Cybercriminals could be using your voicemail to access your WhatsApp account


Contrary to popular belief, cybercriminals do not always use innovative phishing techniques to steal our personal data. In many cases the entry routes are far less sophisticated, and voicemail is a good example. It appears to have been the entry point for the account theft that affected 11 million WhatsApp users a year ago.

When we talk about cybercrime, it is common to associate it with advanced and innovative techniques used to access the databases of big companies and get hold of our personal information. However, the reality is very different. Large criminal groups base their work on finding vulnerabilities and entry points in places that, for different reasons, have been neglected in terms of security in recent years. A simple voicemail box can be one of them.

On November 25, 2022, the data of 11 million users who actively use WhatsApp went up for sale. Until now, however, it was not known how the theft was carried out. It has now been confirmed that it was done through the mailboxing technique, helped by the main operators' neglect of security.

Voicemail to validate an account

When we have to verify our WhatsApp account, the application offers us two ways: SMS or phone call. The scammers used the second way to obtain the verification code and then use the account normally. To do this, the criminals installed WhatsApp normally and registered with the number they wanted to access. Next, instead of requesting verification by SMS, they requested it through a phone call, taking care to do so at a time when the user would not be able to answer the call, such as during the night.

However, it is worth remembering that accessing a voicemail box at any operator requires a password that allows access to the content. So how was it possible? A video available on YouTube gives an idea of what this process was like. By forcing the automated voice system of the operator in question, it was possible to change the password and access all the content stored in these messages. In this case, the content of interest was the WhatsApp verification code.

With some operators, it was not even necessary to enter a password if the call was made from the same mobile number. However, it was overlooked that changing the caller ID is relatively simple if you have the right knowledge.

WhatsApp has taken measures in this regard

Although this vulnerability has its origin in the security of the operators, WhatsApp has decided, following this leak, to add an intermediate step when we receive the verification code through a voice call. This prevents the mailboxing technique from being automated and prevents the voicemail from recording the content of the call if the user does not answer it. From now on, WhatsApp does not say the verification code unless the user presses a specific key that is announced during the call. If the voicemail picks up, the voice message will not start and the call will hang up automatically, minimizing the chances that this technique can continue to be used in the future.
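The difference between the two call flows can be modeled in a few lines. This is an added example, not WhatsApp's code: the class and function names, the prompt wording, the per-call random key and the two-attempt limit are all assumptions made for illustration.

```python
import secrets

class Voicemail:
    """Mailbox that answers when the user does not: records audio, sends no keys."""
    def __init__(self):
        self.recording = []
    def hear(self, prompt):
        self.recording.append(prompt)
    def read_dtmf(self):
        return None

class Human:
    """User who listens to the prompt and presses the digit it announces."""
    def __init__(self):
        self.heard = []
    def hear(self, prompt):
        self.heard.append(prompt)
    def read_dtmf(self):
        return next(c for c in self.heard[-1] if c.isdigit())

def legacy_call(callee, code):
    """Earlier flow: the code is spoken as soon as anything picks up."""
    callee.hear(f"Your verification code is {code}")
    return "code_spoken"

def gated_call(callee, code, attempts=2):
    """Flow with the intermediate step: speak the code only after the announced key."""
    for _ in range(attempts):
        key = str(secrets.randbelow(10))  # assumption: key chosen per call
        callee.hear(f"Press {key} to hear your verification code")
        if callee.read_dtmf() == key:
            callee.hear(f"Your verification code is {code}")
            return "code_spoken"
    return "hung_up"

def code_in_recording(mailbox, code):
    return any(code in line for line in mailbox.recording)

def demo():
    code = f"{secrets.randbelow(10**6):06d}"  # constructed sample code
    old_box, new_box, user = Voicemail(), Voicemail(), Human()
    return {
        "legacy_voicemail_leaks": legacy_call(old_box, code) == "code_spoken"
                                  and code_in_recording(old_box, code),
        "gated_voicemail_result": gated_call(new_box, code),
        "gated_voicemail_leaks": code_in_recording(new_box, code),
        "gated_human_result": gated_call(user, code),
    }

if __name__ == "__main__":
    print(demo())
```

In the gated flow the mailbox only ever records the "press a key" prompts, so nothing usable is left in the voicemail even if the call goes unanswered.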
