
WhatsApp users are sharing their accounts with hackers, who trick them into completing what appears to be a routine verification process. Victims silently approve attacker-controlled devices, granting nearly full access, Gen Digital researchers warn.
The attack often begins with a short message from a known WhatsApp contact. The sender claims they’ve found the target’s photo or seen them in the local news and includes a link.
While never clicking any suspicious links should be an instinct by now, many people still fall for this and land on highly convincing lure pages.
The malicious website closely imitates a Facebook content viewer. However, before showing the content, it asks the targets to verify. This page doesn’t ask for a password, only a phone number.
If the victim proceeds by entering their phone number, a prompt appears on their device, asking them to enter a code. The fake Facebook page, at the same time, displays the code the victim is supposed to enter. Many people just enter the provided code without much thought.
By entering that code, the victims unknowingly approve WhatsApp’s request to link the new device (browser) – the one controlled by attackers.
Although the phone notification clearly states “Enter code to link new device,” many victims overlook it. Entering two-factor authentication codes has become a common routine, and this sequence resembles a legitimate authentication flow.
“For many users, the idea that ‘Facebook wants you to confirm something in WhatsApp’ does not sound obviously wrong. Codes and QR scans have become part of everyday online life, especially on mobile,” Gen Digital, a cybersecurity company, writes in the report about the novel account takeover campaign, which it dubbed “GhostPairing.”
A phone number is all it takes for attackers to begin a device linking (pairing) sequence. By entering the attacker-provided code, users grant hackers persistent access. Many may not even be aware of someone else using their account.
What can hackers do with this access?
Linked devices have nearly complete access to account data, gaining the same capabilities as any user when using WhatsApp on their phone or computer.
Hackers can sync and read historical conversations, receive messages in real-time, and view any media, including photos, videos, or voice notes. They can exfiltrate sensitive information, such as email addresses, codes, and links.
They are also sending messages to other individuals or groups to advance the scam, forwarding similar lures to other contacts.
“This is not traditional account hijacking in the sense of changing passwords or locking the owner out. The phone continues to work normally,” the researchers explain.
“Many victims are unaware that a second device has been added in the background, which is what makes the scam even more dangerous – criminals are hiding in your account, watching your every conversation without you even knowing it.”
Real relationships make the scam very effective, because all the recipients see is a short, informal message coming from someone they know.
Researchers believe attackers are using automated kits to propagate the spam and infect many people.
The only way to remove the cybercrooks is to go to Settings and unlink any unknown devices. To do this, open WhatsApp and go to Settings, select Linked Devices, review the list of active sessions, and log out of anything you don’t recognize.
“They remain active until manually revoked. If there is no habit of checking the list of connected WhatsApp devices, an attacker can remain connected for a long time,” the report reads.
The researchers warn that device linking can also be initiated by scanning a QR code, and recommend that users treat any similar requests as suspicious.
However, they also urge platforms to review the device linking flow and add clearer messaging and better context, such as showing the device type, browser, approximate location, and the fact that the request originated from a website.
“Rate-limiting device linking attempts, especially those that involve many different phone numbers from the same infrastructure, would raise the cost for attackers,” the report suggests.
These attacks are not limited to WhatsApp – many other apps and services that allow device pairing through QR or numeric codes might also be vulnerable to this technique, which gives attackers access with minimal technical work.
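The rate-limiting recommendation quoted above, sketched as an added example (not code from Gen Digital's report or from WhatsApp): a sliding-window limiter that refuses a pairing code when one source has requested linking for too many distinct phone numbers. The class name, thresholds, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class PairingRateLimiter:
    """Limit device-link requests per source by distinct target phone numbers."""

    def __init__(self, max_distinct_numbers=3, window_seconds=3600):
        self.max_distinct = max_distinct_numbers  # assumed threshold
        self.window = window_seconds              # assumed window length
        self._events = defaultdict(deque)         # source -> deque[(time, phone)]

    def _distinct_in_window(self, source, now):
        events = self._events[source]
        # Drop requests that have aged out of the sliding window.
        while events and events[0][0] <= now - self.window:
            events.popleft()
        return {phone for _, phone in events}

    def allow(self, source, phone, now):
        """Return True if a pairing code may be issued to `source` for `phone`."""
        seen = self._distinct_in_window(source, now)
        # A user retrying their own number never adds a new distinct target;
        # infrastructure cycling through many victims' numbers does.
        if phone not in seen and len(seen) >= self.max_distinct:
            return False
        self._events[source].append((now, phone))
        return True


def replay(events, limiter):
    """Return the (time, source, phone) events the limiter refuses."""
    return [e for e in events if not limiter.allow(e[1], e[2], e[0])]


# Constructed sample events: (unix_time, source_ip, phone_number).
SAMPLE_EVENTS = [
    (1000, "198.51.100.20", "+15550100"),
    (1030, "198.51.100.20", "+15550100"),  # same user retrying one number
    (1100, "203.0.113.7", "+15550101"),
    (1110, "203.0.113.7", "+15550102"),
    (1120, "203.0.113.7", "+15550103"),
    (1130, "203.0.113.7", "+15550104"),    # fourth distinct number: refused
    (1140, "203.0.113.7", "+15550101"),    # already-seen number: allowed
    (5000, "203.0.113.7", "+15550105"),    # earlier requests expired: allowed
]

if __name__ == "__main__":
    for event in replay(SAMPLE_EVENTS, PairingRateLimiter()):
        print("refused:", event)
```

In production the source key would more usefully be a network block or hosting provider than a single IP address, since the report's concern is many numbers arriving from the same infrastructure.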