An attacker can hijack a victim’s WhatsApp account and obtain access to personal messages and contacts via a technique.
The solution relies on the automated call forwarding service provided by mobile carriers, as well as WhatsApp’s option to deliver a one-time password (OTP) verification code through a voice call.
The MMI code deception
The strategy is used to hack WhatsApp accounts, according to Rahul Sasi, the founder and CEO of CloudSEK, a digital risk prevention company.
The strategy works, according to BleepingComputer, however there are several restrictions that an experienced attacker may overcome.
It just takes a few minutes for an attacker to take over a victim’s WhatsApp account, but they must first obtain the target’s phone number and be prepared to engage in some social engineering.
According to Sasi, an attacker must first persuade the victim to call a number that begins with a Man Machine Interface (MMI) code put up by the cell carrier to enable call forwarding.
A separate MMI code can send all calls to a terminal to a different number or merely when the line is busy or there is no reception, depending on the carrier.
A star (*) or a hash (#) sign precedes these codes. They’re easy to find, and according to our research, they’re supported by all major mobile network operators.
“First, you’ll get a call from the attacker, who will persuade you to dial **67* or *405*. Your WhatsApp account would be logged out in a matter of minutes, and the attackers would have complete access of your account.” Rahul Sasi (Rahul Sasi)
The 10-digit number belongs to the attacker, and the MMI code in front of it instructs the mobile carrier to redirect all calls to the phone number supplied after it if the victim’s line is busy, according to the study.
The attacker begins the WhatsApp registration procedure on the victim’s device after duping them into forwarding calls to their number. They select the option to get the OTP via voice call.
After obtaining the OTP code, the attacker can use their device to register the victim’s WhatsApp account and implement two-factor authentication (2FA), which prevents legitimate owners from regaining access.
Although the method appears straightforward, it takes a little more effort to get it to function, as BleepingComputer discovered during testing.
First and foremost, the attacker must utilize an MMI code that sends all calls regardless of the state of the target device (unconditionally). Call waiting may cause the hijack to fail if the MMI only sends calls when a line is busy.
During testing, BleepingComputer discovered that the target device was also receiving text messages indicating that WhatsApp was being used on another smartphone.
If the attacker uses social engineering and engages the target in a phone call just long enough to receive the WhatsApp OTP code by voice, users may miss the warning.
If call forwarding is already enabled on the victim’s device, the attacker will need to dial a different phone number than the one used for the redirection – a minor annoyance that may necessitate further social engineering.
Because activation comes with a warning overplayed on the screen that doesn’t go away until the user acknowledges it, the most obvious clue of suspicious activity for the target user is after the mobile carriers turn on call forwarding for their device.
Threat actors have a decent chance of succeeding even with this prominent warning because most users are unaware of the MMI codes or the mobile phone settings that prohibit call forwarding.
Despite these barriers, bad actors with good social engineering skills can concoct a situation to keep the victim occupied on the phone until they receive the OTP code for registering the victim’s WhatsApp account on their device.
BleepingComputer tested this method with Verizon and Vodafone cell connections and found that an attacker with a believable scenario is likely to hijack WhatsApp accounts.
According to public data, Sasi’s post refers to Airtel and Jio, two mobile operators with around 400 million consumers as of December 2020.
It’s as simple as turning on WhatsApp’s two-factor authentication protection to protect yourself from this type of assault. By demanding a PIN every time you register a phone with the messaging app, this feature prevents bad actors from gaining control of the account.
