Hackers could hijack your WhatsApp account using this devious call-forwarding trick

WhatsApp on iPhone
(Image credit: Pexels / Torsten Dettlaff)

Experts have uncovered a method for threat actors to hijack almost any WhatsApp account, getting access to all the messages and the contact lists found in the app.

Rahul Sasi, founder and CEO of digital risk protection company CloudSEK, discovered that by using automated call forwarding that some mobile services offer, together with the option to send a one-time password (OTP) verification code via voice call, an attacker can take over almost any WhatsApp account.

To successfully pull the attack off, the threat actor first needs to persuade the victim into calling a number that starts with a Man-Machine Interface (MMI) code. The number is usually set up by the mobile carrier, and is used to enable call forwarding.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

Not as easy as it sounds

The number usually starts with either a star or hash symbol. As per the publication, these codes are easily found, and most of the major mobile network operators support them.

Calling this number forwards all future calls to the attacker-owned endpoint. After that, the process is relatively easy, as the attacker can initiate the WhatsApp registration process on their device, and receive the OTP via voice call.

Putting the idea to the test, BleepingComputer has found that it generally works, although with a few caveats. First, the attacker needs to trick the victim into using an MMI code that forwards all calls, not just those that are made while the line is busy. 

Then, they need to make sure the victim is busy for long enough to miss the text message informing them that their WhatsApp app is being registered on another device.

Also, if the victim already has call forwarding enabled, the attackers must use a different phone number, which is “a small inconvenience that might require more social engineering”. 

The method works on Verizon and Vodafone, the publication confirmed.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.