Cyber Incident Victim: Mirror Protocol
Date: May 2022
Location: India
Summary
A WhatsApp OTP scam allowed threat actors to hijack users' accounts in India. The scam involved tricking victims into enabling call forwarding to a number controlled by the attackers. Once forwarding was active, the attackers started the WhatsApp registration process for the victim's number and chose to receive the OTP by phone call. That call was redirected to the attacker's phone, giving them the code needed to take control of the victim's WhatsApp account. The scam abused a legitimate call-forwarding service request offered by Indian telecom providers rather than any flaw in WhatsApp itself.
Description
On May 30, 2022, cybersecurity researchers disclosed a targeted attack campaign exploiting telecom call-forwarding features to hijack WhatsApp accounts. CloudSEK founder Rahul Sasi identified a scam in which threat actors phoned victims and instructed them to dial specific numbers beginning with 405 or 67. These are service codes used by the Indian telecom providers Jio and Airtel to activate conditional call forwarding: incoming calls are redirected while the recipient's line is busy. By dialing the code with the attacker's number appended, victims unknowingly set their forward-when-busy target to a number controlled by the threat actors. With the victim still on the phone, and the line therefore busy, the attackers initiated the WhatsApp account registration process for the victim's phone number and selected the "OTP via phone call" verification method. Because the line was busy, the automated WhatsApp verification call was forwarded to the attacker's device, giving them the one-time password required to take over the account. Victims typically discovered the compromise only when their WhatsApp sessions were abruptly logged out. At the time of reporting the attack exclusively targeted Indian WhatsApp users, relying on carrier-specific service codes.

The incident affected an unspecified number of WhatsApp users whose accounts were fully compromised, enabling unauthorized access to messages, contacts, and linked services. The attackers required no technical exploitation of WhatsApp's infrastructure; the scheme relied entirely on social engineering and misuse of legitimate telecom services. Security experts noted that the scheme is viable in any region whose carriers offer comparable call-forwarding features, raising concerns about expansion beyond India. No coordinated response from WhatsApp, telecom operators, or law enforcement was detailed in the initial disclosure. The attack's success hinged on victims manually enabling call forwarding under false pretenses, which distinguishes it from a vulnerability in WhatsApp's authentication system. Researchers emphasized that the incident illustrates the risk created when an application's verification mechanism depends on telecom call routing that the user, and therefore an attacker coaching the user, can change.
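The routing logic that makes the hijack work is easier to see in a small simulation. The following is an added example written for this page; it is not code from the original page, from CloudSEK, or from WhatsApp. It models a carrier with forward-when-busy rules, a verification service that reads a one-time code over a voice call, and the three outcomes that matter: the victim is kept on the line (account lost), the victim hangs up before the verification call (forwarding never triggers), and the victim has a two-step verification PIN (the OTP alone is not enough). The phone numbers are constructed; treating both the 405 and 67 prefixes as "forward when busy" and the `*<code>*<target>#` dialing format are assumptions made for the model.

```python
"""Simulation of the call-forwarding OTP hijack described above.

Added example; not code from the original page, CloudSEK or WhatsApp. The
carrier, forwarding rules and verification flow are simplified models written
for this page. Phone numbers are constructed. Mapping both the 405 and 67 codes
to "forward when busy" and the *<code>*<target># format are assumptions.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Service-code prefix -> forwarding condition it activates (assumption, see above).
FORWARD_CODES = {"405": "busy", "67": "busy"}


@dataclass
class Line:
    number: str
    busy: bool = False                          # True while the subscriber is on a call
    forward_when_busy: Optional[str] = None     # target number, or None if not set
    received: list = field(default_factory=list)  # voice messages this handset heard


class Carrier:
    """Minimal mobile network: lines, forwarding rules, and call routing."""

    def __init__(self) -> None:
        self.lines: dict = {}

    def provision(self, number: str) -> Line:
        self.lines[number] = Line(number)
        return self.lines[number]

    def dial(self, caller: str, dialed: str) -> Optional[str]:
        """Handle a dialed string from `caller`.

        A service request of the form *<code>*<target># changes the caller's own
        forwarding settings and returns None. Anything else is a voice call and
        returns the number that actually rings (None if nobody does).
        """
        body = dialed[1:-1]
        if dialed.startswith("*") and dialed.endswith("#") and "*" in body:
            code, target = body.split("*", 1)
            if FORWARD_CODES.get(code) == "busy":
                self.lines[caller].forward_when_busy = target
            return None
        return self.route(dialed)

    def route(self, callee: str) -> Optional[str]:
        """Forward-when-busy: the call is redirected only while the line is busy."""
        line = self.lines[callee]
        if line.busy:
            return line.forward_when_busy       # forwarded target, or None (busy tone)
        return callee

    def deliver_voice(self, callee: str, message: str) -> Optional[str]:
        """Place a call to `callee`, speak `message` to whoever answers, return who heard it."""
        recipient = self.route(callee)
        if recipient is not None:
            self.lines[recipient].received.append(message)
        return recipient


class VerificationService:
    """Phone-number verification: a one-time code is read out over a voice call."""

    def __init__(self, carrier: Carrier) -> None:
        self.carrier = carrier
        self.pins: dict = {}        # numbers with a two-step verification PIN
        self.pending: dict = {}     # number -> outstanding OTP

    def enable_two_step(self, number: str, pin: str) -> None:
        self.pins[number] = pin

    def request_otp_by_call(self, number: str) -> Optional[str]:
        """Issue a 6-digit OTP and call the number; the carrier decides who hears it."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[number] = otp
        return self.carrier.deliver_voice(number, f"Your verification code is {otp}")

    def register(self, number: str, otp: str, pin: Optional[str] = None) -> bool:
        """Registration needs the right OTP and, if two-step is enabled, the PIN too."""
        if self.pending.get(number) != otp:
            return False
        if number in self.pins and self.pins[number] != pin:
            return False
        del self.pending[number]
        return True


def run_scam(victim_kept_on_line: bool, two_step_pin: Optional[str] = None) -> bool:
    """Replay the campaign; return True if the attacker ends up owning the account."""
    carrier = Carrier()
    victim = carrier.provision("+919876500001")     # constructed numbers
    attacker = carrier.provision("+919876500002")
    service = VerificationService(carrier)
    if two_step_pin:
        service.enable_two_step(victim.number, two_step_pin)

    # 1. Social engineering: the victim dials the "service request", which silently
    #    sets forward-when-busy on their own line to the attacker's number.
    carrier.dial(victim.number, f"*405*{attacker.number}#")
    # 2. The attacker keeps the victim talking so the line stays busy (or not).
    victim.busy = victim_kept_on_line
    # 3. The attacker starts registration for the victim's number, OTP via call.
    service.request_otp_by_call(victim.number)
    # 4. Whoever heard the call extracts the code; the attacker never knows the PIN.
    heard = [msg.split()[-1] for msg in attacker.received]
    if not heard:
        return False
    return service.register(victim.number, heard[-1], pin=None)
```

Two practical checks follow from the model. Conditional forwarding only fires while the line is busy, which is why the caller keeps the victim talking; a subscriber can inspect the setting with the standard GSM interrogation codes (`*#67#` for forward-when-busy, `*#21#` for unconditional forwarding) and clear all forwarding with `##002#`. And because an OTP delivered by voice inherits whatever routing the carrier applies, an account-level second factor that the carrier cannot redirect, such as WhatsApp's two-step verification PIN, is what actually stops the takeover.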
