The Digital Ambush: NetOne Signaling Flaw and WhatsApp Account Interception

Detailed analysis of a cyber attack targeting NetOne users in Zimbabwe, utilizing advanced network signaling flaws to intercept verification calls and exploit WhatsApp's rate limits.

Oct 20, 2025 - 11:41
Oct 20, 2025 - 13:02

A critical new cyber threat has surfaced in Zimbabwe, primarily targeting users of the NetOne mobile network. This is not a simple case of physical SIM card fraud; instead, evidence points toward a sophisticated technical exploitation of the mobile network’s core signaling and call routing mechanisms.

The resulting attack chain is highly effective: it locks legitimate users out of their WhatsApp accounts by preventing crucial security codes from ever reaching their device.

The Incident: A First-Hand Account from Zimbabwe

The incidents begin with the user suddenly finding themselves logged out of their WhatsApp account, followed by their own physical SIM card failing, often "no longer showing network in user's device."

At this point, the attackers have taken over the number. When the legitimate user attempts to log back into WhatsApp, they encounter a critical, frustrating roadblock: the One-Time Password (OTP) SMS never arrives. They are instead met with a time-based lockout warning: "requested too many times try again after 6 hours etc."

Attempts to resolve the issue via Meta’s automated support systems were largely ineffective. In the reported cases, recovery came only when the user managed to log in using the Missed Call Verification method after an unspecified period, which raises questions about what actually enabled the recovery.

Phase One: The Network Signaling Interception Flaw

The core of this attack is not porting the number via a corrupt employee, but rather exploiting flaws in the Mobile Switching Center (MSC) or international gateway (VoIP) call routing. The attacker is not physically swapping the SIM; they are telling the network that the verification call or SMS should be routed elsewhere.

The Evidence of Signaling Vulnerability

Observations made by the Digital Vocano Cyber Security Team while investigating the reported case, which involved a variety of tests with international calls, provide the smoking gun for this hypothesis:

  1. Caller ID Spoofing/Manipulation: When a user calls the NetOne victim number from an international VoIP source (e.g., South Africa's +27), the recipient sees the Caller ID as the local +263 format. This suggests the international gateway or a misconfigured third-party service is manipulating the Caller Line Identification (CLI) data.
  2. Call Misrouting: The most critical sign is that the call is sometimes "lost to someone else" or simply disappears from the legitimate owner’s phone. This indicates a deep-seated flaw in the network’s Global Title Translation (GTT) or routing tables, allowing external entities to temporarily re-route the call path.
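
Both observations can be expressed as checks a carrier could run over its gateway call records. The following Python is an added example, not code from the investigation or from NetOne; the record layout, trunk names and phone numbers are constructed for illustration.

```python
import csv
import io

HOME_CC = "+263"  # Zimbabwe country code, as in the article

# Constructed gateway call records; field names and numbers are hypothetical.
SAMPLE_CDRS = """\
ts,ingress_trunk,cli,called,delivered_to,subscriber_fwd
2025-10-18T09:14:02,INTL-ZA-01,+27115550100,+263710000001,+263710000001,N
2025-10-18T09:15:40,INTL-ZA-01,+263710000099,+263710000001,+263710000001,N
2025-10-18T09:17:11,INTL-ZA-01,+27115550100,+263710000001,+263710000555,N
2025-10-18T09:19:30,INTL-ZA-01,+27115550100,+263710000002,+263710000777,Y
2025-10-18T09:20:55,NATL-01,+263710000042,+263710000001,+263710000001,N
"""

def flag_record(rec):
    """Return the list of anomaly labels for one call record."""
    reasons = []
    international = rec["ingress_trunk"].startswith("INTL-")
    # Observation 1: a call entering on an international trunk presents a
    # domestic CLI. Legitimate outbound roamers also look like this, so a
    # production check would first consult roaming status.
    if international and rec["cli"].startswith(HOME_CC):
        reasons.append("DOMESTIC_CLI_ON_INTL_TRUNK")
    # Observation 2: the call was delivered to a number other than the one
    # dialled, and the subscriber has not provisioned forwarding.
    if rec["delivered_to"] != rec["called"] and rec["subscriber_fwd"] != "Y":
        reasons.append("UNEXPLAINED_REDIRECT")
    return reasons

def analyze(cdr_text):
    """Parse CSV call records; return (ts, called, reasons) for flagged calls."""
    findings = []
    for rec in csv.DictReader(io.StringIO(cdr_text)):
        reasons = flag_record(rec)
        if reasons:
            findings.append((rec["ts"], rec["called"], reasons))
    return findings

if __name__ == "__main__":
    for ts, called, reasons in analyze(SAMPLE_CDRS):
        print(ts, called, ",".join(reasons))
```
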

How the WhatsApp Account is Hijacked

This sophisticated interception mechanism bypasses standard physical security. Instead of relying on a physical SIM swap:

  • SMS Interception: The flaw allows the attacker to temporarily redirect the destination of SMS messages—including the WhatsApp OTP—to an attacker-controlled gateway.
  • Voice Verification Interception: When the initial SMS fails, WhatsApp attempts to verify via a quick Voice Call. The attacker exploits the routing flaw to divert this single verification call to their own device/gateway, allowing them to answer the call, hear the 6-digit code, and complete the account takeover.

Crucially, the user's SIM card stops working because the network, at a deep signaling level, recognizes the number as being temporarily registered or forwarded to a new destination—the attacker’s intercept point.

Phase Two: Weaponizing the Digital Lockout (Rate Limit Exploitation)

Once the attacker has gained control and logged in, they execute a tactical lockout designed to prevent the victim from immediately reclaiming the account.

When the legitimate user attempts to log back in, they are blocked by the warning: "requested too many times try again after 6 hours etc."

This is a deliberate exploitation of WhatsApp’s rate limiting security feature. After the initial takeover, the attacker executes multiple, rapid, failed registration attempts. This triggers WhatsApp’s system to perceive a high volume of failed attempts, resulting in the time-based lock on that number.

This maneuver guarantees the attacker a secure, uninterrupted time window—up to several hours—to execute fraud, read private messages, or initiate identity theft before the legitimate user can even attempt another login.

Comprehensive Mitigation and Recovery Protocol

Combating this hybrid threat requires a layered defense, addressing both the carrier and application vulnerabilities.

Carrier and Platform Security (Prevention)

| Protection Layer | Action Required | Objective | Targeted Vulnerability |
|---|---|---|---|
| MNO/Carrier Security | Set a mandatory Carrier/SIM Lock PIN or Port Freeze. | Prevents unauthorized SIM card issuance/porting without a unique, secret PIN. | Insider Collusion and Social Engineering |
| WhatsApp Security | Immediately enable Two-Step Verification (2FA PIN) and link a recovery email. | Neutralizes intercepted SMS OTPs, as the PIN is required after the 6-digit code. | SMS/Call OTP Interception |
| Account Security | Set a unique, complex Voice Mail PIN and disable remote access/management of call forwarding/voicemail settings. | Attackers often use voicemail access to retrieve verification codes left by automated calls. | Voice Mail Exploitation |

Immediate Recovery Steps

Rapid action is paramount upon suspicion of a SIM swap:

  1. Confirm SIM Failure & Contact MNO: If your phone suddenly loses connectivity ("No Signal"), immediately use a separate device to call NetOne. Report the unauthorized SIM swap and request that the number be deactivated or locked against any further changes.
  2. Attempt WhatsApp Re-registration: Reinstall or open WhatsApp and attempt to register your number. A successful registration with a new 6-digit code will automatically log the attacker off, as WhatsApp permits only one active device per number.
  3. Respect the Lockout Timer: If you receive the "try again after 6 hours" message, you must wait for the timer to expire. Repeated, frantic attempts to register will only prolong the mandatory waiting period.
  4. Utilize Missed Call Verification (MCV): Once the timer resets, specifically choose the Missed Call or Voice Call option to verify your number. Ensure the WhatsApp application has the required device permissions (Call Log access) enabled, leveraging the method’s reliance on physical device presence to secure the account.

In conclusion, the incident targeting NetOne users serves as a potent reminder that digital security relies on the weakest link in the chain—which, in this case, is often the mobile carrier's internal processes. While platform security measures like rate limits can be exploited, user-side activation of strong defenses, particularly the WhatsApp 2FA PIN, remains the single most effective barrier to prevent a simple SIM swap from turning into a complete digital catastrophe.
