How an attacker can compromise your WhatsApp within a minute
I was reading about some online fraud cases recently and found one where someone received a call from a person pretending to be from the mobile provider's customer care about a mobile network issue. But it was an attacker who made the victim believe him and type what he instructed. Then what? Within 15 minutes, she observed that her WhatsApp was asking for a password and she could not log in anymore. And her friends, even her sister, got a WhatsApp message that she (the victim) needed money urgently, and guess what?
It is quite an easy attack. Do you know how?
The attacker can lure you through an email or a message (even on WhatsApp!) claiming that Amazon or Reliance is celebrating its 25th anniversary and 10 people can win the new iPhone model through a lucky-draw coupon.
There are many scams like this. Another example is a free ticket to France or a free candlelight dinner at Taj or Barbeque Nation 😛
What would unaware people do?
Oh wow! Why miss the chance of getting a new iPhone? That too free, free, free ;). The victim will fill out the form with their name, phone number and email id. Here lies the problem. Fraud starts from here in various ways: phone calls from a loan department, real estate, insurance and whatnot. The worst thing is when your account gets hacked! Yes, that's possible. I will show you how one can easily use someone else's WhatsApp number.
How WhatsApp got compromised and how the attacker was able to get money from the victim's close contacts
- Attacker: called the victim's number and impersonated an Airtel customer care executive.
- Victim: picked up the call and was convinced that it was a legitimate call to fix a mobile network issue on her phone.
- Attacker: Ma'am, to confirm that it's you, you will need to type something on your phone. Can you please type *401* followed by a 10-digit number (the attacker's number), i.e. *401*5559995599, and press dial?
- Victim: unknowingly did what the attacker instructed!
- Attacker: Thank you for your time, ma'am. It will be fixed in 15 minutes and you will get a call from our executive again.
You must be wondering what this *401* is. It is a code for unconditional call forwarding to the number you type after it. So now every call to the victim's number is forwarded to the attacker's number, i.e. 5559995599.
The attacker then installed WhatsApp and registered it with the victim's number. WhatsApp sent a verification code by SMS to the victim's mobile. But the attacker waited for a minute and clicked on "try call", the voice-call fallback. This time the verification call was forwarded to the attacker's number, he simply entered the 6-digit verification code, and the victim's WhatsApp account was literally the attacker's!
What Happened Next!
Within 5 minutes, the attacker started sending messages to random contacts of the victim on WhatsApp, urgently asking for financial help of just 2-5k to be sent to another number, with a false promise that she (the victim) would return it within 2 days.
Many people actually fell prey to this WhatsApp fraud and sent money to the attacker's number. Luckily, some close contacts called her alternative number to ask what had happened and why she was suddenly asking for money. The victim then became aware of the hack and reported it to the cybersecurity department.
How to test call forwarding and the WhatsApp hack (for educational purposes only)
I convinced my spouse to dial *401*<my-mobile-number> (to disable call forwarding, please dial *402).
Now I will get her every call without her even noticing. You can check the status of call forwarding by typing *#21#.
Then I went to my WhatsApp settings and clicked on Change Number.
I entered my number there as the old number and my spouse's number as the new number.
It sent a verification code by SMS to her number, which I didn't have access to. Luckily, she didn't notice. So I waited for a minute and clicked on "Call Me" to get the verification code.
I got a call within a few seconds and received the verification code (if the password/PIN is not set!).
That's it. Her WhatsApp account is now mine!
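Added example, not code from the original post: a defender-side check that a dialer app or a call-log review could apply, flagging dial strings that activate unconditional call forwarding before they are placed, so the user sees what the code does instead of following a caller's instruction. It covers the *401*, *402 and *#21# codes from the post and, going beyond the page, the 3GPP-standard *21*<number># family (assumed to be honoured by the handset and carrier); the log format and sample log are constructed.

```python
import re
from typing import Dict, List, Optional

# Dial strings that change unconditional call forwarding (CFU).
# *401*<number> and *402 are the carrier codes quoted in the post; the
# *21* / #21# / ##21# / *#21# family is the 3GPP-standard CFU set (assumption:
# the handset or carrier honours them; carriers also use their own codes).
CFU_PATTERNS = [
    (re.compile(r"^\*401\*(\d{10})#?$"), "activate"),
    (re.compile(r"^\*402#?$"), "deactivate"),
    (re.compile(r"^\*\*?21\*\+?(\d{6,15})#$"), "activate"),
    (re.compile(r"^#21#$"), "deactivate"),
    (re.compile(r"^##21#$"), "erase"),
    (re.compile(r"^\*#21#$"), "status"),
]
RISKY_ACTIONS = {"activate"}

def classify_dial_string(dialed: str) -> Dict[str, Optional[str]]:
    """Say what a dial string does to call forwarding, if anything."""
    s = re.sub(r"[\s-]", "", dialed)          # tolerate spaces/dashes typed by the user
    for pattern, action in CFU_PATTERNS:
        m = pattern.match(s)
        if m:
            target = m.group(1) if m.groups() else None
            return {"action": action, "target": target}
    return {"action": None, "target": None}

def warning_for(dialed: str) -> Optional[str]:
    """Text a dialer could show before placing a forwarding-activation code."""
    info = classify_dial_string(dialed)
    if info["action"] not in RISKY_ACTIONS:
        return None
    return (f"This code forwards ALL your incoming calls to {info['target']}. "
            "Verification calls (e.g. WhatsApp) would reach that number instead of you. "
            "Do not dial it on a caller's instruction; check with your provider first.")

def scan_dial_log(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Flag forwarding activations in a simple 'timestamp dialed <string>' log."""
    hits = []
    for line in lines:
        parts = line.split("dialed", 1)
        if len(parts) != 2:
            continue
        info = classify_dial_string(parts[1])
        if info["action"] in RISKY_ACTIONS:
            hits.append({"when": parts[0].strip(), **info})
    return hits

# Constructed sample log; 5559995599 is the attacker number quoted in the post.
SAMPLE_LOG = [
    "2023-08-01 10:02 dialed 198",
    "2023-08-01 10:05 dialed *401*5559995599",
    "2023-08-01 10:06 dialed *#21#",
    "2023-08-02 09:00 dialed *402",
]
```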
What to learn from this incident
- You must use 2FA whenever and wherever possible. Otherwise it's not just WhatsApp; your Facebook, Instagram or even your Gmail can be compromised. It saved me from hacking my wife's WhatsApp (try at your own risk, hehehehe).
- You should have a backup email id set up in case you need it for a forgotten password or just for verification.
- In case of any suspicious call, don't entertain it at first, and if it repeats, contact the cybersecurity department. Please understand that nothing is free and stay away from free lottery, lucky draw, etc. advertisements anywhere.
- Be a good netizen and don't forward emails, documents or messages without proper validation, to limit their spread.
- If someone asks you to type or dial something you are not sure about, check with the authority (their customer care or website) before acting. Never share passwords or critical information over the phone.
- Reference: https://awarepal.com/question/call-forwarding-scam/
- Image Source: flaticon.com