Beware of the New WhatsApp Threat: The GhostPairing Account Takeover Scheme
High-Severity Advisory Issued by CERT-In
New Delhi: The Indian cyber security agency, CERT-In, has raised alarms regarding a serious WhatsApp account takeover scheme known as 'GhostPairing', which exploits the app's device-linking functionality.
Understanding the GhostPairing Attack
The advisory details that GhostPairing relies on social engineering: attackers combine WhatsApp’s legitimate 'link device via phone number' process with misleading websites, which allows them to add their own browser or desktop as an additional linked device on the victim's account. Because victims are misled into completing the pairing process themselves, the scheme needs no passwords, SMS OTPs, or SIM swaps, and it does not rely on any zero-day vulnerability in WhatsApp.
How the Attack Unfolds
Reports indicate that an attack typically begins with a message such as 'Hi, check this photo,' sent from what appears to be a trusted contact. The message contains a link with a Facebook-style preview. When the recipient clicks it, they are redirected to a fraudulent content viewer page that prompts them to 'verify' their identity to access the media and then asks for their phone number.
The Mechanics Behind the Attack
The attacker’s website then forwards the entered phone number to WhatsApp’s 'link with phone number' feature, generating a one-time pairing code intended solely for the account owner. The malicious site then displays this legitimate code back to the victim, instructing them to 'enter this in WhatsApp to confirm' the login. The victim is led to open WhatsApp, navigate to Linked Devices, and input the code, mistakenly believing they are completing a security verification to view the photo.
Consequences of the Attack
Once the victim enters the valid pairing code into their own WhatsApp application, the attacker’s device is added as an authorized linked device without any further authentication in the victim’s app. Consequently, the attacker can read synchronized chats and media, receive new messages almost instantly, and send messages to both individual contacts and group chats. This behaves much like a normal WhatsApp Web session, while the original account holder continues to use the account on their mobile device.
Security Implications and User Recommendations
Security experts have cautioned that this method effectively transforms WhatsApp’s multi-device feature into a covert surveillance and impersonation tool, as many users seldom check the 'Linked Devices' list and may overlook an unfamiliar session. However, the attacker’s device is not hidden; it appears as another linked device, and users can revoke access at any time by removing unknown sessions from the Linked Devices section.
Advice from CERT-In and Security Experts
CERT-In and security professionals recommend that users:
- Avoid clicking on unsolicited or suspicious links, even if they appear to come from known contacts.
- Never input their WhatsApp phone number or any pairing code on external websites claiming to be WhatsApp, Facebook, or media viewers.
- Regularly check and remove unfamiliar devices from the WhatsApp 'Linked Devices' menu to prevent unauthorized access.
Awaiting WhatsApp's Response
As of the latest updates, a formal public response from WhatsApp regarding this specific GhostPairing advisory from CERT-In is still pending.
