The attacks became so prevalent that Israel's National Cyber Security Authority issued a nationwide warning.
To start, attackers try to install the WhatsApp app on their own phone using a legitimate user's phone number.
WhatsApp attempts to verify the login attempt by sending a six-digit verification code via text message to the victim's telephone.
Hackers try to do this when the victim may not be checking their phone, such as nighttime.
WhatsApp then gives users the option to send the six-digit code via a phone call with an automated message.
Since the user isn't checking their phone, the message ideally goes to their voicemail.
The scammer then takes advantage of a security flaw in many telecommunications networks, which provides customers with a generic phone number to call and retrieve their voicemails.
For many voicemails, users only have to enter a four-digit PIN, which if they haven't changed it, is typically an easy password such as 0000 or 1234 by default.
Hackers enter the password and gain access to the victim's voicemail inbox, thereby allowing them to listen to the pre-recorded message from WhatsApp that contains the six-digit code.
They enter that code into their own device, giving them complete access to the victim's WhatsApp account.
Making matters worse, particularly savvy hackers can set up two-factor authentication for the WhatsApp account, which requires users to enter a unique PIN code if they want to re-verify their phone number.
This prevents the victim from regaining control over their own phone number, Sophos noted.
The attack was first documented by Ran Bar-Zik, a web developer at Oath, but resurfaced again in a new report by ZD Net.
Israeli security officials have warned that the attack has been on the rise in recent weeks.
They recommend that users turn on two-factor authentication on their account, which adds an extra layer of security to your account.
"Using application-based 2FA...mitigates a lot of the risk, because these mobile authentication apps don’t rely on communications tied to phone numbers," Sophos researchers explained.
Users can do that by navigating to Settings in WhatsApp, then tapping 'Account.' Navigate to the 'Two-step verification' heading and tap 'Enable.'
Further, experts say users should make sure they have a strong PIN on their voicemail inbox
-The Star