Another online account hijacking attack has emerged, this time targeting WhatsApp. All the hacker needs for this attack to happen is the victim’s phone number.
The hack relies on users’ tendency not to change the default access credentials on their cellphone voicemail. If they don’t change these codes, the hackers can make a request to register the victim’s telephone number to the WhatsApp application on their own phone. Usually, WhatsApp sends a six-digit verification code in an SMS text message to the victim’s phone number, to verify that the person making the request owns it.
But the hackers avoid this inconvenience by launching the attack at a time when the victim would not answer their phone, such as in the middle of the night, or while they are on a flight.
More frustrating is the fact that the hacker doesn’t have to gain access to the victim’s phone. WhatsApp then offers a second option: to call the victim’s number with an automated phone message reading out the code. If or when the victim is out of service, the automated message is left as a voicemail.
The hacker then uses the generic telephone numbers that carrier networks provide for users to call to access voicemail. In most cases, the only protection for the voicemail is a four-digit PIN, and many carriers set this by default to something simple like 0000 or 1234.
Remember, everything can be hacked. To stay away from threats related to the cyber world, we recommend installing an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your device is running. If you are a company, it is also recommended to hire a specialized cybersecurity company every year to run annual tests on your company’s network. These tests include penetration testing and ethical hacking tests.
If the hacker accesses the victim’s voicemail, they can retrieve the WhatsApp code and then enter it into their own device.
If the hacker wants to do more damage, they can then enable two-step verification in order to prevent the victim from regaining control over their own phone number.
Several other online services are vulnerable to attacks like this. PayPal, Netflix, Instagram, and LinkedIn supported password reset by an automated phone call; Apple, Google, Microsoft, and Yahoo support the use of automated voicemails for two-factor authentication (2FA).
In order to stay safe and secure from this hack, you must:
– set a strong PIN for your voicemail inbox
– enable two-step verification on your WhatsApp account, by opening WhatsApp and going to Settings > Account > Two-step verification > Enable.
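The first recommendation can be enforced wherever a voicemail PIN is set or audited. The following is an added example, not part of the original article: a hypothetical `voicemail_pin_problems` helper that rejects the defaults named above and, going beyond the article, also flags short PINs, repeated digits, straight sequences and PINs lifted from the phone number. The minimum length of six and the sample phone number are assumptions.

```python
"""Added example: screen a voicemail PIN before accepting it (hypothetical helper)."""

# Defaults named in the article; a real deployment would extend this set.
DEFAULT_PINS = {"0000", "1234"}
MIN_LENGTH = 6  # assumption: longer than the four digits the article describes


def _is_sequence(pin: str) -> bool:
    """True for straight runs such as 2345 or 9876 (wrapping 9 -> 0 included)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def voicemail_pin_problems(pin: str, phone_number: str) -> list[str]:
    """Return the reasons a PIN is weak; an empty list means it passed."""
    if not (pin.isascii() and pin.isdigit()):
        return ["PIN must contain digits only"]
    digits_of_number = "".join(c for c in phone_number if c.isdigit())
    problems = []
    if pin in DEFAULT_PINS:
        problems.append("carrier default")
    if len(pin) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} digits")
    if len(set(pin)) == 1:
        problems.append("single repeated digit")
    if _is_sequence(pin):
        problems.append("ascending or descending sequence")
    if pin in digits_of_number:
        problems.append("taken from the phone number")
    return problems


if __name__ == "__main__":
    number = "+1 555 010 4477"  # constructed sample number
    for candidate in ("0000", "1234", "104477", "839205"):
        print(candidate, voicemail_pin_problems(candidate, number) or "ok")
```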
We will continue to monitor this cybersecurity problem. Meanwhile, users should keep a keen eye out for any cyber attacks. Remember to use an antivirus for Windows or an antivirus for Mac on every device that you own, depending on which OS your machine is running. If you are a company, we recommend hiring a specialized cybersecurity company every year to run annual tests on your company’s network. Tests like this include penetration testing and ethical hacking.