WhatsApp account theft: do not enter this code!

This is a real problem around WhatsApp discovered by Rahul Sasi, leader of the company CloudSEK and made public by our colleagues from Bleeping Computer. Even if it cannot be attributed to WhatsApp, this technique risks claiming many victims. Manipulation involves tricking a WhatsApp user into dialing a special number to forward a call to another device. These numbers, called MMI codes, begin with * or # and their operation varies from one country to another and even from one operator to another.

As simple as a phone call

In the worst case, the victim, by dialing this code, will transfer all of his calls to the hacker’s phone. Once the call transfer is completed, the villain will simply steal the WhatsApp account by receiving the authentication code to become the new owner. And since it is not possible to have a WhatsApp account on two different devices, the application will disappear from the victim’s smartphone. The goal is of course for the pirate to pretend to be you, to have access to all your contacts to repeat the same manipulation or set up a scam (“Hi Patrick, it’s Jean-Paul, I’m having trouble with my WhatsApp, you don’t want to dial this number on your phone, I’ll explain later” Where “Hi Patrick, I’m stuck in Kosovo, you can send me a PayPal transfer, I’ll pay you back when I get back”). Nothing too hard to put in place, even by the most idiotic of criminals. However, it will take many attempts for a robber to succeed since, as mentioned above, these MMI codes work in different ways. For example, they can forward calls only when the original device is busy, for example. The hacker will therefore have to call the victim while recovering the WhatsApp authentication code on another device. Not obvious gymnastics, but far from being insurmountable.

Hackers steal WhatsApp accounts using call forwarding trick – @Ionut_Ilascuhttps://t.co/WhS3qDlq21

— BleepingComputer (@BleepingComputer) May 31, 2022

With a bit of social-engineering…

As Bleeping Computer explains, during the theft, messages are frequently sent to the victim to warn them that their account is being registered on another device. But beware, here again, the hacker can thwart the victim’s mistrust by using a small dose of social engineering: “You will receive messages, but don’t worry, it’s nothing”, “My WhatsApp is really screwing up, you’re going to receive weird messages”, etc. We can also imagine that the hacker continues to call the victim during the operation so that they avoid looking at their notifications.

In short, even if you know the person, never type a code on your device even for a matter of life or death. At worst, make a video call…