Hackers could hijack your WhatsApp account using this devious call-forwarding trick

WhatsApp calls and messages could be accessed without you knowing

Experts have uncovered a method for threat actors to hijack almost any WhatsApp account, getting access to all the messages and the contact lists found in the app.

Rahul Sasi, founder and CEO of digital risk protection company CloudSEK, discovered that by using automated call forwarding that some mobile services offer, together with the option to send a one-time password (OTP) verification code via voice call, an attacker can take over almost any WhatsApp account.

To successfully pull the attack off, the threat actor first needs to persuade the victim to call a number that starts with a Man-Machine Interface (MMI) code. The number is usually set up by the mobile carrier, and is used to enable call forwarding.

Not as easy as it sounds

The number usually starts with either a star or hash symbol. As per the publication, these codes are easily found, and most of the major mobile network operators support them.

Calling this number forwards all future calls to the attacker-owned endpoint. After that, the process is relatively easy, as the attacker can initiate the WhatsApp registration process on their device, and receive the OTP via voice call.

Putting the idea to the test, BleepingComputer has found that it generally works, although with a few caveats. First, the attacker needs to trick the victim into using an MMI code that forwards all calls, not just those that are made while the line is busy.

Then, they need to make sure the victim is busy for long enough to miss the text message informing them that their WhatsApp app is being registered on another device.

Also, if the victim already has call forwarding enabled, the attackers must use a different phone number, which is “a small inconvenience that might require more social engineering”.

The method works on Verizon and Vodafone, the publication confirmed.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
