A spokeswoman for WhatsApp says the company has been working with Google to remove the fake adverts. Photo: Shutterstock

Scam websites disguised as WhatsApp login pages top Google search results in Hong Kong despite efforts to remove them

  • Online search by Post finds up to four sham login pages replicating genuine WhatsApp site as top results for messaging platform’s web version
  • WhatsApp spokeswoman says company has worked with Google to take down the scam ads

Scam websites disguised as login pages for the WhatsApp messaging platform are still topping Google search results in Hong Kong despite efforts to remove them, prompting calls from experts for enhanced security measures given the low cost of advertising such fraudulent links.

An online search by the Post found up to four sham login pages replicating the genuine WhatsApp site as the top results for the instant-messaging platform’s web version, even though a company spokeswoman said it had acted against the fakes.

“We worked with Google to take down the scam ads,” the WhatsApp spokeswoman said.

“We highly recommend that people only use official versions of WhatsApp from trusted sources, such as app stores or from our official site and to be suspicious of any unofficial sources.”

An insider on Friday said some scam pages had been taken down.

Police recorded a ninefold rise in the number of hijacked instant messaging accounts in a month. Photo: Shutterstock

An unprecedented surge in scam reports related to compromised WhatsApp accounts prompted police to issue a warning on Monday, urging residents to beware of fake login websites and to boost their security settings.

The force recorded a ninefold rise in the number of hijacked instant messaging accounts in a month, with 1,239 cases reported in September compared with 127 in August. Losses increased fourfold from HK$470,000 (US$60,110) in August to HK$2.3 million last month.

The top four results of a Google search by the Post for “WhatsApp web login” on Friday evening were links titled “WhatsApp web version” in simplified Chinese with URLs that had no meaning.

One result had “wahhats.doflying” with a “.com” domain as the URL and was titled “WhatsApp web version – WhatsApp official website” in simplified Chinese. The website’s layout was like the authentic login page, aside from being written in simplified Chinese.

Fraudsters would gain access to a user’s account if the victim scanned a QR code on the page, which would connect it with the swindler’s device.

Having accessed an account, the tricksters could then attempt to impersonate the victim to scam contacts on their phone.

The Post found that fraudulent sites only appeared when using the Hong Kong versions of search engines, while accessing those in Japan and the United States did not yield any suspicious links on the first page of results.

The Post has also learned that WhatsApp is using multiple tools, including machine learning programs, to sniff out fake accounts and those linked to fraudulent activity. Accounts that breach the platform’s terms of service will be banned.

Information technology experts said online service providers should improve their cybersecurity measures.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said internet giant Google had a responsibility to act against scammers exploiting its advertising functions to swindle users.

“Their responsibility lies in their awareness of the matter – if they are aware – that searches for WhatsApp contain scams in advertisements shown besides organic search results,” he said.

“Shouldn’t they be doing something to stop this, be it using AI [artificial intelligence] or manual searches?”

Francis Fong says scammers are exploiting a largely unregulated ad placement process. Photo: SCMP

Google has been contacted for comment.

Fong said scammers were exploiting a largely unregulated process to buy ad placements for specific keywords.

“Anyone can buy an advertisement without any registration requirement,” Fong said. “If Google had to verify whether the buyer was an actual agent for a brand, this wouldn’t work.”

He also said the interactive nature of scams made it hard for malware or obscene content detectors from internet platforms to weed them out.

Fong added that he believed the scammers operated locally, as they were adept at creating schemes involving smaller local brands to trick victims.

“If you cannot find these [fraudulent] search results when you search from other regions, this shows these scammers are quite local, and could be targeting specific regions,” Fong said.

Anthony Lai Cheuk-tung, a security researcher with cybersecurity firm VX Research, said the budget needed to buy a Google advert that appeared as a top search result would depend on competition for the keyword and the number of bids for it.

“While it is relatively straightforward to create and run an ad campaign on Google Ads, securing a top search result can be more competitive and expensive, especially for popular or highly sought-after keywords,” Lai said.

But for less contested keywords such as “WhatsApp”, Lai estimated that each purchase for a fake login link would cost around HK$1,000 (US$128). Fong also said he expected the cost to be a few thousand Hong Kong dollars only.

Lai called on WhatsApp to roll out stricter verification processes for accounts and implement stronger encryption protocols to protect its users, while urging Google to tighten its screening process to weed out fraudulent adverts.
