- The new attack method hijacks WhatsApp accounts using the service providers’ voicemail feature.
- The attacker can prevent a legitimate user from regaining control over his WhatsApp account.
The Israeli government has reportedly sent out a nation-wide security alert, warning that WhatsApp accounts are being hijacked by attackers using a new method. The new attack method hijacks WhatsApp accounts using the service providers’ voicemail feature.
“We have received several reports of private accounts being hacked,” the Prime Minister's Office said in a statement, according to local reports.
The new attack method was first documented last year by Ran Bar-Zik, an Israeli web developer at Oath, ZDNet reported. Any user with an active voicemail account linked to their phone number is reportedly at risk. Users are advised to change their default voicemail password, which is typically 0000 or 1234.
The account takeover begins with an attacker attempting to register a legitimate user’s phone number on a new WhatsApp installation on the attacker’s own phone. WhatsApp sends a one-time code via SMS to the victim’s phone. Although this alerts the legitimate user, according to Bar-Zik, the attacker can easily continue with the intrusion by conducting the attack at night, when the victim is asleep and away from his/her phone.
Carrying out the attack at night also ensures that multiple SMS validation attempts fail, which in turn prompts WhatsApp to offer “voice verification”. The victim then receives a call that recites the one-time verification code.
If the victim does not answer the call, the recorded code is saved in the user’s voicemail box. The attacker can access the victim’s voicemail account by entering the default password and obtain the one-time code sent by WhatsApp, completing the account hijack.
Once the attacker gains access to the victim’s WhatsApp account, he can then replace the account’s two-factor authentication setting with a six-digit PIN that only the attacker knows. This effectively prevents the legitimate user from regaining control of his/her WhatsApp account.
Security researcher Martin Vigo demonstrated the hijack in a video at DEF CON 26. His demonstration showed how attackers could use the same technique to hijack Facebook, Google, Twitter, WordPress, eBay or PayPal accounts. Vigo also created a separate tool to automate this attack, called Ransombile.
“It is a VERY known issue and I don't think it is related to Facebook but to the weak security of the phone company's answering machine,” Bar-Zik also told ZDNet.
Israeli authorities recommended that users protect themselves by using strong and unique passwords for voicemail accounts and enabling two-factor authentication. Security researchers also believe that, because the new attack technique requires no technical skills or equipment, it could easily be used by even low-level or amateur cybercriminals to hijack WhatsApp accounts.
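The chain described in the article (SMS code, voice-call fallback, unanswered call landing in a voicemail box protected by a factory-default PIN) is short enough to model end to end, which makes it easy to see which of the recommended defenses actually breaks it. The following Python is an added illustration, not code from the article, from WhatsApp or from the researchers named: the verification service, the carrier voicemail box and the attacker are toy models with no real API behind them, and the number of SMS attempts before the service falls back to a voice call (three) is an assumption of the model. It runs each scenario named in the article and reports whether the modeled attacker ends up holding the account.

```python
"""Threat-model simulation of the voicemail OTP hijack (added example).

Not code from the article, WhatsApp or the researchers; every component
here is a toy model. The SMS-attempt limit before voice fallback is an
assumption chosen for the model.
"""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Factory-default voicemail PINs named in the article.
DEFAULT_VOICEMAIL_PINS = ("0000", "1234")


@dataclass
class VoicemailBox:
    """Carrier voicemail: anyone who knows the PIN can replay the messages."""
    pin: str
    messages: list = field(default_factory=list)

    def leave_message(self, text: str) -> None:
        self.messages.append(text)

    def retrieve(self, pin_attempt: str) -> Optional[list]:
        return list(self.messages) if pin_attempt == self.pin else None


@dataclass
class Victim:
    voicemail: VoicemailBox
    two_step_pin: Optional[str] = None   # WhatsApp two-step verification PIN, if enabled
    answers_calls: bool = False          # False models the night-time attack window


class VerificationService:
    """Toy model of the phone-number verification flow."""
    SMS_ATTEMPTS_BEFORE_VOICE = 3  # assumption for the model, not a known WhatsApp value

    def __init__(self) -> None:
        self.sms_attempts = 0
        self.pending_code: Optional[str] = None

    def request_code(self, victim: Victim) -> str:
        self.pending_code = f"{secrets.randbelow(10**6):06d}"
        if self.sms_attempts < self.SMS_ATTEMPTS_BEFORE_VOICE:
            self.sms_attempts += 1
            return "sms"   # code lands on the victim's handset, unreadable to the attacker
        if victim.answers_calls:
            return "voice_answered"   # victim hears the code; the attacker never sees it
        # Unanswered voice verification falls through to the carrier's voicemail.
        victim.voicemail.leave_message(f"Your verification code is {self.pending_code}")
        return "voice_to_voicemail"

    def confirm(self, victim: Victim, code: str, two_step_pin: Optional[str]) -> bool:
        if code != self.pending_code:
            return False
        # Two-step verification is a second secret that the voicemail never carries.
        if victim.two_step_pin is not None and two_step_pin != victim.two_step_pin:
            return False
        return True


def simulate_takeover(victim: Victim, pin_guesses=DEFAULT_VOICEMAIL_PINS) -> bool:
    """Return True if the modeled attacker ends up holding the account."""
    service = VerificationService()
    channel = service.request_code(victim)
    # The attacker keeps re-requesting until the service falls back to voice.
    while channel == "sms":
        channel = service.request_code(victim)
    if channel != "voice_to_voicemail":
        return False
    for guess in pin_guesses:
        messages = victim.voicemail.retrieve(guess)
        if messages is None:
            continue
        match = re.search(r"\b(\d{6})\b", messages[-1])
        if match and service.confirm(victim, match.group(1), two_step_pin=None):
            return True
    return False


def mitigation_matrix() -> dict:
    """Which of the defenses named in the article break the chain in this model."""
    return {
        "default_pin_no_2sv": simulate_takeover(Victim(VoicemailBox("0000"))),
        "strong_pin": simulate_takeover(Victim(VoicemailBox("738204"))),
        "default_pin_with_2sv": simulate_takeover(
            Victim(VoicemailBox("1234"), two_step_pin="462913")),
        "victim_answers": simulate_takeover(
            Victim(VoicemailBox("0000"), answers_calls=True)),
    }


if __name__ == "__main__":
    for scenario, hijacked in mitigation_matrix().items():
        print(f"{scenario:22s} -> {'hijacked' if hijacked else 'safe'}")
```

The model makes the article's two recommendations concrete: a non-default voicemail PIN stops the attacker from ever reading the code, and an enabled two-step verification PIN means the code alone is not enough to register the number. It also shows why the night-time timing matters, since an answered call never reaches the mailbox at all.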