15.08.2023 - Cybercriminals are still targeting WhatsApp accounts. Attackers are pulling out all the stops to obtain the PIN code for resetting an account and they particularly appreciate having the code read out over the phone. If this is done at night, the code usually ends up being sent to voicemail, which is then hacked to obtain the information. The NCSC is currently receiving a lot of reports of hacked WhatsApp accounts.
Two years ago, the NCSC already reported on the possibility of WhatsApp accounts being taken over through a hacked voicemail account, see Week 30 in review. The NCSC is again receiving an increasing number of reports of this kind.
NCSC's own tests showed how the hackers proceeded. In a first step, the hacker passed off the number to be attacked as his own on his WhatsApp. A code was then sent to the email address stored on the account to check its authenticity. If this method does not work, it is possible to be called and have the code read out. This is also done if the call goes to voicemail. Many voicemail accounts still have a password that has not been changed since it was set up. This means that the default password, e.g. the last four digits of the telephone number, is still valid. Hackers take advantage of this and use it to access the message with the saved password reset.
After the hackers have taken over the WhatsApp account, they immediately activate two-factor authentication to prevent the victim from easily recovering their account. Afterwards, the hackers often try to attack accounts from the friends list as well.
- Change all default passwords as quickly as possible. Do not choose trivial combinations that are easy to guess.
- Use two-factor authentication whenever possible. This is sometimes called two-step verification. You can find more information on the S-U-P-E-R campaign website:
- If you receive suspicious messages from your telephone provider, you should report the incident to them as soon as possible.
- As a general rule, PIN codes should be treated in the same way as passwords. Under no circumstances should such information be passed on to third parties or entered on insecure websites.
Last week's reports by category:
Last modification 15.08.2023