The Borneo Post (Sabah)

Sophos warns of attackers using voicemail hack to steal WhatsApp accounts


KOTA KINABALU: Information technology (IT) company Sophos has warned of a rise in cyber attackers using a voicemail hack to steal WhatsApp accounts.

In a commentary, it noted that an Israeli agency responsible for cybersecurity has warned its citizens about the attack, which can often be conducted without any knowledge or interaction on their part. All the attacker needs is the victim’s phone number.

It highlighted that the security flaw, first documented by security researchers last year, has now hit the mainstream. Last week, ZDNet reported that the Israeli National Cybersecurity Authority issued an alert warning that WhatsApp users could lose control of their accounts.

“The hack capitalises on users’ tendency not to change default access credentials on cellphone voicemail numbers. The attacker makes a request to register the victim’s telephone number to the WhatsApp application on their own phone.

“By default, WhatsApp sends a six-digit verification code in an SMS text message to the victim’s phone number, to verify that the person making the request owns it,” it said.

It noted that, ideally, the victim would see the message, alerting them that something was up.

It explained that the attacker avoids that by launching the attack at a time when the victim would not answer their phone, such as in the middle of the night, or while they are on a flight.

“Many users may even have their phones set to ‘do not disturb’ during this time,” it added.

“The attacker doesn’t have access to the victim’s phone, and so cannot see the code to enter it. WhatsApp then offers to call the victim’s number with an automated phone message reading out the code. Because the victim is not accepting calls, the automated message is left as a voicemail.

“The attacker then exploits a security flaw on many carrier networks, which provide generic telephone numbers that users can call to access voicemail.

“The only credential required to hear the voicemail is a four-digit PIN, and many carriers set this by default to something simple like 0000 or 1234. These default passwords are easily discovered online.

“When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account,” it explained.
