The attack relies on mobile carriers' automated service to forward calls to different phone numbers, which is a service every major mobile carrier offers.

Unfortunately, it can be exploited by hackers by tricking users into forwarding their calls to a number that the hackers control. So when WhatsApp sends a one-time password (OTP) verification via voice call, the hackers wind up with the code.

Rahul Sasi is the CEO and founder of CloudSEK which is a digital risk protection company.

Sasi had this to say about the attack:

"First, you receive a call from the attacker who will convince you to make a call to the following number **67* or *405*. Within a few minutes, your WhatsApp would be logged out, and the attackers would get complete control of your account."

Once the hackers have tricked a user into forwarding their calls, they initiate the WhatsApp registration process on their device, naturally choosing the option to receive the OTP via voice call.

There are a few caveats here, and this methodology is by no means fool proof.  For example, the victim does get a text message stating that his/her WhatsApp account is being registered on another device.  When there's a lot going on that's easy to miss, but an observant user won't.

Also, if call forwarding has already been activated on the victim's device, then the attacker must use a different phone number than the one used for the redirection.  This usually won't stop a determined attacker, but it will take a bit more social engineering and moxie to pull off.

The bottom line is, if you're a WhatsApp user, someone may try this on you. So be on the alert for it.

Used with permission from Article Aggregator