Once again, a trivial WhatsApp hack has surfaced online that puts users at risk globally. An attacker can take over a target user’s WhatsApp account by tricking the victim into forwarding calls from their phone number to the attacker’s number. Users must be wary of unsolicited calls, particularly from callers asking them to dial an unusual number or code.
WhatsApp Hack Via Call Forwarding
According to Rahul Sasi, founder of the Indian cybersecurity firm CloudSEK, an attacker can exploit call forwarding to hack WhatsApp. Sharing the details in a LinkedIn post, Sasi explained that the hack relies on generic call-forwarding codes that many telecom service providers support. Hence, this attack threatens users worldwide.
The attack begins when an attacker calls a target user and tricks the user into enabling call forwarding to the attacker’s number. Doing so requires the victim to dial a code. Since many users don’t know or remember what such codes do, they simply follow the attacker’s instructions. In the scenario Sasi observed, the attackers tricked the victims into dialing *67*<10 digit number> or *405*<10 digit number>.
First, you receive a call from the attacker, who convinces you to dial *67*<10 digit number> or *405*<10 digit number>. Within a few minutes, your WhatsApp is logged out, and the attacker has complete control of your account.
Such call forwarding enables the attacker to receive OTPs. So, while keeping the victim engaged on the call, the attacker attempts to register the victim’s WhatsApp account on another device and requests the OTP via a voice call. Because the victim’s number is busy on the attacker’s call, the OTP call is forwarded to the attacker’s number, allowing them to hijack the target WhatsApp account. By the time the attacker’s call ends, the victim is logged out (and locked out) of WhatsApp.
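The codes above are ordinary GSM supplementary-service (MMI) strings, so a phone or a help-desk tool can recognise a call-forwarding request before it is dialled. The following Python script is an added example, not code from the article or from CloudSEK: it parses a dial string according to the 3GPP TS 22.030 MMI grammar, identifies the standard forwarding service codes (21, 67, 61, 62, 002, 004) and the carrier-specific *405* code the article reports, and rates how dangerous it would be to dial. The 10-digit number used in the sample is a constructed placeholder.

```python
"""Classify a GSM/UMTS MMI dial string before it is typed in.

Added example (not from the article or CloudSEK). Service codes 21, 67,
61, 62, 002 and 004 and the procedure prefixes come from 3GPP TS 22.030
Annex B; *405* is listed only because the article reports it as a
carrier-specific forwarding code.
"""
import re
from dataclasses import dataclass
from typing import Optional

FORWARDING_SERVICES = {
    "21": "call forwarding unconditional",
    "67": "call forwarding on busy",
    "61": "call forwarding on no reply",
    "62": "call forwarding on not reachable",
    "002": "all call forwarding",
    "004": "all conditional call forwarding",
    "405": "carrier-specific call forwarding (as reported in the article)",
}

# MMI procedure prefixes: *SC*SI# activates, **SC*SI# registers,
# #SC# deactivates, ##SC# erases, *#SC# only queries the current setting.
PROCEDURES = {"*": "activate", "**": "register", "#": "deactivate",
              "##": "erase", "*#": "interrogate"}

# <procedure><service code>[*<supplementary info>[*<more>...]][#]
# Longer prefixes come first in the alternation so "**" is not read as "*".
MMI_RE = re.compile(
    r"^(?P<proc>\*\*|\*#|##|\*|#)(?P<sc>\d{2,3})(?:\*(?P<si>[\d+*]*))?#?$"
)


@dataclass
class Assessment:
    dial_string: str
    procedure: str
    service_code: str
    service: Optional[str]
    destination: Optional[str]
    risk: str  # "high", "low", "none" or "unknown"
    explanation: str


def classify(dial_string: str) -> Optional[Assessment]:
    """Return an Assessment for an MMI string, or None if it is not one."""
    m = MMI_RE.match(dial_string.strip())
    if not m:
        return None
    proc = PROCEDURES[m.group("proc")]
    sc = m.group("sc")
    # The first supplementary-info field of a forwarding code is the
    # destination number; later fields (e.g. no-reply timer) are ignored here.
    destination = (m.group("si") or "").split("*")[0] or None
    service = FORWARDING_SERVICES.get(sc)

    if service is None:
        return Assessment(dial_string, proc, sc, None, destination, "unknown",
                          f"Service code {sc} is not a known forwarding code; "
                          "ask your carrier what it does before dialing.")
    if proc in ("activate", "register"):
        target = destination or "a previously registered number"
        return Assessment(dial_string, proc, sc, service, destination, "high",
                          f"{proc}s {service}: calls to you, including voice "
                          f"OTP calls, would be diverted to {target}.")
    if proc == "interrogate":
        return Assessment(dial_string, proc, sc, service, destination, "none",
                          f"only displays the current {service} setting.")
    return Assessment(dial_string, proc, sc, service, destination, "low",
                      f"{proc}s {service}; this removes a diversion.")


def is_risky(dial_string: str) -> bool:
    """True when dialing the string would divert the phone's incoming calls."""
    a = classify(dial_string)
    return a is not None and a.risk == "high"


if __name__ == "__main__":
    placeholder = "0000000000"  # constructed 10-digit placeholder, not a real number
    for s in (f"*67*{placeholder}#", f"*405*{placeholder}", "*#67#", "##002#"):
        a = classify(s)
        print(f"{s:18} {a.risk:8} {a.explanation}")
```

Run without arguments to see the two codes from the article rated high and the query (`*#67#`) and erase-all (`##002#`) codes rated safe; the latter two are the standard strings a user can dial to check for and remove any forwarding that was set up during such a call. A messaging or dialer app could call `is_risky()` on a pasted string and warn before placing the call.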
Users Must Be Wary
According to Bleeping Computer, this attack isn’t as trivial as it seems. The attacker must overcome some caveats, such as ensuring that the “call waiting” service on the victim’s number doesn’t interfere with the attack. Since WhatsApp sends an SMS alert to the victim about the new device registration, the attacker may also have to apply some social engineering to make the victim ignore the alert. Likewise, enabling call forwarding sends a notification to the victim’s device.
However, an attacker can still succeed in this attack by keeping the victim engaged on the call for a longer time.
Users must remain very careful when receiving unsolicited phone calls, and should never dial codes or numbers at a caller’s request.