
[CIAD-2025-0055] WhatsApp Account takeover campaign (GhostPairing)
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: High
Description
It has been reported that malicious actors are exploiting WhatsApp’s device-linking feature to hijack accounts using pairing codes, without any further authentication being required. This newly identified cyber campaign, called GhostPairing, enables cybercriminals to take complete control of WhatsApp accounts without needing passwords or SIM swaps.
The campaign usually begins with victims receiving a message, such as ‘Hi, check this photo’, from a trusted contact. The message contains a link with a Facebook-style preview. The link leads to a fake Facebook viewer that prompts users to ‘verify’ to see the content. Here the attackers exploit WhatsApp’s ‘link device via phone number’ feature by tricking unsuspecting users into entering their phone number.
By following a short, seemingly harmless sequence of steps, victims unknowingly grant attackers full access to their WhatsApp accounts, without any password theft or SIM swapping. In a nutshell, the GhostPairing attack tricks users into granting an attacker’s browser access as an additional trusted and hidden device, by using a pairing code that looks authentic.
Once the attacker links their device, they get almost the same access you would have on WhatsApp Web:
They can read messages that sync to their device
They receive new messages in real time
They can view photos, videos, and voice notes
They can send messages as you
They can message your contacts and group chats
After taking over one account, attackers use it to send messages to the contacts of the victim.
Recommendations
It is recommended to take the following actions to mitigate risks associated with account compromise or takeovers:
For Individuals
Do not click suspicious links even if they come from known contacts.
Never enter your phone number on external sites claiming to be WhatsApp/Facebook.
Check Linked Devices regularly in WhatsApp:
Open WhatsApp and go to:
Settings – Linked Devices
If you see any device you don’t recognize, log it out immediately.
For Organizations
Provide security awareness training focused on messaging-app attacks.
Enforce mobile device management (MDM) where applicable.
Monitor for phishing and social engineering indicators.
Incident Response: Establish protocols for rapid detection and remediation.
References
Avast
https://blog.avast.com/blog/onlinescams/whatsapppairingscam
CERT-In
Securing social media accounts
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2024-0006
Preventing Online scams
https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2024-0050
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


