Hackers exploit voicemail to hijack WhatsApp accounts in Israel

Rappler.com

Attackers exploit a vulnerability in an old technology to take control of WhatsApp accounts

MANILA, Philippines – Israeli authorities have warned their citizens of a current hacking scheme that aims to hijack WhatsApp accounts by exploiting a voicemail vulnerability, said cybersecurity firm Sophos in a blog post.

While the scheme surfaced in Israel, other countries with similar systems may be prone to similar vulnerabilities. The scheme begins with hackers making a request to register a user’s phone number to a WhatsApp account on their own phone. WhatsApp, as most messaging apps do today, will send an SMS with a code to the phone number that the hacker entered.

The hackers’ trick is to attempt the registration at odd hours, when a person is most likely asleep, or at any other time when the person is unlikely to see the code sent by WhatsApp. If WhatsApp detects that the code isn’t being entered, it offers to call the user and read the code aloud. If the target misses that call, the call goes to voicemail – that’s where the hacker can fish out the code, and eventually take over the account associated with the number they targeted.

To fish out the voicemail containing the WhatsApp code, the hacker calls a phone number on the carrier network where voicemails are stored, inputs the target’s phone number, and guesses the 4-digit PIN. This is where the vulnerability lies. Most users in Israel, or any country where carriers provide mobile access to voicemails, don’t change the default PIN, which is usually 0000 or 1234, said cybersecurity firm Sophos.

“When the attacker uses the default PIN to access the victim’s voicemail, they can hear the code and then enter it into their own device, completing the transfer of the victim’s phone number to their own WhatsApp account,” explained Sophos. 

The hacker then enables two-step verification, which locks the original owner out of the WhatsApp account. The hacker is then able to hold the account for ransom, or find things in the account that may be used for blackmail. – Rappler.com
