He explains that attackers can take advantage of two things: a user’s availability and how identity verification works on WhatsApp.

A user who is not available to respond to verification checks—whether they’re asleep, in-flight, or have simply set their smartphone to “do not disturb”—may be at risk of losing their WhatsApp account. All an attacker needs is their target’s phone number.


Here’s how it works. 

The attacker attempts to log in to a WhatsApp account. As part of the verification process, WhatsApp sends an SMS with a PIN to the phone number tied to the account.


The user is unavailable so doesn’t realise there is a suspicious login. The attacker then tells WhatsApp that the SMS didn’t arrive and asks for verification by phone call.


Since the account owner is still unavailable and cannot pick up the call, the call goes to the number’s voicemail. Knowing the target’s phone number, the attacker then attempts to access their voicemail by keying in the last four digits of the user’s mobile number, which is usually the default PIN code to access the user’s voicemail.


The attacker then has the WhatsApp verification code, and can use it to access the victim’s WhatsApp account. They can then set up their own 2FA (two-factor authentication) on it, leaving the actual owner locked out of their own account.


Once the account has been hijacked, the attacker could use it to hijack accounts of the user’s contacts, spread malware, or hold the account hostage until the owner pays up to get it back.


How to protect your own WhatsApp account

This isn’t a new tactic, and has been around for a while, but there are two pretty simple things you can do to avoid it happening to you.

1. Change the default PIN of your voicemail. If you have a standard carrier greeting is will be pretty easy for a hacker to work out what the standard pin is.

2. Change your message for a personalised one that does not hint who the carrier is.

3. Enable two-step verification on your WhatsApp account:

  • Open Settings.
  • Tap Account > Two-step verification > Enable.
  • Enter a six-digit PIN.
  • Enter an email address, or tap Skip if you don’t want to. WhatsApp says it recommends adding an email address so you can reset two-step verification if you need to.
  • Tap Next.
  • Confirm the details and tap Save or Done.


We don’t just report on threats—we can help remove them

Cybersecurity risks should never spread beyond a headline. HM Network are a Malwarebytes partner and can help you scan, identify, quarantine and remediate threats. If you need help please contact us.

Originally Posted:  by Malwarebytes Labs