Phishing Analysis of WhatsApp Verification Scam
Background: How the Lure Arrived
A few hours ago my friend sent me a screenshot of a conversation with an unknown number that invited him to a WhatsApp group and asked him to click a link.

If you aren’t a native Arabic speaker, the convo is simply a greeting and an invitation to a “cultural” WhatsApp group. Let’s dig into what he got.
Initial Recon: Check the URL and server
I started by inspecting the URL: whhtsapgrp.vercel.app. It appears to be a web app deployed on Vercel that uses backend features to store harvested user data. Before assuming anything, I used curl to see if the site grabs my IP via an API.

Findings from the initial probe:
- There’s Telegram API communication present, and it looks like the bot API key and chat ID are embedded in the application. From experience, these builders sometimes leave them client-accessible.
- The site collects visitor IP addresses (likely used to detect country codes for WhatsApp).
Operational safety: VPN & test environment
Before interacting more, I covered my real IP with a VPN. I used the RiseVPN Open API to fetch an OpenVPN config (I have an automated script that chooses the best latency):

I connected using the fetched OpenVPN config and prepared to interact with the web interface.
Exploring the web interface
On visiting the page, it correctly detected the VPN country using an IP geolocation API and selected the appropriate country code:

I then attempted to input a phone number while capturing traffic with Burp Suite to see how the server reacts:

Result: Jackpot — I found the bot username and evidence of bot integration.
Jackpot — exposed bot info
ANDDD JACKPOTT!! 🎉🤩 I FOUND THIS GUY’S USERNAME AND BOT NAME — BOOMMM!!
This “vibe coder” didn’t restrict client-side access to backend resources, a recurring failure when Telegram bots are wired into web apps. I dug into the bot configuration.

Note: The API key and chat ID are exposed, which effectively allows anyone to read and write messages via the bot. I fetched recent messages to confirm.
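A quick check an analyst (or the developer, before deploying) can run over a downloaded front-end bundle to flag embedded Telegram bot credentials, added here as an example and not code from the original write-up. The token shape is the one common secret scanners use and is an assumption; the sample bundle and every value in it are constructed.

```python
import re
from dataclasses import dataclass, field

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>"; this is the
# pattern generic secret scanners use (assumed format, not taken from the page).
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*[:=]\s*[\"']?(-?\d{5,})")
ENDPOINT_RE = re.compile(r"https://api\.telegram\.org/bot[^/\"'\s]+/(\w+)")

# Constructed sample of a built front-end bundle that inlines bot credentials.
# All values are fake and made up for this example.
SAMPLE_BUNDLE = r'''
const API = "https://api.telegram.org/bot1234567890:AAFakeTokenForDemoPurposesOnly_ab12/sendMessage";
fetch(API, {method: "POST", body: JSON.stringify({chat_id: "-1001234567890", text: msg})});
const geo = await fetch("https://ip-geo.example/json/");
'''

@dataclass
class Findings:
    tokens: list = field(default_factory=list)   # (bot_id, redacted secret)
    chat_ids: list = field(default_factory=list)
    methods: list = field(default_factory=list)  # Bot API methods called from the client

def scan_bundle(text: str) -> Findings:
    """Flag Telegram bot credentials and Bot API calls embedded in client-side code."""
    f = Findings()
    for bot_id, secret in TOKEN_RE.findall(text):
        # Never copy the full secret into a report; keep just enough to correlate.
        f.tokens.append((bot_id, secret[:4] + "*" * (len(secret) - 4)))
    f.chat_ids = sorted(set(CHAT_ID_RE.findall(text)))
    f.methods = sorted(set(ENDPOINT_RE.findall(text)))
    return f

def redact(text: str) -> str:
    """Replace any bot token with a placeholder so a sample can be shared safely."""
    return TOKEN_RE.sub(lambda m: f"{m.group(1)}:<REDACTED_BOT_TOKEN>", text)

if __name__ == "__main__":
    print(scan_bundle(SAMPLE_BUNDLE))
    print(redact(SAMPLE_BUNDLE))
```

Point it at the JavaScript chunks served by the page; any hit means the bot token must be treated as compromised and revoked.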

Status of the scam and contacting the operator
Fortunately, the scam was still fresh and not many had fallen for it (yet). For fun and intel, I engaged the operator briefly.

This is what I call ragebaiting. I also submitted a report to Telegram’s abuse system.

Findings — quick summary
- Exposed Telegram bot token and chat ID enabling read/write access via the bot.
- IP logging via GeoIP — potential location inference.
- Backend endpoints lack authentication — poor security hygiene.
Remediation & Recommendations
For the Operator
- Revoke the exposed Telegram bot token immediately and rotate secrets.
- Remove secrets from client-side code; use environment variables and secret management.
- Add authentication and rate limiting to backend APIs.
- Validate and sanitize phone numbers; obtain consent before storing or forwarding data.
For Readers
- Don’t click unknown WhatsApp group invites.
- Enable two-step verification on WhatsApp.
- If you submitted a number, monitor for suspicious messages and notify contacts if necessary.
- Report suspicious pages to Telegram and your local CERT.
Happy Hacking!