In a short post on LinkedIn  Rahul Sasi, founder and CEO of CloudSEK, explains how WhatsApp account takeovers are possible.

The methods consists of several steps and it takes some social engineering skills, but it’s good to be aware of the possibility and how it works. It starts with the threat actor reaching out to a victim and convincing them to call a specific number.

Call forwarding

The number the threat actor will try to convince you to call is not always the same, but most of the times it will look like this **67*<10 digit number> or *405*<10 digit number>.

Both numbers trigger call forwarding, which redirects a telephone call to another number. It is available on most, if not of all, phone carrier’s systems and supported by most modern phones.

**67*<10 digit number> forwards all your calls to the 10 digit number.

*405*<10 digit number>  forwards calls, if your number is busy, to the 10 digit number.

The numbers between asterisks are not the same for every phone carrier, but according to Sasi, these two are likely to render the best success rates. The 10-digit number is always a phone number controlled by the attacker.

WhatsApp

While you are calling one of the numbers, the threat actor triggers the WhatsApp registration process for your phone number and chooses the option to send a One Time Password (OTP) via phone call.

To protect your account, WhatsApp will send you a push notification when someone tries to register a WhatsApp account with your phone number. If an attacker is trying to take over your account, they need the verification code sent to your phone number to do so. Without this code, any user attempting to verify your number can’t complete the verification process and use your phone number on WhatsApp.

But since your number is busy, either of the call methods mentioned earlier will forward the OTP to the threat actor, who receives the OTP code they need to take over your WhatsApp account, unless you have enabled two-step verification. Once the threat actor has taken over your account they will undoubtedly enable this to make it harder for you to take back control.

Mitigation

It is worth saying that you should be wary of strangers asking you to call strange numbers. Remember that no matter what the technicalities are, scammers almost always want you to act hastily, so take your time in the face of strange and unexpected requests.

You may also want to look up the call forwarding methods that your phone carrier uses, so you can recognize attempts of this kind.

To secure your WhatsApp account with Two-step verification, follow these steps:

  1. Open WhatsApp settings
  2. Tap Account > Two-step verification > Enable
  3. Enter a 6 digit PIN and confirm.
  4. Provide an email address in case you ever need to reset the PIN.
  5. Tap next. Confirm email.
  6. Tap save or done.

To help you remember your PIN, WhatsApp will prompt you to periodically enter it. Unfortunately, there isn’t an option to disable this without disabling the two-step verification feature.

Remember this can happen to your friends and family too. WhatsApp fraud already is booming and if the threat actor actually controls the WhatsApp account of someone you trust, their success rate will be even bigger.

Aftermath

WhatsApp is end-to-end encrypted and messages are stored on your device, so someone accessing your account on another device can’t read your past conversations.

But it is prudent, if you suspect someone else is using your WhatsApp account, to notify family and friends as this threat actor could impersonate you in chats and groups as they try to monetize their access.

If you lose access to your WhatsApp account or suspect someone else is using your account, refer to the WhatsApp FAQ article Stolen accounts.

Stay safe, everyone!