Listen to this Post
Introduction:
A new, low-tech fraud technique exploiting fundamental telecom features is bypassing modern digital security measures. By socially engineering victims into dialing specific USSD codes, criminals silently redirect call-based one-time passwords (OTPs) and verification calls, leading to wholesale account takeover. This alert from the Ministry of Home Affairs highlights a critical vulnerability that exists at the intersection of telecommunications and digital authentication.
Learning Objectives:
- Understand the technical mechanism of USSD-based call-forwarding fraud.
- Learn how to detect if call forwarding has been maliciously activated on a device.
- Implement immediate mitigation and digital forensic steps for incident response.
- Develop client and public awareness strategies to combat this social engineering threat.
- Analyze the legal and regulatory implications of such telecom-enabled cybercrime.
You Should Know:
1. Deconstructing the USSD Call-Forwarding Hack
This scam is a masterclass in social engineering that exploits a legitimate telecom feature: Unstructured Supplementary Service Data (USSD) codes. These are real-time, session-based codes used to interact with your mobile carrier’s service menu. Fraudsters, often posing as delivery agents or bank officials, convince the victim to dial a code like `21<10-digit fraudster number>` or 67<10-digit fraudster number>. Upon execution, this activates unconditional call forwarding, sending all incoming voice calls—including critical bank OTP calls—to the criminal’s number.
Step-by-step guide explaining what this does and how to use it:
Step 1: The Hook. The victim receives a call alleging a failed delivery, suspicious transaction, or service update.
Step 2: The Social Engineering. The caller builds urgency and trust, guiding the victim to the phone’s dialer.
Step 3: The Payload Execution. The victim is told to dial a “verification” or “cancellation” code (e.g., `219876543210` and press call).
Step 4: Silent Activation. The mobile network instantly activates call forwarding to the embedded number. No app install, no internet, no visible sign on the victim’s phone.
Step 5: Account Takeover. The attacker then triggers “Forgot Password” or login attempts on the victim’s banking/gmail/social media accounts. The system calls the victim’s number with an OTP, but the call is transparently forwarded to the attacker, who completes the authentication.
2. Key USSD Codes for Detection and Mitigation
Knowledge of these codes is your first line of defense. They are universal across telecom operators but may have slight variations.
Step-by-step guide explaining what this does and how to use it:
To Check Current Call-Forwarding Status:
Dial `21` and call: Checks unconditional call forwarding.
Dial `61` and call: Checks call forwarding when busy.
Dial `62` and call: Checks call forwarding when unreachable.
Dial `67` and call: Checks call forwarding when no answer.
Expected Output: The network will reply with an SMS or voice message stating the number calls are forwarded to, or “Not set.”
To Deactivate All Call Forwarding Immediately:
The Nuclear Option: Dial `002` and call. This deactivates all conditional and unconditional call forwarding.
Specific Deactivation:
Deactivate unconditional: `21`
Deactivate if busy: `61`
Deactivate if unreachable: `62`
Deactivate if no answer: `67`
Verification: Always follow up with the status check codes above to confirm deactivation.
3. Digital Forensic Triage for a Compromised Device
If you suspect an account has been hijacked via this method, immediate forensic triage is crucial.
Step-by-step guide explaining what this does and how to use it:
1. Isolate the Device: Do not turn it off. Note the time of the suspicious call.
2. Document Call Logs: Screenshot the recent call log showing the attacker’s initial call. This is crucial evidence.
3. Check USSD History: On Android, some dialer apps log USSD interactions. Check Dialer > Menu > Settings > Call Settings > USSD Settings. On iOS, this is not directly accessible but can be inferred from call logs.
4. Secure Accounts: Using a clean, trusted device (not the potentially compromised phone), immediately log into critical accounts (email, bank, social media), review active sessions, and log out all other devices. Change passwords using a strong, unique password and enable authenticator app-based 2FA instead of SMS/call-based 2FA.
5. Preserve Evidence: For formal investigations, a physical forensic dump of the device will be needed to recover the exact USSD code dialed from memory artifacts.
4. Hardening Authentication and Client Advisory
Move clients and organizations beyond vulnerable SMS/Call OTP for high-value accounts.
Step-by-step guide explaining what this does and how to use it:
For IT Administrators (Azure AD Example):
`Set-MsolUser -UserPrincipalName [email protected] -StrongAuthenticationRequirements @{}`
This is a placeholder to show policy scope. In reality, navigate to Azure Portal > Azure AD > Security > Authentication methods > Policy. Disable “Voice call” for users and enforce Microsoft Authenticator or FIDO2 security keys.
For Public Awareness: Create a one-page advisory:
“Your bank will NEVER ask you to dial a or code.”
“Legitimate OTPs are for incoming SMS/ Calls. You should never have to dial out a code to receive one.”
“If uncertain, hang up and call back on the official customer service number listed on the institution’s website or your card.”
5. Legal and Regulatory Reporting Protocol
This scam creates a clear chain of liability involving telecom providers and financial institutions.
Step-by-step guide explaining what this does and how to use it:
1. First Information Report (FIR): File at the local cyber crime police station. Include the attacker’s phone number, your number, bank account details, time of fraud, and screenshots of call logs and unauthorized transactions.
2. Report to the Bank: Immediately call the 24-hour fraud helpline, followed by a written complaint. Under RBI guidelines, the bank is liable for unauthorized digital transactions unless proven customer negligence.
3. Report to the Telecom Provider: File a complaint with the service provider (Airtel, Jio, Vi, etc.) providing the same details. Demand logs of the call-forwarding activation request, which will show the destination number (attacker’s number).
What Undercode Say:
- The Lowest-Tech Attacks Bypass the Highest-Tech Defenses. This scam is a stark reminder that security chains are only as strong as their most socially manipulable link—the human. It bypasses advanced malware detection, firewalls, and complex cryptography by abusing a decades-old telephony feature.
- Legal Precedent is Crucial. Establishing telecom provider liability for not implementing confirmatory alerts for USSD-based call-forwarding changes could force systemic changes, much like the “Do Not Disturb” regulations. Cyber advocacy must push for technical safeguards at the network level.
Analysis:
This advisory signifies a pivot in the cybercrime landscape. Fraudsters are moving “up the stack” to exploit the foundational protocols that underpin digital trust. The attack is elegantly simple, low-cost, and devastatingly effective because it targets the universal trust in voice calls. It exposes a critical flaw in two-factor authentication that relies on the Public Switched Telephone Network (PSTN), which was never designed with security in mind. The mitigation requires a multi-pronged approach: technical (disabling vulnerable 2FA methods), procedural (enhanced customer verification by banks/courier services), and legal (holding telecoms accountable for silent service alterations). Proactive education is the immediate shield, but systemic change in telecom security protocols is the necessary long-term sword.
Prediction:
We will see a rapid evolution of this attack vector. Expect hybrid scams where USSD forwarding is combined with SIM swap attacks for redundancy, or where victims are tricked into enabling forwarding for specific conditions (like `61` for when busy) to make the fraud less immediately detectable. Sophisticated actors may use this as the first step in Business Email Compromise (BEC) schemes, by first taking over a mobile number to reset email passwords. The regulatory response will likely mandate a delayed activation or dual-authorization for USSD-based forwarding changes, similar to port-out requests. Furthermore, banks and fintech apps will be forced to accelerate the deprecation of voice-based OTPs in favor of push notifications and hardware security keys, fundamentally reshaping the authentication landscape.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Tulsiram Sharma – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
