Criminals Are Now Hacking WhatsApp Accounts Using This Call Forwarding Trick



CloudSEK, a digital risk management company, has discovered a new WhatsApp vulnerability that cybercriminals can use to take control of an unwary user’s WhatsApp account.

The approach requires some social engineering skills, including calling the victim – and takes advantage of the fact that most average WhatsApp users are unfamiliar with MMI codes.

Within a few minutes of the process starting, your WhatsApp would be logged out, and the criminals would have total control of your account.

Rahul Sasi, CloudSEK CEO

The current hack is another reason why WhatsApp users must take security seriously.

How The Hack Works

According to Sasi, an attacker must first persuade the victim to dial a number that begins with a Man-Machine Interface (MMI) code that the cell carrier has set up to allow call forwarding. Depending on the carrier, separate MMI codes forward all calls from a handset to a different phone, or forward them only when the line is busy or there is no coverage.

These codes begin with a hash (#) or star (*). The codes are easily accessible and are supported by many mobile network carriers.

First, you receive a phone call from the perpetrator, who will persuade you to dial **67* or *405* followed by a 10-digit number. Within minutes, your WhatsApp account will be locked out, and the attacker will have total access to your account.

The report indicates that the 10-digit number belongs to the attacker, and the MMI code in front of it instructs the mobile carrier to redirect all calls to the phone number that comes after it whenever the victim’s line is busy. Once the victim has been tricked into redirecting calls to the attacker’s number, the attacker begins the WhatsApp registration procedure on their own smartphone, selecting the option to receive the OTP by voice call.

They can then use that code to set up the target’s WhatsApp account on their smartphone. The victim may receive a WhatsApp alert notifying them that they have been signed in on another device, but this may be easily disregarded if the hacker calls and engages the victim in a conversation.
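
As an added example (not from CloudSEK or the original article), the Python check below flags a dial string that would set up call forwarding before anyone dials it. The 21/61/62/67/002/004 service codes are the standard ones from 3GPP TS 22.030, 405 is the carrier-specific prefix mentioned above, and every phone number shown is constructed.

```python
import re

# Call-forwarding service codes from 3GPP TS 22.030, plus the
# carrier-specific 405 prefix named in the article.
FORWARDING_CODES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "when unanswered",
    "62": "when unreachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
    "405": "carrier-specific (from the article)",
}

# "*" or "**" (activate/register), service code, "*", target number,
# then optional "*"-separated parameters and an optional closing "#".
MMI_FORWARD = re.compile(r"^(\*{1,2})(\d{2,3})\*(\+?\d{6,15})(?:\*\d*)*#?$")


def check_dial_string(raw):
    """Return (condition, target) if dialing `raw` would enable call
    forwarding, or None if it would not."""
    # Strip the spacing and punctuation a caller might dictate over the phone.
    cleaned = re.sub(r"[\s\-().]", "", raw)
    match = MMI_FORWARD.match(cleaned)
    if match is None:
        return None
    condition = FORWARDING_CODES.get(match.group(2))
    if condition is None:
        return None  # some other supplementary service, not forwarding
    return condition, match.group(3)


if __name__ == "__main__":
    # Constructed sample inputs; the numbers are placeholders.
    samples = ["**67*9876543210", "*405* 98765 43210", "*123#", "9876543210"]
    for sample in samples:
        hit = check_dial_string(sample)
        if hit:
            print(f"{sample!r}: forwards calls ({hit[0]}) to {hit[1]}")
        else:
            print(f"{sample!r}: not a call-forwarding code")
```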

How Can You Avoid The WhatsApp Hack?

Turning on two-factor authentication (2FA) in WhatsApp is one simple way to ensure this never happens to you. This way, the hacker would require not just your number but also a security code, making the attack ineffective.

This article has tips on how to enable 2FA. If you can, download an authenticator app instead, and use that to receive your codes. That’s preferable.

Getting multifactor authentication is easy with this guide: 5 Easy Steps To Get Two-Factor Authentication & Why You Need It.

Josh Breaker

Josh is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits, and security defenses, as well as research and innovation in information security. He has also written and edited for numerous publications, including the Boston Business Journal and the Boston Phoenix.