New GhostPairing Scam Hijacks WhatsApp Accounts via Device-Linking Abuse

Cybersecurity researchers have identified a deceptive new campaign called GhostPairing that hijacks WhatsApp accounts by exploiting the platform's legitimate device-linking feature. This attack is particularly dangerous because it does not require the attacker to steal a password or perform a SIM swap. Instead, it relies on tricking the user into authorizing a new session themselves. 

How the GhostPairing Attack Unfolds

The scam usually begins with a message from a trusted contact, making it difficult to spot. The message often contains a short, informal lure such as "Hey, I just found your photo!" and includes a link that appears to be a Facebook content preview.

When a victim clicks the link, they are taken to a fake Facebook-branded page that claims they must "verify" their identity before viewing the photo. This page asks for the user's phone number. Once provided, the attacker uses that number to trigger a legitimate WhatsApp "link with phone number" request from their own browser.

WhatsApp then generates a pairing code and sends it to the victim's phone. The phishing site displays this same code back to the victim, instructing them to enter it into their WhatsApp app to complete the verification. In reality, entering this code approves the attacker's browser as a new linked device on the victim's account.

The Impact of a Compromised Account

Once the attacker’s device is linked, they gain nearly total access to the account. This includes:

  • Real-time monitoring: Reading incoming and outgoing messages as they happen.
  • Media access: Viewing and downloading shared photos, videos, and voice notes.
  • Impersonation: Sending messages to the victim’s contacts or groups.
  • Lateral spread: Using the compromised account to forward the same malicious lure to friends and family, allowing the scam to spread like a snowball.

Because the victim's primary phone continues to work normally, many remain completely unaware that a "ghost" device is active in the background, observing their private conversations.

Protection and Detection

The most effective way to detect this compromise is to manually review your active sessions. You can do this by going to Settings, then Linked Devices. If you see any browser or device that you do not recognize, log it out immediately to sever the attacker's access.

To prevent such attacks, researchers recommend the following:

  • Enable Two-Step Verification: This adds a required PIN for any new login or re-registration.
  • Question Unexpected Codes: Legitimate websites will never ask you to enter a WhatsApp pairing code to view external content.
  • Stay Cautious: Even if a message comes from a friend, be wary of unexpected links that demand immediate action or "verification."

While the campaign was initially detected in Czechia, the underlying kit is easily adaptable, making it a global threat to messaging security.
