
Your WhatsApp account can be hacked using MMI codes


A new trick that combines call forwarding MMI codes with WhatsApp's OTP-over-call feature can end with you losing access to your WhatsApp account, letting an attacker gain access to your contacts and personal messages. The method was posted on LinkedIn by Rahul Sasi, founder and CEO of CloudSEK, an AI-powered digital risk monitoring platform.

The process starts with an attacker calling the victim out of the blue and convincing them to call a phone number owned by the attacker, prefixed with either **67* or *405*. These are the MMI codes for call forwarding on Airtel and Jio; once dialed, they forward incoming calls to the number the attacker gave the victim whenever the victim's phone is busy.

While the attacker stalls the victim on a call, they register the victim's number with WhatsApp on another device and request the OTP via a phone call. Since the victim's phone is busy, the OTP call gets forwarded to the attacker instead, who can then easily log into the victim's WhatsApp account, gaining immediate access to their personal messages.

Once the attacker gains access to the victim’s account, they can set up two-factor authentication and prevent the legitimate owner from getting their account back. 

Depending on the carrier, different MMI codes can be used to set up call forwarding. Since most carriers around the world support this functionality, the trick can be used globally, albeit with a few shortcomings. 

Carriers inform users when call forwarding has been set up on their numbers; however, it's unlikely that the victim will see this prompt from the carrier, considering the attacker is stalling them on a phone call. Additionally, users may also miss this warning given the effort the attacker puts into social engineering.

Another caveat reported by BleepingComputer is that the attacker needs to make sure that the MMI code forwards all calls, regardless of the victim's phone state. If the MMI code only forwards calls when the phone line is busy, call waiting can cause the process to stop dead in its tracks.
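
As a defensive illustration (an added example, not code from the article or from CloudSEK), the sketch below checks whether a string someone asks you to dial would set up call forwarding, and whether it diverts every call or only calls arriving in a given state. It goes beyond the two prefixes in the article by also recognising the standard GSM forwarding codes from 3GPP TS 22.030; the function name, the result fields and the sample numbers are assumptions made for this example.

```python
import re

# Call-forwarding service codes from 3GPP TS 22.030 (standard across GSM carriers).
STANDARD_CODES = {
    "21": "all calls (unconditional)",
    "67": "when busy",
    "61": "when unanswered",
    "62": "when unreachable",
    "002": "all forwarding types",
    "004": "all conditional forwarding types",
}
# Carrier-specific prefix named in the article (Jio); condition as the article describes it.
CARRIER_CODES = {"405": "when busy (Jio prefix, per the article)"}
# Codes that divert every incoming call, so call waiting does not stop the diversion.
ALL_CALL_CODES = {"21", "002"}

# *SC*number# and **SC*number# both set up forwarding; extra *fields (e.g. a timer) may follow.
MMI_FORWARD = re.compile(r"^(\*{1,2})(\d{2,3})\*(\+?\d+)(?:\*\d*)*#?$")


def check_dial_string(dialled):
    """Return details of the forwarding a dial string would set up, or None if it sets none."""
    compact = re.sub(r"[\s\-()]", "", dialled)
    match = MMI_FORWARD.match(compact)
    if not match:
        return None
    stars, code, target = match.groups()
    condition = STANDARD_CODES.get(code) or CARRIER_CODES.get(code)
    if condition is None:
        return None  # some other service code, not call forwarding
    return {
        "prefix": f"{stars}{code}*",
        "forward_to": target,
        "condition": condition,
        "diverts_all_calls": code in ALL_CALL_CODES,
    }


if __name__ == "__main__":
    # Constructed sample inputs; 9000000000 is a placeholder number.
    for s in ["**67*9000000000#", "*405*9000000000", "**21*9000000000#",
              "+91 90000 00000", "*123#"]:
        hit = check_dial_string(s)
        if hit:
            print(f"WARNING {s}: forwards your calls {hit['condition']} to {hit['forward_to']}")
        else:
            print(f"ok      {s}: no call forwarding")
```
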



Yadullah Abidi
