
Hackers Use Call Forwarding to Take Over WhatsApp Accounts



An attacker can hijack a victim's WhatsApp account and gain access to their private messages and contacts through a simple trick. The method relies on the automatic call-forwarding service offered by mobile carriers and on WhatsApp's option to deliver the one-time password (OTP) verification code by voice call.

According to Rahul Sasi, founder and CEO of CloudSEK, a digital risk protection company, the technique is being used to hijack WhatsApp accounts. When tested, the method was found to work, though with several obstacles that a sufficiently experienced attacker can get around. Attackers can take over a victim's WhatsApp account in just a few minutes, but they must first obtain the target's phone number and be prepared to engage in social engineering.

Sasi says the attacker must first convince the victim to dial a number that begins with a Man Machine Interface (MMI) code defined by the mobile carrier to enable call forwarding. Depending on the carrier, different MMI codes can forward all calls arriving at the handset to another number, or forward them only when the line is busy or has no reception.

These codes are preceded by an asterisk (*) or a hash sign (#). They are easy to find and, according to the research, are supported by all major mobile network carriers. "First, you receive a call from the attacker who will convince you to make a call to the following number **67* or *405*. Within a few minutes, your WhatsApp would be unlocked, and the attackers would get complete control of your account," said Rahul Sasi.

According to the researcher, the 10-digit number belongs to the attacker. The MMI code in front of it instructs the carrier to forward all calls to the phone number given after it whenever the victim's line is busy. Having tricked the victim into forwarding calls to their number, the attacker starts the WhatsApp registration process for the victim's phone and chooses the option to receive the OTP by voice call.

After obtaining the OTP code, the attacker can use their own smartphone to register the victim's WhatsApp account and enable two-factor authentication (2FA), preventing the legitimate owner from regaining access.

During testing, it was found that while the procedure appears simple, getting it to work takes more effort. First of all, the attacker must use an MMI code that forwards all calls regardless of the target device's state (unconditionally). Call waiting can cause the hijack to fail if the MMI code only forwards calls when the line is busy.
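The distinction the article draws between conditional and unconditional forwarding codes is something a dialer app or carrier help desk could check for before a call-forwarding code is sent to the network. The following classifier is an added example, not part of the original post or of CloudSEK's research; the service-code meanings come from the standard GSM supplementary-service numbering, while `405` is treated as the carrier-specific prefix the article mentions, with its exact condition assumed unknown.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Standard GSM / 3GPP call-forwarding service codes (3GPP TS 22.030).
FORWARDING_SERVICE_CODES = {
    "21": "unconditional",
    "67": "when busy",
    "61": "when not answered",
    "62": "when not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}
# Carrier-specific prefix named in the article; condition is an assumption here.
CARRIER_SPECIFIC_CODES = {"405": "carrier-specific forwarding (condition unknown)"}

# Leading characters select the procedure applied to the service code.
PROCEDURE = {"**": "register", "*": "activate", "#": "deactivate",
             "##": "erase", "*#": "interrogate"}

# <procedure><service code>[*<forward-to number>][#]
_MMI_RE = re.compile(r"^(\*\*|\*#|##|\*|#)(\d{2,3})(?:\*(\+?\d{1,20}))?#?$")


@dataclass
class ForwardingRequest:
    procedure: str
    condition: str
    target: Optional[str]
    # True when dialing the string would start routing the victim's
    # incoming calls (including an OTP voice call) to another number.
    redirects_calls: bool


def classify_dial_string(dialed: str) -> Optional[ForwardingRequest]:
    """Return details if `dialed` is a call-forwarding MMI code, else None."""
    compact = re.sub(r"[\s-]", "", dialed)
    match = _MMI_RE.match(compact)
    if not match:
        return None
    proc, service_code, target = match.groups()
    condition = (FORWARDING_SERVICE_CODES.get(service_code)
                 or CARRIER_SPECIFIC_CODES.get(service_code))
    if condition is None:
        return None  # some other MMI/USSD code, e.g. a balance check
    procedure = PROCEDURE[proc]
    redirects = procedure in ("register", "activate") and target is not None
    return ForwardingRequest(procedure, condition, target, redirects)
```

Strings such as `*#21#` or `##002#` are recognised as forwarding codes but flagged as harmless, since they only query or clear forwarding; a plain 10-digit number or a balance-check code returns `None`.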

During testing it was also observed that the targeted device received a text message saying that its WhatsApp account was being used on another device. Users may miss this warning if the attacker uses social engineering to keep the victim on a phone conversation just long enough to receive the WhatsApp OTP code by voice.

If call forwarding is already enabled on the victim's device, the attacker would need to use a phone number different from the one already used for the redirection. This minor nuisance may require more social engineering. Since activation comes with an overlaid warning on the screen that does not go away until the user acknowledges it, the clearest sign of suspicious activity for the targeted user is when the carrier switches on call forwarding on their device.

Threat actors have a good chance of succeeding even with this prominent warning, because many users are unaware of MMI codes or of the mobile phone settings that block call forwarding. Despite these obstacles, fraudsters with strong social-engineering skills can craft a scenario that keeps the victim on the call until they receive the OTP code needed to register the victim's WhatsApp account on their own device.

When this technique was tested on the Verizon and Vodafone cellular networks, it was found that an attacker with a realistic scenario would most likely be able to hijack WhatsApp accounts.

According to public figures, Sasi's post concerns Airtel and Jio, two mobile operators with close to 400 million users as of December 2020. Protecting yourself against this type of attack is as simple as turning on WhatsApp's two-factor authentication protection. By requiring a PIN every time a user registers a phone with the messaging app, this feature stops malicious actors from gaining control of the account.

Don't forget to share this knowledge with your friends.
