Hackers love targeting WhatsApp users with new scams every time a vulnerability is exposed. With so many users on the messaging platform, it's a lucrative playground for cyber-criminals out to steal personal and financial information. And sometimes it doesn't even take a software exploit to get into the application: a weak link outside WhatsApp itself, such as an unsuspecting user's voicemail PIN, can be enough.

Setting up the scam

Sophos, a leading anti-virus software provider, has published details on its blog of a new attack that can be used to take over your account. The tactic involves commandeering your voicemail inbox, which sits with your mobile network rather than with WhatsApp and is typically protected far more weakly than the end-to-end encrypted messaging service itself. The scam was deemed serious enough that one country's national cyber security authority issued a warning to all of its residents.

To kick off the scam, the hacker installs the WhatsApp application on their own phone but registers it with a legitimate user's phone number. Every new registration has to be tied to a working phone number, and to prove that the person registering really controls that number, WhatsApp sends a six-digit verification code by text message to it.

To stop the real user noticing that code, attackers time the attempt for when the victim is unlikely to be looking at their phone, such as at night. If the text message goes unused, WhatsApp offers the option of an automated phone call that reads the code out instead, and because the user is unlikely to answer out of hours, the call goes to voicemail.

Hijacking your account

Once that call has landed in the legitimate user's voicemail inbox, the scammer is ready to pounce. The attack relies on a weakness common to a large number of mobile networks: the voicemail inbox can be accessed remotely by calling a central voicemail number and entering a four-digit PIN. Because so many users never change this PIN from the default, typically 0000 or 1234, the attacker can usually guess it in a couple of attempts.

With the PIN accepted, the hacker is into the voicemail inbox and can play back the recording of the automated call. Since it contains the six-digit WhatsApp verification code, the hacker can complete the fake registration and take over the victim's WhatsApp account.

To make matters worse, if hackers succeed in taking over your account, they can then enable WhatsApp's own two-step verification with a PIN of their choosing, which would stop you from re-registering your number and getting your account back. The same feature, switched on by you first, is the defence: with two-step verification enabled, a stolen verification code on its own is not enough to register your number on another phone. Changing your voicemail PIN from the network default closes the other half of the attack.


If you'd like any help in improving your security, such as setting up two-factor authentication on your WhatsApp account, then you can get in touch with WiseGuys for help and advice. Call us on 0808 123 2820 or drop into our walk-in centre in Christchurch or Bournemouth and we'll be happy to help.