1. Home
  2. Blog
  3. Hackers steal WhatsApp accounts using call forwarding trick

Hackers steal WhatsApp accounts using call forwarding trick

22 Jul
22Jul

An attacker can hijack the victim's WhatsApp account to gain access to their personal messages and contact lists.This method uses the automated service of mobile carriers to forward calls to another number. WhatsApp also has the option to send a one time password (OTP), verification code via voicecall.


The MMI code trick

Rahul Sasi (founder and CEO of CloudSEK digital risk protection company) posted details about the method, stating that it can be used to hack WhatsApp accounts.

Bleeping Computer tested the method and found it to work, though with some limitations that an attacker skilled enough could overcome.

The attacker can take control of the victim's WhatsApp account in a matter of minutes. However, they will need to have the target's number and be able to do some social engineering. Instead of trying this technique you can simply go to hackearwats.me  and hack anyone's WhatsApp very easily with no hurdle.

Sasi states that attackers must convince victims to call a number that begins with a Man Machine Interface code (MMI), which the mobile carrier has set up to allow call forwarding.

Depending on your carrier, you can have a different MMI number that forwards all calls to a terminal to another number. This is also possible if the line is busy or there are no reception. 

These codes begin with either a star symbol (*) or a hash symbol (#). These codes are easy to find and all major mobile networks support them, according to our research.

First, the attacker will call you and ask you to call the following number *67* or *405*. Your WhatsApp account would be locked out of the internet within a matter of minutes and taken over by the attackers" - Rahul Ssi

According to the researcher, the attacker's 10 digit number is owned by the attacker. The MMI code that appears before it tells the mobile operator to forward any calls to the number specified after it if the victim's phone line is busy.

After tricking the victim into forwarding calls, the attacker begins the WhatsApp registration process on the victim's device. The attacker chooses to receive the OTP via voicecall.

WhatsApp options for receiving one-time password, source: BleepingComputer

Once they have the OTP code, the attacker will be able to register the victim’s WhatsApp account and enable two-factor authentication (2FA) which blocks legitimate owners from regaining their access.

Some caveats

The method may seem simple but it is not easy to get working. BleepingComputer discovered this during their testing.

First, the attacker must ensure that the MMI code they use forwards all calls regardless of the victim's device's status (unconditionally). Call waiting could cause hijackers to lose their calls if the MMI forwards only busy lines.

BleepingComputer observed that the target device received text messages letting it know that WhatsApp was being registered on another device.

If the attacker uses social engineering to engage the target in a telephone call, users may not be able to see the warning.

BleepingComputer OTP from WhatsAppCall forwarding must be disabled on victim's device. The attacker must use another phone number to redirect the call. This is a minor inconvenience and may require additional social engineering.

The target user's most obvious clue is when the operator turns on call forwarding. This happens because activation comes with a warning that doesn’t disappear until the user confirms.

Mobile carriers warn users when call forwarding becomes active, source: BleepingComputer


Threat actors have a good chance even with this visible warning. This is because most users don't know the MMI codes and the settings on their mobile phones that disable call forwarding.

These obstacles are overcome by malicious actors who have good social engineering skills. They can create a scenario to keep the victim on the phone until they receive the OTP code to register the victim WhatsApp account.

BleepingComputer tested the method with mobile services from Verizon, Vodafone, and concluded that an attacker who has a plausible scenario would be able to hijack WhatsApp accounts.

Sasi's post is about Jio and Airtel mobile carriers. Each has more than 400m customers as of December 2020 according to public data.

Two-factor authentication protection is all you need to protect yourself from this type of attack. This feature protects your account from being taken over by malicious actors. It requires you to enter a PIN every time you register a new phone through the messaging app.

20May
HOW TO MAKE EXTRA MONEY
17Jun
7 BIG THINGS A START-UP MUST HAVE TO SUCCEED
26Aug
10 RULES TO BUILD A WILDLY SUCCESSFUL BUSINESS
Comments
* The email will not be published on the website.
I BUILT MY SITE FOR FREE USING