An attacker can use a simple trick to take over a victim's WhatsApp account, gaining access to their personal messages and contact list.
The method relies on mobile carriers’ automated call forwarding services and WhatsApp’s option to send a one-time password (OTP) verification code via voice call.
The MMI code ruse
Rahul Sasi, the founder and CEO of digital risk protection firm CloudSEK, shared some information about the method, claiming that it is used to hack WhatsApp accounts.
BleepingComputer tested the method and discovered that it works, albeit with some caveats that a skilled attacker could overcome.
It only takes a few minutes for an attacker to take over a victim’s WhatsApp account, but they must know the target’s phone number and be prepared to do some social engineering.
According to Sasi, an attacker must first persuade the victim to call a number that begins with a Man Machine Interface (MMI) code that the mobile carrier has set up to enable call forwarding.
Depending on the carrier, different MMI codes either route every call destined for a handset to another number, or only the calls that arrive while the line is busy, unanswered, or out of coverage.
These codes begin with a star (*) or a hash (#).
They are easily accessible, and according to our research, all major mobile network operators support them.
“First, you receive a call from the attacker who will convince you to make a call to the following number **67* or *405*. Within a few minutes, your WhatsApp would be logged out, and the attackers would get complete control of your account” – Rahul Sasi
The researcher explains that the 10-digit number that follows belongs to the attacker, and the MMI code in front of it instructs the mobile carrier to forward the victim's incoming calls to that number (in the **67* case, only while the victim's line is busy).
Once the victim has been duped into forwarding calls to the attacker's number, the attacker begins the WhatsApp registration process on their own device using the victim's phone number, selecting the option to receive the OTP via voice call.
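To make the mechanics above concrete, here is a small decoder for dialled MMI strings that classifies what a code would do to the victim's line. It is an added example, not code from the article or from CloudSEK; the service-code table is the standardised GSM call-forwarding set (3GPP TS 22.030 / TS 22.082: 21 unconditional, 67 busy, 61 no reply, 62 not reachable, 002/004 all forwarding), so carrier-specific codes such as the second one in Sasi's quote are not in the table and come back as "unknown". The phone numbers are constructed, and the risk labels are this example's own assumption, following the article's observation that only unconditional forwarding reliably delivers the voice OTP to the attacker.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Call-forwarding service codes standardised for GSM/UMTS/LTE handsets
# (3GPP TS 22.030 / TS 22.082). Carrier-specific codes are deliberately
# not listed; they are reported as "unknown" (an assumption of this example).
FORWARDING_SERVICE_CODES = {
    "21": "unconditional",               # CFU: every incoming call is diverted
    "67": "busy",                        # CFB: only while the line is engaged
    "61": "no reply",                    # CFNRy: only if the call is unanswered
    "62": "not reachable",               # CFNRc: phone off or no coverage
    "002": "all forwarding",             # every forwarding service at once
    "004": "all conditional forwarding", # busy + no reply + not reachable
}

# Procedure prefixes; the regex lists the two-character ones first so that
# "**" and "*#" are not mistaken for a lone "*".
PROCEDURES = {
    "**": "register",     # store a destination number and switch forwarding on
    "*#": "interrogate",  # query the current state, changes nothing
    "##": "erase",        # remove the stored number and switch forwarding off
    "*": "activate",
    "#": "deactivate",
}

# <procedure><service code>[*<supplementary info>]#
# Supplementary info is DN*BS*T: destination number, basic service, timer.
MMI_RE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})(?:\*([^#]*))?#$")


@dataclass
class MmiCode:
    procedure: str
    service_code: str
    forwarding: str             # a value from the table above, or "unknown"
    destination: Optional[str]  # where calls would be sent, if a number is given
    hijack_risk: str            # "high", "medium" or "none" (this example's labels)


def parse_mmi(code: str) -> Optional[MmiCode]:
    """Decode a dialled MMI string; returns None if the input is not one."""
    m = MMI_RE.match(code.strip())
    if not m:
        return None
    prefix, service_code, supp_info = m.groups()
    procedure = PROCEDURES[prefix]
    forwarding = FORWARDING_SERVICE_CODES.get(service_code, "unknown")

    destination = None
    if supp_info:
        first_field = supp_info.split("*")[0]  # DN is the first SI field
        if first_field:
            destination = first_field

    # Only register/activate with a destination actually diverts calls.
    # Unconditional diversion hands every call, including the OTP call,
    # to the destination; the conditional variants depend on the victim's
    # line state (busy, unanswered, unreachable) and may never trigger.
    if procedure in ("register", "activate") and destination:
        if forwarding in ("unconditional", "all forwarding"):
            hijack_risk = "high"
        else:
            hijack_risk = "medium"   # conditional, or a code we cannot classify
    else:
        hijack_risk = "none"
    return MmiCode(procedure, service_code, forwarding, destination, hijack_risk)


def check_dial_target(target: str) -> str:
    """Risk level for a string a user is about to dial.

    Accepts a plain dial string or a tel: URI, in which '#' must be
    percent-encoded as %23 and '*' may appear as %2A."""
    s = target.strip()
    if s.lower().startswith("tel:"):
        s = unquote(s[4:])
    parsed = parse_mmi(s)
    return parsed.hijack_risk if parsed else "none"


if __name__ == "__main__":
    # Constructed samples; 15551234567 is a placeholder, not a real number.
    for sample in ("**21*15551234567#", "**67*15551234567#", "**405*15551234567#",
                   "##002#", "*#21#", "tel:**21*15551234567%23", "15551234567"):
        print(f"{sample:28} -> {check_dial_target(sample)}")
```

The decoder is meant for the defensive side of the story: a dialer, a link scanner or a helpdesk script can refuse or flag `tel:` links and pasted numbers that register unconditional forwarding before the user dials them, while leaving harmless interrogation and erase codes alone.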
The attacker can then register the victim’s WhatsApp account on their device and enable two-factor authentication (2FA), preventing legitimate owners from regaining access.
Although the method appears to be simple, getting it to work takes a little more effort, as we discovered during testing.
First and foremost, the attacker must use an MMI code that forwards all calls unconditionally, regardless of the state of the victim's device.
If the code only forwards calls while the line is busy, the hijack may fail: with call waiting enabled, for example, the victim's line is not reported as busy while they are on the phone with the attacker, so the OTP call is never diverted.
During testing, we discovered that the target device received text messages notifying it that WhatsApp was registered on another device.
Users may miss this warning if the attacker uses social engineering and engages the target in a phone call long enough to receive the WhatsApp OTP code over voice.
If the victim device already has call forwarding enabled, the attacker must use a different phone number than the one used for the redirection – a minor inconvenience that may necessitate additional social engineering.
The most obvious sign of suspicious activity for the target user appears once the mobile operator activates call forwarding for their device, because activation comes with a warning overlaid on the screen that does not disappear until the user confirms it.
Despite this prominent warning, threat actors have a high chance of success, because most users are unfamiliar with MMI codes and with the phone settings that disable call forwarding.
Despite these challenges, malicious actors with good social engineering skills can devise a scenario that allows them to keep the victim on the phone until they receive the OTP code for registering the victim’s WhatsApp account on their device.
We tested this method using Verizon and Vodafone mobile services and concluded that an attacker with a plausible scenario is likely to hijack WhatsApp accounts.
According to public data, Sasi’s post refers to Airtel and Jio mobile carriers, each of which has more than 400 million customers as of December 2020.
Protecting against this type of attack is as simple as turning on two-factor protection in WhatsApp (the app calls it two-step verification).
The feature requires a PIN of your choosing whenever your phone number is registered with the messaging app, so an attacker who only manages to receive the OTP cannot complete the registration unless they also obtain the PIN.
It is also worth checking that forwarding has not been quietly switched on: on GSM networks the standard code ##002# erases all call-forwarding settings and *#21# reports whether unconditional forwarding is active, although support for these codes varies by carrier.