Another way to steal Whatsapp

Someone else's Whatsapp account is a tidbit. Attackers do not stand still and come up with more and more ways to hijack/capture other people's accounts. Let's break down the recent mass attack on Indian users of the service, for this also applies to any other country.

So, from the script in the link.

Scene 1.

The attacker persuades the victim to call the

**67*<10-digit-number>

or

*405*<10-digit-number>

where <10-digit-number> is the number under the attacker's control.

Scene 2 (in parallel)

Attacker requests whatsapp registration with a call, and catches the forwarded voice code to his <10-digit-number>, logs into his account, after which we are trivially thrown out of the account.

Comments

Pretty simple scheme, but there are a couple of inaccuracies:

1. **67*<10-digit-number> is an incomplete command, because any ussd-command must be closed at the end, in this case with a # grid, to get the following: **67*<10ти-значный-номер>#
2. **67* is not a redirection of all calls, as indicated in the link, but only when it is busy, so the victim must either flood (ie, call without stopping) at this point, so that it does become busy, or much easier - immediately feed the victim a valid command to redirect absolutely all calls: **21*<10-digit-number> #
3. *405* is a command of some Indian cellular operator, hence it is irrelevant to any other operator in the world.
4. Accordingly, your operator can have some other commands, which does not cancel the general scheme:

**<some digits>*<10-digit-number> #

Treatment

Well, first of all, it's never a good idea to call someone else's number. It's a scam 99% of the time, and the remaining 1% of the time the problem can probably be solved in another way. Social engineering attacks are always designed to be rushed: "quick/urgent/life-and-death". Just give yourself a couple of minutes to think about it, and we will probably end up laughing at the absurdity of such a request/request.

Second, it makes sense to enable 2-factor authentication wherever it can be enabled (not just in whatsapp). This may sound like agitation (similar to complex passwords), but in practice it really is a very effective way to protect your accounts.