Powered by MOMENTUMMEDIA

WhatsApp users warned! Watch out for new GhostPairing attack

New attack vector tricks victims into actively sharing messages, photos, and more on popular messaging platform.

Thu, 15 Jan 2026

Security experts are warning of a new WhatsApp takeover scam that is seeing attackers gain access to contacts, photos, and messages, all without stealing passwords or breaking encryption.

“GhostPairing is a new WhatsApp account takeover campaign uncovered by Avast researchers that doesn’t rely on stolen passwords or SIM-swapping,” Stephen Kho, Cyber Security Expert for Avast, told Cyber Daily.

“Instead, it tricks people into completing what looks like a normal verification step, which actually links the attacker’s device to their account using WhatsApp’s own pairing feature.”

 
 

Typical GhostPairing messages appear to come from a trusted contact, and may contain a prompt as simple as “Hey, I found your photo” alongside a link for users to click on. This leads to a fake “Facebook-style page” that asks users to verify their accounts. Victims are then given a legitimate sharing code, which adds an attacker’s browser as an authenticated, linked device.

“Once that happens, the attacker gains full access to the victim’s messages, photos and voice notes, while the phone continues to work normally. Because the compromise is silent, many people don’t realise someone else is connected to their account unless they check their linked devices.”

Kho said this technique is well-suited to scam operators as it allows one set of fake infrastructure to be used and reused at scale. The data harvested via the attack can then be used to create more targeted scams, impersonate victims, and create “other forms of fraud”.

“GhostPairing is a good example of how cyber criminals are shifting away from breaking security systems and instead abusing the trusted approval flows people see every day, such as QR codes and device pairing prompts,” Kho said.

The simplicity and effectiveness of the attack are amplified by Australian messaging habits. According to Avast’s own research, 97 per cent of Australians are online, and nearly half of all Aussies over 16 use WhatsApp. Active users open the platform almost 200 times a month, giving scammers ample time and opportunities to target users as malicious links spread through conversations.

What you need to know to stay safe

There are three simple steps any WhatsApp user can take to protect themselves from GhostPairing and similar attacks:

  • Check settings: On your device, open WhatsApp and go to Settings > Linked Devices. If you find anything unfamiliar, delete it immediately.

  • Be wary: Treat every request from a website to enter a pairing code or scan a QR code as potentially suspicious.

  • Enable 2FA: Turn on two-step verification and make sure to share the same advice with friends, family, and any members of regularly used group chats.
David Hollingworth


David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
