Week 32: WhatsApp hacking via voicemail

15.08.2023 - Cybercriminals are still targeting WhatsApp accounts. Attackers are pulling out all the stops to obtain the PIN code for resetting an account and they particularly appreciate having the code read out over the phone. If this is done at night, the code usually ends up being sent to voicemail, which is then hacked to obtain the information. The NCSC is currently receiving a lot of reports of hacked WhatsApp accounts.

Two years ago, the NCSC already reported on the possibility of WhatsApp accounts being taken over through a hacked voicemail account, see Week 30 in review. The NCSC is again receiving an increasing number of reports of this kind.

The victims all report that many different calls were received overnight, and that access to WhatsApp was then blocked. Their friends report strange profile pictures on the hacked account, and unknown numbers appear in group chats. WhatsApp also reports that the account owner has violated the terms of use. The hackers also set up two-factor authentication to prevent the account from being "recaptured" by the actual owner.

Once hacked, the existing groups are also taken over (outlined in red). This is done by adding foreign numbers to the group chat.

The NCSC's own tests showed how the hackers proceed. In a first step, the hacker registers the number to be attacked as his own in his WhatsApp. A code is then sent to the email address stored on the account to check its authenticity. If this method does not work, it is possible to request a call and have the code read out. The code is also read out if the call goes to voicemail. Many voicemail accounts still have a password that has not been changed since it was set up. This means that the default password, e.g. the last four digits of the telephone number, is still valid. Hackers take advantage of this and use it to access the saved voicemail message containing the reset code.

Suspicious calls in the middle of the night. The probability is high that no one will answer the call and the codes will end up on voicemail. The phone numbers used are mostly spoofed (fake).

After the hackers have taken over the WhatsApp account, they immediately activate two-factor authentication to prevent the victim from easily recovering their account. Afterwards, the hackers often try to attack accounts from the friends list as well.

  • Change all default passwords as quickly as possible. Do not choose trivial combinations that are easy to guess.
  • Use two-factor authentication whenever possible. This is sometimes called two-step verification. You can find more information on the S-U-P-E-R campaign website:
    https://www.ncsc.admin.ch/ncsc/en/home/aktuell/im-fokus/2023/ks-zugang-sichern.html
  • If you receive suspicious messages from your telephone provider, you should report the incident to them as soon as possible.
  • As a general rule, PIN codes should be treated in the same way as passwords. Under no circumstances should such information be passed on to third parties or entered on insecure websites.
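
An added example, not part of the NCSC advisory: a Python check that a provider or help desk could run when a voicemail PIN is set, flagging the default pattern described above (the last digits of the telephone number) and trivial combinations. The function names, the minimum length and the sample number are assumptions made for this illustration.

```python
import re

def _period(pin: str) -> int:
    """Length of the shortest block that, repeated, yields the PIN (1111 -> 1, 1212 -> 2)."""
    n = len(pin)
    for p in range(1, n):
        if n % p == 0 and pin[:p] * (n // p) == pin:
            return p
    return n

def _is_sequence(pin: str) -> bool:
    """True for runs stepping by +1 or -1, wrapping 9 <-> 0 (1234, 9876, 7890)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def voicemail_pin_findings(pin: str, phone_number: str, min_length: int = 6) -> list[str]:
    """Return the reasons a voicemail PIN is weak; an empty list means no finding.

    min_length is an assumed policy value, not taken from the advisory.
    """
    if not re.fullmatch(r"[0-9]+", pin):
        return ["not a numeric PIN"]
    digits = re.sub(r"\D", "", phone_number)  # drop '+', spaces and separators
    findings = []
    if len(pin) < min_length:
        findings.append(f"shorter than {min_length} digits")
    # The default the advisory describes: PIN equals the tail of the number.
    if pin == digits[-len(pin):]:
        findings.append("default pattern: last digits of the phone number")
    elif len(pin) >= 4 and pin in digits:
        findings.append("contained in the phone number")
    # Trivial combinations that are easy to guess.
    if _period(pin) < len(pin):
        findings.append("repeated digit or block")
    elif _is_sequence(pin):
        findings.append("ascending or descending run")
    return findings

if __name__ == "__main__":
    number = "+41 79 555 01 42"  # constructed sample number
    for candidate in ("0142", "5550", "1111", "121212", "123456", "839204"):
        print(candidate, voicemail_pin_findings(candidate, number) or "no finding")
```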

Last modification 15.08.2023

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/wochenrueckblick_32.html