Privacy News Attackers Use Voicemail Hack to Steal WhatsApp Accounts

upnorth

Another online account hijacking attack has emerged, this time targeting WhatsApp. The Israeli agency responsible for cybersecurity has warned its citizens about the attack, which can often be conducted without any knowledge or interaction on their part. All the attacker needs is the victim’s phone number.

First documented by security researchers last year, the security flaw has now hit the mainstream. Last week, ZDNet reported that the Israeli National Cybersecurity Authority issued an alert warning that WhatsApp users could lose control of their accounts. The hack capitalises on users’ tendency not to change default access credentials on cellphone voicemail numbers.

The attacker makes a request to register the victim’s telephone number to the WhatsApp application on their own phone. By default, WhatsApp sends a six-digit verification code in an SMS text message to the victim’s phone number, to verify that the person making the request owns it. Ideally, the victim would see the message, alerting them that something was up. The attacker avoids that by launching the attack at a time when the victim would not answer their phone, such as in the middle of the night, or while they are on a flight. Many users may even have their phones set to ‘do not disturb’ during this time.

The attacker doesn’t have access to the victim’s phone, and so cannot see the code to enter it. WhatsApp then offers to call the victim’s number with an automated phone message reading out the code. Because the victim is not accepting calls, the automated message is left as a voicemail.

The attacker then exploits a security flaw on many carrier networks, which provide generic telephone numbers that users can call to access voicemail. The only credential required to hear the voicemail is a four-digit PIN, and many carriers set this by default to something simple like 0000 or 1234. These default passwords are easily discovered online. When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account.

To seal the deal, the attacker can then enable two-step verification, which is an optional feature that WhatsApp has been offering since 2017. This requires the user to set a custom PIN, which they must then re-enter if they wish to reverify their phone number. Turning on this feature prevents the victim from regaining control over their own phone number.
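The sequence the article describes (registration from an unfamiliar device, a voice-call code, then two-step verification switched on straight afterwards) can be matched on the service side. The following is an added example, not part of the original post and not WhatsApp's code; the event names, record fields, 30-minute window and night-hour range are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed maximum gap between the steps
NIGHT_HOURS = range(0, 6)       # assumed hours when the owner will not pick up

def flag_takeovers(events, known_devices):
    """Flag accounts re-registered on an unknown device via the voice-call
    fallback and then locked with two-step verification soon after."""
    progress = {}  # (account, device) -> timestamps of the steps seen so far
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO strings sort by time
        account, device = ev["account"], ev["device"]
        if device in known_devices.get(account, set()):
            continue  # activity from a device the owner already uses
        ts = datetime.fromisoformat(ev["ts"])
        steps = progress.setdefault((account, device), {})
        if ev["event"] == "voice_code_requested":
            steps["voice"] = ts
        elif ev["event"] == "verified":
            # Only a verification that follows a voice-call code counts.
            if "voice" in steps and ts - steps["voice"] <= WINDOW:
                steps["verified"] = ts
        elif ev["event"] == "two_step_enabled":
            if "verified" in steps and ts - steps["verified"] <= WINDOW:
                flagged.append({"account": account, "device": device,
                                "night": steps["voice"].hour in NIGHT_HOURS})
            progress.pop((account, device), None)
    return flagged

def E(ts, account, device, event):
    return {"ts": ts, "account": account, "device": device, "event": event}

# Constructed sample events (not real logs); "ts" is the owner's local time.
SAMPLE_EVENTS = [
    E("2020-01-01T02:10:00", "user-a", "dev-x", "sms_code_sent"),
    E("2020-01-01T02:12:00", "user-a", "dev-x", "voice_code_requested"),
    E("2020-01-01T02:20:00", "user-a", "dev-x", "verified"),
    E("2020-01-01T02:22:00", "user-a", "dev-x", "two_step_enabled"),
    E("2020-01-01T14:00:00", "user-b", "dev-b", "verified"),          # known device
    E("2020-01-01T14:05:00", "user-b", "dev-b", "two_step_enabled"),
    E("2020-01-01T15:00:00", "user-c", "dev-y", "sms_code_sent"),     # new phone, SMS code
    E("2020-01-01T15:01:00", "user-c", "dev-y", "verified"),
    E("2020-01-01T15:03:00", "user-c", "dev-y", "two_step_enabled"),
]
KNOWN_DEVICES = {"user-b": {"dev-b"}}  # constructed

if __name__ == "__main__":
    for hit in flag_takeovers(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(hit)
```

Only user-a is flagged: user-b acts from a known device, and user-c verified with the SMS code rather than the voice-call fallback.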
 
Eddie Morra

I'm not a WhatsApp user but I wonder what the attacker would gain or is it more of a prank?
The attacker would basically gain access to your WhatsApp account if the attack is carried out successfully. They'd have the same access you would have on your own account.

Why am I not surprised though? Google and Facebook are nothing but trouble these days.
 

shmu26

I'm not a WhatsApp user but I wonder what the attacker would gain or is it more of a prank?
If you are a high-value target, then people want to hack you, and you should worry about this. If you are an anonymous nobody, then the hackers won't waste their time on you, and you should not worry about this.
 

Eddie Morra

I don't like Facebook but I think if there are changes in leadership, they can change and turn over a new leaf. People really do change and so can companies but it all depends on leadership/influence.

Facebook need to look at the bigger picture.

It doesn't have to always be about money... it can be about improving things for the greater good, finding out new things which will benefit all of us in the world, etc. With the resources they have, they can do some great things if they put their mind to it, without it harming other people for their own gain.
 
