Skip to main content

Wadukuzi Watumia Mbinu ya Kusambaza Simu ( Call forwarding ) Kupata Akaunti za WhatsApp



Mdukuzi (An attacker) anaweza kuteka akaunti ya WhatsApp ya mwathirika na kupata ufikiaji wa ujumbe wa kibinafsi na anwani kupitia hila. Mbinu inategemea huduma ya usambazaji wa simu moja kwa moja ( Call forwarding )  inayotolewa na wabebaji wa simu za mkononi na chaguo la WhatsApp kutoa nambari ya uthibitishaji wa nenosiri la wakati mmoja (OTP) kupitia simu ya sauti. 

Kulingana na Rahul Sasi, mwanzilishi na Mkurugenzi Mtendaji wa CloudSEK, biashara ya kuzuia hatari ya dijiti, mkakati huo hutumiwa kudukua akaunti za WhatsApp. Inapojaribiwa, iligunduliwa kuwa njia hiyo inafanya kazi, lakini kwa shida kadhaa ambazo mdukuzi mwenye uzoefu wa kutosha anaweza kupita. Wadukuzi wanaweza kuchukua akaunti ya WhatsApp ya mwathirika kwa dakika chache tu, lakini lazima kwanza wapate nambari ya simu ya mlengwa na kuwa tayari kushiriki katika uhandisi wa kijamii. 

Sasi anasema kwamba mshambulizi lazima kwanza amshawishi mwathirika kupiga nambari inayoanza na nambari ya Man Machine Interface (MMI) iliyowekwa na mtoa huduma wa seli ili kuruhusu usambazaji wa simu. Kulingana na mtoa huduma wa rununu, nambari tofauti ya MMI inaweza kutuma simu zote kwenye terminal kwa nambari tofauti au tu wakati laini ina shughuli nyingi, au hakuna mapokezi yoyote. 

Nyota (*) au ishara ya hash (#) hutangulia nambari hizi. Wao ni rahisi kupata, na kulingana na utafiti wao, wanasaidiwa na flygbolag zote kuu za mtandao wa simu. "Kwanza, unapokea simu kutoka kwa mshambuliaji ambaye atakushawishi kupiga simu kwa nambari ifuatayo **67* au *405*. Ndani ya dakika chache, WhatsApp yako ingefunguliwa, na washambuliaji watapata udhibiti kamili wa akaunti yako," alisema Rahul Sasi. 

Kulingana na mtafiti, nambari ya tarakimu 10 inalingana na mshambuliaji. Nambari ya MMI mbele yake inaelekeza mtoa huduma wa simu kuelekeza simu zote kwa nambari ya simu iliyotolewa baada yake ikiwa laini ya mwathirika ina shughuli nyingi. Mshambuliaji huyo anaanza utaratibu wa usajili wa WhatsApp kwenye simu janja ya mwathiriwa baada ya kuwarubuni katika kusambaza simu kwa nambari yao. Wanachagua chaguo la kupata OTP kupitia simu ya sauti. 

Baada ya kupata msimbo wa OTP, mshambulizi anaweza kutumia simu yake mahiri kusajili akaunti ya WhatsApp ya mwathirika na kutekeleza uthibitishaji wa sababu mbili (2FA), kuzuia wamiliki halisi kupata ufikiaji wa nyuma.

Wakati wa majaribio, iligunduliwa kuwa wakati utaratibu unaonekana kuwa rahisi, kuipata kufanya kazi inachukua juhudi zaidi. Kwanza kabisa, mshambulizi lazima atumie nambari ya MMI ambayo hutuma simu zote bila kujali hali ya kifaa lengwa (bila masharti). Kusubiri simu kunaweza kusababisha utekaji ( hijack )nyara kushindwa ikiwa MMI inatuma tu simu wakati namba ya simu inatumika ( busy ).

Wakati wa majaribio, ilibainika kuwa kifaa kilicholengwa pia kilikuwa kinapokea ujumbe wa maandishi ukiiambia kuwa WhatsApp yake ilikuwa ikitumiwa kwenye kifaa kingine. Watumiaji wanaweza kukosa onyo ( Warning ) ikiwa mshambulizi anatumia uhandisi wa kijamii ( Social engineering ) na kumshirikisha mwathirika katika mazungumzo ya simu kwa muda mrefu tu ili kupata msimbo ( Code ) wa WhatsApp OTP kwa sauti.  

Ikiwa usambazaji wa simu ( Call forwarding ) tayari umewezeshwa kwenye kifaa cha mwathirika, mdukuzi atahitaji kupiga nambari tofauti ya simu kuliko ile inayotumiwa kwa uelekezaji upya. Kero hii ndogo inaweza kuhitaji uhandisi zaidi wa kijamii ( Social engineering ) . Kama uanzishaji unakuja na onyo lililozidiwa kwenye skrini ambayo haiendi hadi mtumiaji akubali, ishara ya wazi zaidi ya tabia ya shaka kwa mtumiaji anayelengwa ni wakati wabebaji wa simu wanabadilisha usambazaji wa simu ( Call forwarding ) kwa kifaa chao. 

Watendaji wa vitisho wana nafasi nzuri ya kufanikiwa hata kwa onyo hili maarufu kwani watumiaji wengi hawajui nambari za MMI au mipangilio ya simu ya rununu ambayo inakataza usambazaji wa simu. Licha ya vikwazo hivi, wadanganyifu wenye ujuzi bora wa uhandisi wa kijamii ( Social engineering ) wanaweza kuweka hali ya kumfanya mwathirika achukue simu hadi wapokee nambari ya OTP ya kusajili akaunti ya WhatsApp ya mwathirika kwenye kifaa chao. 

Wakati mkakati huu ulijaribiwa kwa kutumia mitandao ya seli ya Verizon na Vodafone, iligunduliwa kuwa mshambulizi aliye na hali halisi alikuwa na uwezekano mkubwa wa kuteka akaunti za WhatsApp.

 Kwa mujibu wa takwimu za umma, chapisho la Sasi linahusu Airtel na Jio, waendeshaji wawili wa simu za mkononi wenye watumiaji karibu milioni 400 kufikia Desemba 2020. Ni rahisi kama kuwasha ulinzi wa uthibitishaji ( two-factor authentication protection ) wa sababu mbili za WhatsApp ili kujilinda dhidi ya aina hii ya shambulio. Kwa kudai PIN kila wakati watumiaji wanaposajili simu na programu ya kutuma ujumbe, kipengele hiki kinazuia watendaji wabaya kupata udhibiti wa akaunti. 

Usisahau kushare elimu hii na marafiki




Labels:

Comments

Post a Comment

Popular posts from this blog

Jinsi ya kuhifadhi contacts katika akaunt ya Google (How to Backup Contacts to Google Drive)

  How to Backup Contacts to Google Drive “Don’t overload your heart by learning all the contacts when you can rest this task on new technological solutions.” – Anonymous Well, there is an automatic syncing feature for data backup to Google on an Android phone. So, it's a default feature of Google Drive, specifically in Android phones. However, the core concept lies in knowing how to backup contacts to Google Drive in a separate folder. Furthermore, it would help if you did the entire thing manually with regards to the iPhone. Most importantly, Google Drive is free to use, accessed by the current Google account. So, why won't you take benefits of such a top-notch Google's product service? However, please note that Google is prone to hacking unless you are using a robust security system. Also, the server speed slows down when millions of users upload and download things simultaneously. So, kindly take note of these facts before you learn how to save contacts in Google Drive. ...
Post a Comment
Read more

VIRUTUBISHI , MAKUNDI YA VYAKULA NA MLO KAMILI

  VIRUTUBISHI,MAKUNDI YA VYAKULA NA MLO KAMILI Utangulizi: Chakula ni muhimu kwa binadamu wote. Chakula huupatia mwili virutubishi mbalimbali kwa ajili ya kuuwezesha kufanya kazi mbalimbali. Ili kuwa na hali nzuri ya lishe ni vyema kuzingatia ulaji unaofaa ikiwa ni pamoja na mlo kamili. Ulaji unaofaa ni muhimu kwa watu wote. Ulishaji unaofaa kwa watoto kulingana na umri ni muhimu hasa kwa ukuaji na maendeleo yao. Maana ya maneno yanayotumika katika masuala ya lishe Chakula   ni kitu chochote kinacholiwa na kuupatia mwili virutubishi mbalimbali. Chakula huupatia mwili nguvu, kuulinda na kuukinga dhidi ya maradhi mbalimbali. Mfano wa chakula ni ugali, wali, maharagwe, ndizi, viazi, mchicha, nyama, samaki, matunda n.k. Lishe   ni mchakato unaohusisha hatua mbalimbali za jinsi mwili unavyokitumia chakula kilicholiwa. Hatua hizi ni kuanzia chakula kinapoliwa, jinsi mwili unavyokisaga na kukiyeyusha, umetaboli na hatimaye virutubishi kufyonzwa na kutumika mwilini. Virutubish i...
Post a Comment
Read more

How to live longer

  How to live longer: The cholesterol-lowering fruit that could ward off high blood pressure HIGH blood pressure and high cholesterol are often found operating in conjunction with one another. When left untreated, both conditions can set the stage for serious heart complications, making them risk factors for premature death. One fruit, however, has been shown to offer drastic improvements for both conditions. Evidence to support the health benefits of eating fruits and vegetables keeps piling in. Studies have identified excess body fat as one of the dominant predisposing factors to blood pressure elevation. Therefore, eating a diet rich in whole grains, fruits, vegetables and low-fat dairy can also lower blood pressure. Apples, in particular, contain many of the elements that could help stave off further complications down the road. High cholesterol: Apples could help lower LDL levels  (Image: Getty ) Apples provide minerals such as potassium and substances called flavonoids, ...
Post a Comment
Read more