Experts warn of a new ongoing WhatsApp OTP scam that could allow attackers to hijack a victim’s WhatsApp account through phone calls and gain access to personal messages and contact list.
The method relies on the mobile carriers’ automated service to forward calls to a different phone number, and WhatsApp’s option to send a one-time password (OTP) verification code via voice call.
Founder and CEO of digital risk protection company CloudSEK, Rahul Sasi has warned about the scam.
In this fraudulent scheme the threat actors make a phone call to the victims to trick them into making a call at a phone number. Sasi explained that after a few minutes their WhatsApp account is logged out and attackers are able to take over them.
The number dialed by the victims is a service request for Jio and Airtel to do Call Forwarding when a mobile user is busy. Using this scheme, the attacker tricks the victims into enabling the call forwarding to a number under their control. Then the threat actors start the WhatsApp registration process for the victim’s number asking to send the OPT via phone call.
Since the phone is busy, the phone call is directed to the attacker’s phone, allowing him to gain control of the victim’s WhatsApp account.
Now, this fraudulent scheme is targeting only WhatsApp users in India, but experts warn that this kind of attack could be observed in almost any country where a similar forwarding service is available.
Protecting against this type of attack is by just turning on two-factor authentication protection in WhatsApp. This feature prevents threat actors from getting control of the account by requiring a PIN whenever you register a phone with the messaging app.