WhatsApp Accounts Can Be Hacked Using Voicemail. Change Your Password to Protect Yourself

WhatsApp Voicemail Account Hijacking

In the 1990's and the 2000's, voicemail, the technology that replaced the answering machine, was very popular. As with so many things from that period, it isn't anymore, and it's not difficult to see what contributed to its near demise. The smartphone and the numerous instant messaging applications like WhatsApp provided a new way of communication which completely eliminated the need for voicemail. Although nobody seems to be using it, however, voicemail is still around, and in an extremely ironic turn of events, it is now actively used to compromise WhatsApp accounts.

The attack targets Israeli users and appears to be ongoing. Apparently, it's substantial. Even the Israeli Computer Emergency Response Team (CERT) issued a warning, according to which they have received numerous reports of hijacked WhatsApp accounts with the help of the victims' voicemail service. Apparently, there's no shortage of affected people, which, in a normal world, would be rather strange because the attack was first demonstrated more than a year ago.

Hijacking WhatsApp accounts with no technical knowledge or specialist equipment

The attack was first described by Ran Bar-Zik back in September 2017, but it would appear that not many people have paid enough attention to the threat it poses. It must be said that quite a few stars must align for it to be successful, but despite this, pulling it off requires nothing more than a mobile phone, some determination, and a bit of luck.

The first thing that hackers need to do is check whether their victim uses voicemail. Conveniently for the people compromising WhatsApp accounts, this can be done remotely in Israel. They just dial *151 and enter the victim's phone number and voicemail passcode. "How do they know the victim's passcode?", we hear you ask. Well, this is what makes the whole attack possible.

Israeli users, like people from the rest of the world, rarely use voicemail nowadays, and very few bother to change the default passcode that's assigned by the mobile service provider. As a result, if the crooks try "0000" or "1234", they are extremely likely to confirm the state of the victim's voicemail service. If it's active, hijacking is possible.

The attacker then tries to connect the victim's WhatsApp account to their own device. As a security precaution, WhatsApp sends a six-digit code via SMS to the victim's phone number, and normally, this would set off some alarm bells. The idea is, however, that if the attack is carried out in the middle of the night, the victim is likely to be asleep and to miss the text message.

The problem, from the attacker's perspective, is that since it's sent as an SMS, they can't get to the six-digit code. Luckily for them, and unfortunately for the victim, WhatsApp has a backup Call Me option in case the SMS doesn't work. When chosen, an automated system calls the account owner's phone number, and when the call is received, it plays a voice recording of the six-digit code. Again, the success of the attack relies on the victim not picking up their phone and the call going through to voicemail.

You can probably guess what happens next. The attacker calls *151, enters the victim's phone number and the default passcode, listens to the voicemail message, and logs in to the victim's WhatsApp account. Once inside, the crooks can get to the victim's messages and contacts, and to lock the account owner out, they can enable two-factor authentication.

What can you do to protect yourself?

Last year, when Ran Bar-Zik first reported the problem, telecommunication service providers had the chance to rethink their strategy of enabling rarely-used services and using poor default passwords to protect them. They didn't take that chance, and there's no telling if they'll take this one. Whatever the case, it would appear that it's up to you to keep yourself safe.

The attack described above shows that if you don't use a particular service, you should turn it off. Of course, if you do need voicemail, keep it enabled, but be sure to change the default passcode. And in case you needed any more encouragement, the attack in Israel is just another reason why you should turn on Two-factor authentication for your WhatsApp account.

By Duran
October 5, 2018
News
English
October 5, 2018
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Password Security

How Instagram Accounts Get Hacked and How to Protect Yourself

Whether you're an Instagram personality or just a regular person using the platform to document snippets of your life, your account's security comes first. Just last month, Forbes noted that multiple Instagram users... Read more

May 16, 2018
How To

How To Change Your Password On Snapchat To Protect Your Privacy?

Forgot your Snapchat password? No biggie, there are several ways you can reset it. The easiest and fasted method is if you have a verified phone number or email address linked to your Snapchat account. Then you can... Read more

April 30, 2018
Tips

What Does Your Online Profile Reveal About You and How to Protect It Yourself?

A lot of people seem willing to argue that, largely thanks to social media, the concept of privacy is now well and truly dead. Some of these people share their views on their Facebook and Twitter profiles right... Read more

May 14, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.