The season of account hijacking is upon us, and this time it is not about Facebook profiles; rather, attackers have set their eyes upon your beloved WhatsApp account.
So prevalent is this case of WhatsApp hijacking that the Israeli National Cyber Security Authority had to issue a warning.
How Does This Hack Work?
Naturally, many users never change the default access credentials for their cell phone’s voicemail, and the attackers bank on this to get access to the victim’s WhatsApp profile.
The attackers request that the victim’s telephone number be registered to the WhatsApp application on their own phone. By default, this prompts WhatsApp to send a verification message to the victim’s phone.
Normally, the victim will see the message and be alerted that someone is trying to take over his/her account, but the attackers know this too.
The attackers avoid this by launching the attack in the middle of the night, when they know the victim is asleep and won’t bother to check their phone. Most people put their phones in flight mode or turn on “do not disturb” at this time.
Since the attackers do not have physical access to the phone and won’t see the message arrive, they choose the call option, so that WhatsApp calls the victim with an automated phone message reading out the code.
Since the victim is not accepting calls, the message is left in the voicemail. The attackers then access the victim’s mailbox, since most network carriers only provide a generic telephone number that any caller can use to retrieve messages.
The attackers enter the default voicemail password, which the victim never changed, retrieve the WhatsApp verification code from the message, enter it on their own device and complete the transfer of the account from the victim’s device to the attacker’s device. The whole procedure wouldn’t take more than 5 minutes.
To complete the hijacking, immediately after gaining access to the account the attackers turn on two-step verification, an optional feature in WhatsApp. This requires the user to set a custom PIN, which must be provided whenever the phone number is re-verified.
Turning this feature on prevents the victim from ever getting the account back.
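To make the chain above concrete from the defender’s side, here is a toy model of the registration flow the article describes. It is an added example, not code from the article or from WhatsApp, and every name in it (the `Registration` service, the `Phone` and `Voicemail` classes, the list of “default” voicemail PINs and the sample numbers) is constructed for illustration. It shows the two points at which the chain breaks: a non-default voicemail PIN, and the user having enabled two-step verification before the attacker does.

```python
# Added example, not from the original article: a toy model of the account
# transfer flow it describes, used to show which user-side settings stop it.
# All names, numbers and "default" PINs below are constructed.
from dataclasses import dataclass, field
from typing import Optional
import secrets

# Constructed stand-ins for carrier default voicemail PINs; real defaults
# vary by carrier and are not taken from the article.
CONSTRUCTED_DEFAULT_PINS = {"0000", "1234", "1111"}


def voicemail_pin_is_weak(pin: str) -> bool:
    """True if the PIN is a known default, a single repeated digit, or a run."""
    if pin in CONSTRUCTED_DEFAULT_PINS or len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})  # 1234 / 4321 style sequences


@dataclass
class Voicemail:
    pin: str
    messages: list = field(default_factory=list)

    def retrieve(self, pin: str) -> list:
        """A generic retrieval number plus the PIN is all the carrier checks."""
        return list(self.messages) if pin == self.pin else []


@dataclass
class Phone:
    number: str
    voicemail: Voicemail
    do_not_disturb: bool = False  # the night-time window the article mentions


class Registration:
    """Minimal model of 'register this number on this device'."""

    def __init__(self) -> None:
        self.owner_device: dict = {}   # number -> device currently holding the account
        self.two_step_pin: dict = {}   # number -> optional two-step verification PIN
        self.pending: dict = {}        # number -> outstanding verification code

    def request_code(self, phone: Phone, via: str) -> Optional[str]:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone.number] = code
        if via == "call" and phone.do_not_disturb:
            # Unanswered call: the spoken code lands in voicemail.
            phone.voicemail.messages.append(f"Your code is {code}")
            return None
        return code  # delivered to the handset in the user's hands

    def complete(self, number: str, code: str, device: str,
                 pin: Optional[str] = None) -> bool:
        if self.pending.get(number) != code:
            return False
        required = self.two_step_pin.get(number)
        if required is not None and pin != required:
            return False  # the verification code alone is not enough
        self.owner_device[number] = device
        del self.pending[number]
        return True


def takeover_succeeds(two_step_enabled: bool, voicemail_pin: str) -> bool:
    """Run the article's scenario and report whether the account moves."""
    svc = Registration()
    victim = Phone("+10000000000", Voicemail(pin=voicemail_pin), do_not_disturb=True)
    svc.owner_device[victim.number] = "victim-handset"
    if two_step_enabled:
        svc.two_step_pin[victim.number] = "735190"  # constructed user PIN
    # Registration requested from another device; the call goes to voicemail.
    svc.request_code(victim, via="call")
    # In this model a weak PIN is treated as guessed; a strong one is not.
    msgs = victim.voicemail.retrieve(voicemail_pin) if voicemail_pin_is_weak(voicemail_pin) else []
    code = msgs[0].split()[-1] if msgs else None
    return code is not None and svc.complete(victim.number, code, "other-device")
```

`takeover_succeeds(False, "1234")` returns True in this model, while either a non-default voicemail PIN or two-step verification already enabled by the owner makes it return False; the second factor also explains why the attacker enables it themselves once the transfer is done.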