Once a hacker is in, they gain access to their victims’ messages and contacts, which can be used to carry out more nefarious activities. Since most network service providers offer call-forwarding, the attack can be carried out in any part of the world.
Details of the WhatsApp Call-Forwarding Scam
WhatsApp is immensely popular around the globe, with approximately 2 billion monthly active users. Messaging apps like WhatsApp contain a treasure trove of personal and sensitive information, making them a regular target for cybercriminals. Rahul Sasi, founder and CEO of cybersecurity company CloudSEK, uncovered a new scam targeting users in India. In a post on his LinkedIn page, he provided details of how the attack is carried out. A target first receives a phone call from an attacker, who convinces them to make a call to a number starting with an MMI code. This is the carrier’s code to turn on call-forwarding. Once this is turned on, the hacker begins the WhatsApp registration process for the account registered with the victim’s mobile number. As a part of this, the attacker selects an option to receive the OTP via phone call. Since call-forwarding is now turned on, the OTP phone call goes to the cybercriminal’s device rather than the victim’s. Consequently, the attacker uses the OTP to log in to their target’s WhatsApp account. Furthermore, once they are in, the hackers turn on two-factor authentication to prevent the victim from regaining access to their account. The malicious actors can use the information on the WhatsApp account — private messages, photos, and full contact lists — to carry out other cybercrimes. This might include identity theft, extortion attempts, or even sextortion.
What is Social Engineering?
A crucial part of this scam is social engineering. These kinds of attacks involve gaining the trust of a victim in order to get access to sensitive information, like login credentials. In such attacks, the malicious actors usually engage in impersonation. They might pose as customer service representatives, members of a company’s IT staff, or a similarly trusted individual. These cybercrooks trick their targets into letting their guard down and sharing data that they might otherwise not. Most social engineering campaigns begin with phishing attacks. However, cybercriminals can also use a combination of tools and trickery in a campaign. For example, it was recently revealed that criminals impersonated law enforcement officials and gained access to user data from Apple and Meta. Here, the attackers used compromised email accounts to provide legitimacy to their campaign. Another recent high-profile social engineering scam targeted young Instagram users.
An Elaborate and Sophisticated Campaign
While Sasi mentioned that the scam was successful with popular Indian providers Airtel and Jio, he added that the attack would work in other parts of the world as well. Bleeping Computer conducted their own experiment with Verizon and Vodafone, confirming that the hack would also work on their networks. However, for the scam to succeed, it may not be enough for the attackers to rely solely on call-forwarding. Firstly, they must use an MMI code that forwards all calls, regardless of what state the mobile is in. Bleeping Computer also found that the target device receives a text message stating that WhatsApp is being set up on another device. Furthermore, to activate call-forwarding, the victim must confirm the action through an on-screen warning that cannot be skipped. Therefore, the attackers must use elaborate and sophisticated social engineering tactics to keep their victims on the call until they receive the voice OTP. Similarly, they must convince them to agree to the message and enable call-forwarding. If you found this story interesting, we recommend taking a look at our guide on WhatsApp fraud and other messaging scams to look out for.
