access Trojan (RAT) is installed, giving the attacker a foothold (T1219 - Remote Access Software).
  • Key Component - WhatsApp Web: The entire fraud hinges on the nature of WhatsApp Web, a linked-device session that, once paired with the phone, stays signed in on the computer. Because the attackers control that computer, they inherit the already-authenticated WhatsApp session and can act as the executive without touching the phone.
  • Social Engineering: This is a form of Business Email Compromise (BEC), but using a different, often more trusted, communication medium.

Impact Assessment

  • Direct Financial Loss: Companies have reported losing crores of rupees (millions of USD) to this scam.
  • Internal Trust Erosion: The incident can create suspicion and distrust within the company, as it exploits the trust between employees and senior management.
  • Operational Disruption: Investigating the fraud, dealing with law enforcement, and attempting to recover funds causes significant operational disruption.

Detection & Response

  • EDR: An Endpoint Detection and Response solution could detect the initial malware installation and the remote access software's activity.
  • Network Monitoring: Monitoring for outbound connections to known malicious C2 servers could identify the compromised machine.
  • Human Sensor: The primary detection point is the finance employee who receives the request. Training is key to turning them into a strong line of defense.
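To make the "human sensor" point concrete, here is an added example (not code from the report or from the Hyderabad Police) that scores an inbound payment request against the social-engineering signals described above: urgency, secrecy, a refusal to take a verification call, and a transfer to account details supplied in the message. The indicator phrases, weights, thresholds and sample messages are all constructed for the illustration and would need tuning against an organisation's own traffic; it is a triage aid for finance staff or a SOC, not a substitute for the call-back rule.

```python
"""Triage of an inbound payment request for the social-engineering signals
the report describes. Added example: the messages, phrases and weights are
constructed, not taken from the Hyderabad cases."""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Constructed for the example.
INDICATORS = [
    ("urgency", re.compile(r"\b(urgent(ly)?|immediately|right now|asap|within the hour)\b", re.I), 2),
    ("secrecy", re.compile(r"\b(secret|confidential|keep this between us|don'?t (tell|mention))\b", re.I), 3),
    ("cannot_call", re.compile(r"\b(in a meeting|can'?t (take|answer) (a |the |your )?call|don'?t call)\b", re.I), 4),
    ("funds_transfer", re.compile(r"\b(wire|transfer|pay|payment|remit|send)\b.*\b(funds|money|amount|rs\.?|inr|usd|lakh|crore)\b", re.I | re.S), 2),
    ("new_beneficiary", re.compile(r"\b(account (number|details|no)|ifsc|beneficiary|new vendor)\b", re.I), 2),
]


@dataclass
class Verdict:
    score: int
    matched: list[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        # Thresholds are an assumption for the example. A refusal to take a
        # call is a hard stop on its own, as the report advises.
        if "cannot_call" in self.matched or self.score >= 6:
            return "HOLD: call the requester back on the directory number before doing anything"
        if self.score >= 3:
            return "REVIEW: confirm through a second channel"
        return "OK"


def score_request(text: str) -> Verdict:
    """Sum the weights of every indicator family present in the message."""
    verdict = Verdict(score=0)
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            verdict.score += weight
            verdict.matched.append(name)
    return verdict


# Constructed sample messages: one modelled on the reported scheme, two benign.
SAMPLE_MESSAGES = [
    "Hi, I'm closing a secret deal and need you to wire Rs 2 crore to the "
    "beneficiary below immediately. I'm in a meeting and can't take a call, just do it.",
    "Please send me the Q1 expense report when you get a chance.",
    "Can you process payment for invoice 4471 to our usual vendor by Friday? Amount is Rs 40,000.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        v = score_request(msg)
        print(f"{v.score:2d} {v.matched} -> {v.action}\n    {msg[:70]}...")
```

The first sample trips every indicator family and is held outright; the two routine requests score 0 and 2 and pass. The point of the hard stop on "can't take a call" is that it mirrors the report's advice: the excuse that blocks verification is itself the trigger for verification.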

Mitigation

Mitigation requires a combination of technical controls and robust user training.

Technical Controls

  • Email Security: Use advanced email security solutions to block phishing emails before they reach employee inboxes.
  • Endpoint Protection: Deploy and maintain up-to-date EDR and antivirus solutions on all endpoints.
  • Restrict Software: Use application control policies to prevent users from installing unauthorized software.

Process & Training Controls

  • Mandatory Multi-Channel Verification: This is the most critical mitigation. Institute a strict, non-negotiable policy that any request for financial transfers, especially those that are urgent or unusual, must be verified through a secondary channel, preferably a direct phone call to a known number for the executive. The excuse of being 'in a meeting' should be an immediate red flag.
  • Cybersecurity Awareness Training: Conduct regular, engaging training for all employees, with specific modules on phishing, social engineering, and BEC-style fraud. Use real-world examples like this one.
  • WhatsApp Usage Policy: Advise employees, especially senior executives, to be diligent about logging out of WhatsApp Web sessions on shared or office computers.

Timeline of Events

April 5, 2026: This article was published.

MITRE ATT&CK Mitigations

The most critical mitigation. Train all employees, especially finance staff, on BEC-style fraud and the importance of out-of-band verification for financial transactions.

Use EDR to detect and block the installation and execution of remote access trojans originating from phishing emails.

Although MFA cannot be applied to WhatsApp itself, requiring MFA to approve financial transfers in the accounting system provides a critical final checkpoint.

D3FEND Defensive Countermeasures

While this D3FEND technique cannot be applied to WhatsApp itself, it is the most critical control for the target of the fraud: the financial transaction. Companies must implement a non-negotiable policy that all wire transfers, especially those that are urgent or deviate from normal patterns, require multi-factor approval within the banking or accounting platform. The impersonation on WhatsApp is just the first step; the final action is the wire transfer. By requiring a second person (e.g., the controller) to approve the transfer using their own separate credentials and MFA token, the fraud is stopped. This creates a technical barrier that social engineering alone cannot bypass. The policy should be 'trust but verify,' and the verification must be technical, not just conversational.

This attack relies on social engineering, so defensive effort should focus on user awareness and process hardening rather than on endpoint tooling alone. The most effective countermeasure is mandatory, out-of-band verification for all financial transfer requests. This is a human-driven implementation of Job Function Access Pattern Analysis. The finance employee's job function includes processing payments, but the pattern of receiving an urgent, unverifiable request via WhatsApp is anomalous. The organization must train employees to recognize this anomaly and enforce a strict procedure: any request for funds made via email, text, or chat MUST be verbally confirmed by calling the executive on their known, trusted phone number. The excuse 'I am in a meeting' should be the number one trigger to initiate this verification call. This process-level defense directly counters the social engineering aspect of the attack and is more effective than any endpoint tool in this scenario.
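The out-of-band verification policy in the mitigation section above and the multi-factor, second-person approval described in this D3FEND note are two halves of one control, so here is one added example (not code from the report, from the Hyderabad Police, or from any banking product) that encodes both as a release gate for a funds transfer. A request that arrived over WhatsApp, e-mail or SMS cannot be released until the executive has been called back on the number held in the corporate directory and has explicitly confirmed it, and release further requires an approver other than the preparer to present their own time-based MFA code. The directory, the approver seeds, the channel list and the TOTP-style check are constructed assumptions.

```python
"""Release gate for a funds transfer that arrived over chat. Added example:
the directory, approver seeds and scenario are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed corporate directory: the ONLY source of call-back numbers.
DIRECTORY = {"ceo": "+91-40-0000-0001", "cfo": "+91-40-0000-0002"}
# Constructed per-approver MFA seeds (in practice held by the MFA service).
APPROVER_SECRETS = {"controller": b"constructed-seed-controller", "cfo": b"constructed-seed-cfo"}
# Channels on which the sender's identity cannot be taken at face value.
UNTRUSTED_CHANNELS = {"whatsapp", "email", "sms", "phone"}


class ControlViolation(Exception):
    """Raised when a release precondition is not met."""


@dataclass
class TransferRequest:
    claimed_requester: str      # who the message says it is from, e.g. "ceo"
    channel: str                # where the request arrived
    amount_inr: int
    beneficiary: str
    prepared_by: str            # finance staff member who keyed it in
    callback_confirmed: bool = False
    approved_by: Optional[str] = None


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style time-based code (HMAC-SHA1 with dynamic truncation)."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def record_callback(req: TransferRequest, number_dialed: str, executive_confirmed: bool) -> None:
    """Control 1: the call-back goes to the directory number, never to a number
    quoted in the message, and only the executive's explicit 'yes' clears the
    hold. 'I'm in a meeting' is not a confirmation."""
    if number_dialed != DIRECTORY.get(req.claimed_requester):
        raise ControlViolation("call-back must use the directory number for the requester")
    req.callback_confirmed = executive_confirmed


def approve(req: TransferRequest, approver: str, code: str, now: int) -> None:
    """Control 2: second-person approval with the approver's own MFA code."""
    if approver == req.prepared_by:
        raise ControlViolation("approver must be a different person from the preparer")
    secret = APPROVER_SECRETS.get(approver)
    if secret is None:
        raise ControlViolation(f"{approver} is not an authorised approver")
    if not hmac.compare_digest(code, totp(secret, now)):
        raise ControlViolation("MFA code rejected")
    req.approved_by = approver


def release(req: TransferRequest) -> bool:
    """Funds leave only when both controls have been satisfied."""
    if req.channel in UNTRUSTED_CHANNELS and not req.callback_confirmed:
        raise ControlViolation("request from an untrusted channel has not been verified by call-back")
    if req.approved_by is None:
        raise ControlViolation("no second-person approval on file")
    return True


def run_scenario(now: int = 1_700_000_000) -> list[str]:
    """Walk the report's scenario; returns what happened at each step."""
    log = []
    req = TransferRequest("ceo", "whatsapp", 20_000_000, "ACME Holdings (new)", prepared_by="ap_clerk")
    for label, action in [
        ("release without verification", lambda: release(req)),
        # The number in the message is attacker-supplied; the gate refuses it.
        ("call-back to number quoted in the chat", lambda: record_callback(req, "+91-99-0000-9999", True)),
        ("approval by the preparer", lambda: approve(req, "ap_clerk", "000000", now)),
    ]:
        try:
            action()
            log.append(f"{label}: allowed")
        except ControlViolation as e:
            log.append(f"{label}: blocked ({e})")
    # Proper path: directory call-back confirmed, then independent MFA approval.
    record_callback(req, DIRECTORY["ceo"], executive_confirmed=True)
    approve(req, "controller", totp(APPROVER_SECRETS["controller"], now), now)
    log.append(f"verified path: released={release(req)}")
    return log


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

Run it directly to see the scenario play out: releasing on the strength of the chat alone, calling back a number quoted in the message, and self-approval are each refused, and only the directory call-back plus an independent MFA approval releases the transfer. The design choice worth copying is that the call-back number comes from the directory rather than from the request, so a hijacked account cannot steer verification to a phone the fraudster controls.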

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

WhatsApp, Fraud, Phishing, Social Engineering, BEC, Impersonation, Hyderabad, India
