An attacker can hijack a victim’s WhatsApp account and gain access to personal messages and contacts using a trick that relies on two things: the automatic call forwarding service provided by cellular carriers, and WhatsApp’s option to deliver the one-time password (OTP) verification code through a voice call.
According to Rahul Sasi, founder and CEO of the digital risk prevention company CloudSEK, the technique is being used to hijack WhatsApp accounts. In testing, the approach was found to work, though with several drawbacks that a sufficiently experienced attacker can bypass. An attacker can take over a victim’s WhatsApp account in just a few minutes, but must first obtain the target’s phone number and be prepared to do some social engineering.
Sasi explains that the attacker must first persuade the victim to dial a number that begins with a Man Machine Interface (MMI) code, a code set up by the cell carrier to enable call forwarding. Depending on the carrier, different MMI codes forward all calls to a device to another number unconditionally, or only when the line is busy or there is no reception.
These codes begin with a star (*) or a hash (#) sign. They are easy to find and, according to CloudSEK’s research, are supported by all major mobile network carriers. “First, you receive a call from the attacker who will convince you to make a call to the following number **67* or *405*. Within a few minutes, your WhatsApp would be logged out, and the attackers would get complete control of your account,” said Rahul Sasi.
According to the researcher, the 10-digit number that follows the MMI code belongs to the attacker. The MMI code in front of it instructs the carrier to redirect all calls to that number whenever the victim’s line is busy. Having duped the victim into forwarding calls to their number, the attacker starts the WhatsApp registration procedure for the victim’s phone number on their own device and selects the option to receive the OTP via voice call. Once the OTP arrives, the attacker can complete the registration of the victim’s WhatsApp account on their smartphone and enable two-factor authentication (2FA), locking the genuine owner out.
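The defensive counterpart to the step above is recognising a call-forwarding request before it is sent to the carrier, which is what a dialer or mobile device management agent would do to interrupt the user with a prompt. The following is an added example, not code from the article or from CloudSEK: it parses a dialed string against the standard GSM MMI grammar (operation prefix, service code, optional supplementary information, trailing `#`) and reports whether the string registers or activates call forwarding and to which number. The service codes 21, 67, 61, 62, 002 and 004 are the standard GSM forwarding codes; the article’s `*405*` is carrier specific and is caught by a fallback that flags any unknown service code carrying a number argument. The sample dial strings and the phone number in them are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Call-forwarding supplementary service codes from the GSM MMI grammar
# (GSM 02.30 / 3GPP TS 22.030). Carrier-specific codes such as the
# article's *405* are not listed; the fallback below handles them.
FORWARDING_SERVICE_CODES = {
    "21": "unconditional",
    "67": "busy",
    "61": "no reply",
    "62": "not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# The leading symbols select the operation applied to the service code.
OPERATIONS = {
    "**": "registration",   # store a forward-to number and activate
    "*": "activation",      # activate; with a number it also registers it
    "#": "deactivation",
    "##": "erasure",
    "*#": "interrogation",  # query only, nothing changes
}

# Shape: <op><service code>[*<supplementary info>[*...]]#
_MMI_RE = re.compile(
    r"^(?P<op>\*\*|\*#|##|\*|#)(?P<sc>\d{2,3})(?:\*(?P<si>[^#]*))?#$"
)
_NUMBER_RE = re.compile(r"\+?\d+")


@dataclass(frozen=True)
class ForwardingRequest:
    operation: str          # e.g. "registration"
    condition: str          # e.g. "busy", or "unknown (carrier-specific)"
    target: Optional[str]   # number calls would be forwarded to, if any


def classify_dial_string(dialed: str) -> Optional[ForwardingRequest]:
    """Return the call-forwarding request encoded in a dialed string, or
    None for an ordinary phone number or an unrelated MMI code."""
    m = _MMI_RE.match(dialed.strip())
    if not m:
        return None
    operation = OPERATIONS[m.group("op")]
    service_code = m.group("sc")
    # The first supplementary-info field carries the forward-to number;
    # later fields (basic service, no-reply timer) are ignored here.
    si = m.group("si")
    target = si.split("*")[0] if si else None
    if target is not None and not _NUMBER_RE.fullmatch(target):
        target = None
    condition = FORWARDING_SERVICE_CODES.get(service_code)
    if condition is None:
        # Unknown service code: treat it as forwarding only when it carries
        # a number argument, the shape used by carrier-specific codes.
        if target is None:
            return None
        condition = "unknown (carrier-specific)"
    return ForwardingRequest(operation, condition, target)


def needs_warning(dialed: str) -> bool:
    """True when dialing the string would redirect the user's calls to
    another number, i.e. the case a dialer or MDM should prompt on."""
    req = classify_dial_string(dialed)
    return (
        req is not None
        and req.operation in ("registration", "activation")
        and req.target is not None
    )


if __name__ == "__main__":
    # Constructed sample dial strings; 15551234567 is a placeholder number.
    samples = ["**67*15551234567#", "*405*15551234567#", "*#21#", "15551234567"]
    for s in samples:
        verdict = "WARN: forwards calls" if needs_warning(s) else "ok"
        print(f"{s:22} {classify_dial_string(s)}  -> {verdict}")
```

Interrogation (`*#`), deactivation (`#`) and erasure (`##`) are parsed but never trigger a warning, since none of them sends calls elsewhere; only a registration or activation that carries a target number does. The carrier-side overlay the article mentions later is the last line of defence; a check like this one runs before the string ever leaves the handset.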
During testing, it was found that while the procedure looks simple, getting it to work takes a bit more effort. First, the attacker must use an MMI code that forwards all calls regardless of the state of the target device (unconditional forwarding). If the MMI code only forwards calls when the line is busy, the victim’s call waiting feature can cause the hijack to fail.
Testing also showed that the target device receives text messages warning that WhatsApp is being used on another device. Users may miss this warning if the attacker engages the victim in a phone conversation just long enough to receive the WhatsApp OTP by voice.
If call forwarding is already enabled on the victim’s device, the attacker needs the victim to dial a different number than the one used for the redirection, a minor complication that may require more social engineering. The most obvious sign of suspicious activity for the target user is the moment the carrier switches on call forwarding for their device, since activation comes with a warning overlaid on the screen that does not go away until the user acknowledges it.
Even with this prominent warning, threat actors have a decent chance of succeeding, since most consumers are unaware of MMI codes or of the phone settings that block call forwarding. Despite these barriers, fraudsters with good social engineering skills can concoct a scenario that keeps the victim occupied on the phone until the OTP for registering the victim’s WhatsApp account on the attacker’s device has arrived.
When this technique was tried on the Verizon and Vodafone networks, it was found that an attacker with a convincing pretext was likely to succeed in hijacking WhatsApp accounts. According to public data, Sasi’s post alludes to Airtel and Jio, two mobile operators with around 400 million consumers as of December 2020. Protecting oneself from this type of attack is as simple as turning on WhatsApp’s two-factor authentication protection. By demanding a PIN every time a phone is registered with the messaging app, this feature prevents bad actors from gaining control of the account.