03/10/2024
WhatsApp invoice phishing against new agents
Attackers impersonate marketplace support on WhatsApp, request OTPs, and hijack agent accounts to divert orders and payouts.
Tags
messaging, impersonation, agents
Incident overview
Fraud actors monitor onboarding agent forums and send WhatsApp messages that mirror official marketplace branding. They warn that verification will be revoked unless documents or one-time passwords are shared immediately. When the OTP is supplied, the attacker resets account credentials, swaps payout details, and harvests customer data.
Customer impact
- Orders rerouted to mule-run stores, causing stock-outs and refund claims.
- Agents suffer reputational damage and require manual reinstatement.
- Support workload spikes due to password resets and restitution requests.
Indicators to monitor
- OTP requests originating outside the marketplace UI or dashboard.
- New devices logging into agent accounts from previously unseen ASN/IP ranges.
- WhatsApp numbers not listed in the official partner registry but referencing legitimate support ticket IDs.
- Rapid changes to payout banks within 30 minutes of password reset events.
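The two correlation rules above (a payout bank change within 30 minutes of a password reset on the same account, and a login from an ASN never seen for that agent) expressed as detection logic over constructed audit events. This is an added example, not code from this note or from Qubicbox tooling; the event field names (agent_id, event, ts, asn) and the baseline ASN table are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real marketplace data). Field names
# agent_id, event, ts and asn are assumptions for this example.
EVENTS = [
    {"agent_id": "AG-1001", "event": "login", "ts": "2024-10-03T09:02:00", "asn": "AS64500"},
    {"agent_id": "AG-1001", "event": "password_reset", "ts": "2024-10-03T09:05:00", "asn": "AS64500"},
    {"agent_id": "AG-1001", "event": "payout_change", "ts": "2024-10-03T09:21:00", "asn": "AS64500"},
    {"agent_id": "AG-2002", "event": "password_reset", "ts": "2024-10-03T11:00:00", "asn": "AS64496"},
    {"agent_id": "AG-2002", "event": "payout_change", "ts": "2024-10-03T12:45:00", "asn": "AS64496"},
    {"agent_id": "AG-3003", "event": "login", "ts": "2024-10-03T13:10:00", "asn": "AS64496"},
]

# ASNs previously observed per agent (constructed baseline).
KNOWN_ASNS = {"AG-1001": {"AS64496"}, "AG-2002": {"AS64496"}, "AG-3003": {"AS64496"}}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def payout_changes_after_reset(events, window_minutes=30):
    """Return (agent_id, reset_ts, change_ts) tuples where a payout change
    follows a password reset on the same account within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_agent = {}
    for e in sorted(events, key=_ts):
        by_agent.setdefault(e["agent_id"], []).append(e)
    hits = []
    for agent, evs in by_agent.items():
        resets = [_ts(e) for e in evs if e["event"] == "password_reset"]
        for e in evs:
            if e["event"] != "payout_change":
                continue
            # Flag the first reset that precedes this change inside the window.
            for reset_at in resets:
                if reset_at <= _ts(e) <= reset_at + window:
                    hits.append((agent, reset_at.isoformat(), e["ts"]))
                    break
    return hits


def logins_from_unseen_asn(events, known_asns):
    """Return (agent_id, asn) for logins from an ASN not in the agent's baseline."""
    return [(e["agent_id"], e["asn"]) for e in events
            if e["event"] == "login" and e["asn"] not in known_asns.get(e["agent_id"], set())]


if __name__ == "__main__":
    print(payout_changes_after_reset(EVENTS))
    print(logins_from_unseen_asn(EVENTS, KNOWN_ASNS))
```

Agent AG-2002 is not flagged by the default window because its payout change came 105 minutes after the reset; widening the window to two hours flags it.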
Preventive controls
- Require all sensitive actions (payout changes, API keys, verification uploads) to be confirmed through the dashboard with step-up authentication.
- Publish a live support contact directory and surface contextual banners stating that Qubicbox never asks for OTPs or passwords over messaging apps.
- Feed malicious phone numbers, message hashes, and media into Qubicweb for takedown coordination with telcos and WhatsApp Business support.
- Rate limit verification-change attempts and lock accounts after three failed OTP entries.
Response checklist
- Freeze payouts and API tokens associated with the compromised agents.
- Trigger the agent recovery workflow: identity re-verification, payout validation, and communication template dispatch.
- Notify affected buyers about potential invoice fraud and provide restitution timelines.
- File abuse requests with WhatsApp Business Support including screenshots, message hashes, and affected phone numbers.
- Document the incident in the Trust Notes changelog and publish advisories to partner marketplaces.
References & playbooks
- NDPR/NDPA breach notification thresholds and timelines.
- Qubicbox Agent Recovery Runbook v2.3.
- WhatsApp Business Platform Acceptable Use Policy.
