A new campaign named "GhostPairing" abuses WhatsApp's legitimate device-linking feature to hijack user accounts without the attacker ever needing to authenticate. Attackers initiate contact by sending a deceptive link, often disguised as a Facebook photo preview, to the victim from a compromised or spoofed contact. Clicking the link takes the user to a fraudulent webpage that mimics a Facebook login and verification flow.
Instead of a real login, the victim is tricked into entering their phone number, which the attacker uses to trigger WhatsApp's device-pairing workflow for that number. The fake page then displays a genuine pairing code generated by WhatsApp. When the victim enters this code, believing it to be part of the verification, they inadvertently link the attacker's browser to their WhatsApp account. This gives the attacker full, real-time access to messages, media, and contacts.
The compromised accounts are then used to spread the attack further by sending the same lure to the victim's contacts. Many victims remain unaware of the breach, because the attacker operates silently in the background and the victim's own session keeps working. To check for compromise, users should regularly review the linked devices list in WhatsApp settings and log out any device they do not recognize. Enabling two-factor authentication and treating unsolicited verification or pairing requests with suspicion are crucial defensive measures.
