WhatsApp accounts hijacked by attackers through social engineering methods

The National Cyber Security Incident Response Center (CERT-RO) draws attention to a type of attack that users in Romania have begun reporting as incidents. In many cases, attackers obtain a victim’s phone number through an already compromised WhatsApp account.

How the attack works

WhatsApp accounts are linked to users’ phone numbers. When a user logs in to an existing WhatsApp account, the application automatically sends a “one-time code” via SMS to verify the phone number. The attackers abuse this process to try to take control of the targeted users’ WhatsApp accounts. The next step is to install the application on the attacker’s phone and register it with the victim’s phone number. The victim then receives a registration code via SMS, which the attacker requests while posing as a friend, or even as the WhatsApp Support Team.

Fake promotions for e-commerce platforms

The attackers use hijacked WhatsApp accounts to send targeted users messages containing false information about promotions on e-commerce platforms. Through these messages, the victims are tricked into sending back the “promotional code” they received on their phone, which is in fact the WhatsApp registration code.

Access to voicemail accounts with default passwords

If a user’s phone is turned off (usually at night), the attacker can repeatedly enter a wrong registration code in WhatsApp. The attacker is then offered voice verification, in which WhatsApp calls the user’s phone and reads the code aloud in a message. The audio message ends up in the victim’s voicemail, which can be easily accessed if the victim has not changed the default password.
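The advisory describes two service-side weaknesses the attacker relies on: unlimited wrong-code attempts and a voice-call fallback that becomes available after those attempts. The following Python model, added here as an illustration and not WhatsApp's or CERT-RO's code, replays that sequence against a weak verification policy and a hardened one (limited wrong attempts, a lockout that also blocks the voice path, and a minimum wait before a call may be requested), and includes an audit-log check a SOC could use to spot code hammering. The phone number, policy values and event names are constructed assumptions.

```python
"""Model of an SMS registration-code flow with a weak and a hardened
abuse policy. Constructed example; not WhatsApp's implementation."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Policy:
    max_wrong_attempts: int       # wrong codes tolerated before the number is locked
    lockout_seconds: int          # how long every verification path stays blocked
    voice_min_wait_seconds: int   # earliest time a voice call may be requested after the SMS


# Weak policy (assumed): unlimited wrong attempts and an immediately available
# voice call, so an attacker can hammer wrong codes and then switch to the call path.
WEAK = Policy(max_wrong_attempts=10**9, lockout_seconds=0, voice_min_wait_seconds=0)
# Hardened policy (assumed): a few wrong codes lock every path for an hour, and the
# voice path is only offered once the SMS has had a fair chance to arrive.
HARDENED = Policy(max_wrong_attempts=3, lockout_seconds=3600, voice_min_wait_seconds=600)


@dataclass
class Pending:
    code: str
    issued_at: float
    wrong_attempts: int = 0
    locked_until: float = 0.0


class VerificationService:
    def __init__(self, policy, clock=time.time):
        self.policy = policy
        self.clock = clock        # injectable so scenarios can be replayed deterministically
        self.pending = {}         # phone -> Pending registration
        self.audit = []           # (event, phone) tuples a SOC could alert on

    def start(self, phone):
        """Issue a fresh 6-digit code; in reality it is delivered by SMS only."""
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[phone] = Pending(code=code, issued_at=self.clock())
        self.audit.append(("sms_sent", phone))
        return code

    def _blocked(self, reg, phone):
        if self.clock() < reg.locked_until:
            self.audit.append(("rejected_locked", phone))
            return True
        return False

    def submit_code(self, phone, code):
        reg = self.pending[phone]
        if self._blocked(reg, phone):
            return "locked"
        if secrets.compare_digest(code, reg.code):
            del self.pending[phone]
            self.audit.append(("verified", phone))
            return "verified"
        reg.wrong_attempts += 1
        self.audit.append(("wrong_code", phone))
        if reg.wrong_attempts >= self.policy.max_wrong_attempts:
            reg.locked_until = self.clock() + self.policy.lockout_seconds
            self.audit.append(("locked", phone))
            return "locked"
        return "wrong"

    def request_voice_call(self, phone):
        """The 'call me' fallback: subject to the same lockout, plus a minimum wait."""
        reg = self.pending[phone]
        if self._blocked(reg, phone):
            return "locked"
        if self.clock() - reg.issued_at < self.policy.voice_min_wait_seconds:
            self.audit.append(("voice_too_early", phone))
            return "too_early"
        self.audit.append(("voice_call_placed", phone))
        return "calling"  # the code would now be read aloud to the handset (or its voicemail)


def alert_hammering(audit, threshold=3):
    """Detection over the audit log: numbers with repeated wrong-code submissions."""
    counts = {}
    for event, phone in audit:
        if event == "wrong_code":
            counts[phone] = counts.get(phone, 0) + 1
    return sorted(p for p, n in counts.items() if n >= threshold)


def simulate(policy, wrong_guesses=5):
    """Replay the advisory's scenario: repeated wrong codes, then a voice-call request."""
    now = [1_000_000.0]                       # fake clock, advanced by hand
    svc = VerificationService(policy, clock=lambda: now[0])
    phone = "+40700000000"                    # constructed number
    real_code = svc.start(phone)
    guess = "000000" if real_code != "000000" else "111111"   # guaranteed wrong
    outcomes = [svc.submit_code(phone, guess) for _ in range(wrong_guesses)]
    now[0] += 5                               # a few seconds later
    return outcomes, svc.request_voice_call(phone), svc.audit


if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        outcomes, voice, audit = simulate(policy)
        print(name, outcomes, voice, alert_hammering(audit))
```

Under the weak policy every wrong guess is simply rejected and the voice call is placed at once, which is exactly the path the advisory describes; under the hardened policy the third wrong code locks the number and the call request is refused for the lockout period. The audit check fires in both cases, so even a service with the weak policy could at least detect the hammering.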