A newly discovered account takeover campaign targeting WhatsApp users demonstrates how attackers can compromise messaging accounts without stealing passwords or exploiting technical vulnerabilities.
The threat, identified as the GhostPairing Attack, uses social engineering and WhatsApp’s legitimate device linking feature to grant attackers complete access to victim accounts.
The campaign first emerged in Czechia but shows no geographic limitations, with attackers using reusable kits to scale their operations across multiple countries and languages.
The attack begins when victims receive a message from a known contact, typically saying that the contact has found a photo. The message includes a link designed to appear as a Facebook content viewer.
When users click the link, they encounter a fake Facebook-themed page requesting verification before accessing content.
This familiar interface creates a false sense of legitimacy that encourages users to complete the verification process without questioning its authenticity.
Gen Digital analysts and researchers discovered that the attack exploits WhatsApp’s device pairing feature, which allows users to link additional devices such as web browsers and desktop applications to their accounts.
Rather than relying on technical exploits or credential theft, attackers trick users into willingly approving an unauthorized device connection.
Infection mechanism
The infection mechanism relies on WhatsApp’s phone number and numeric pairing code flow, making this attack particularly effective.
When users enter their phone number on the fake page, the attacker’s infrastructure intercepts the request and forwards it to WhatsApp’s legitimate device linking endpoint.
WhatsApp generates a pairing code intended only for the account owner, but the attacker’s website displays this code to the victim alongside instructions to enter it in WhatsApp to complete the login verification.
From the victim’s perspective, this appears identical to standard two-factor authentication. Once the victim enters the code in their actual WhatsApp application, they unknowingly approve the attacker’s browser as a linked device.
The attacker now has persistent access to all historical conversations, incoming messages, photos, videos, and sensitive information shared in the account, while remaining completely invisible to the account holder.
The persistent nature of this access makes the attack particularly dangerous. Unlike traditional account hijacking that locks out legitimate users, GhostPairing allows attackers to observe conversations and gather intelligence indefinitely.
Compromised accounts become propagation vectors, enabling attackers to send the same lure messages to the victim’s contacts, creating a snowball effect that multiplies the attack’s reach.
Users can protect themselves by regularly checking their linked devices in WhatsApp Settings and removing unknown sessions, treating any external requests to scan QR codes or enter pairing codes as immediately suspicious, and enabling Two-Step Verification for additional account security.
