The Cyber Security Authority (CSA) has exposed a serious cybercrime scheme in which fraudsters are using WhatsApp Web to harvest banking credentials and one-time passwords (OTPs), including mobile money verification codes, from unsuspecting users in Ghana.
According to the CSA, the attack largely targets Windows computer users through malicious ZIP files circulated via WhatsApp and disguised as legitimate documents. The malware behind the scheme has been identified as Astaroth, a highly advanced information-stealing virus.
The Authority explained that attackers typically send ZIP files to victims under convincing pretences such as work-related documents, invoices, or shared files. Once the file is downloaded and extracted on a Windows device, the Astaroth malware installs itself quietly without alerting the user.
After installation, the malware covertly links to WhatsApp Web, gains access to the victim’s contact list, and automatically forwards similar malicious messages to all contacts, enabling the attack to spread rapidly without the user’s awareness.
In the background, the malware conducts extensive data-harvesting activities, including stealing banking login details, one-time passwords, browser cookies, and recording keystrokes. Criminals can then use the stolen data to gain unauthorised access to bank accounts, compromise mobile money wallets, and carry out fraudulent transactions.
The CSA has therefore urged the public to exercise extreme caution when opening files received through messaging platforms, even if they appear to come from trusted contacts.
Users are advised to avoid downloading or opening suspicious attachments, keep their devices updated with the latest security patches and antivirus software, and promptly report any unusual activity on their accounts.
Persons affected by the malware can contact the CSA for support through the following channels:
Email: report@csa.gov.gh
Call: 292
SMS: 292
WhatsApp: 0501603111
Mobile App: CSA Ghana
