New Delhi: The Indian Computer Emergency Response Team (CERT-In) has issued an urgent advisory regarding a new cyberattack dubbed “GhostPairing.” This campaign allows hackers to hijack WhatsApp accounts and monitor conversations in real time without needing a password, OTP, or a SIM swap.
What is ‘GhostPairing’?
GhostPairing is a social engineering attack that exploits WhatsApp’s legitimate “Linked Devices” feature. Instead of breaking encryption, attackers trick users into manually authorizing the hacker’s browser as a “ghost” device.
How the Hijack Works
The attack is designed to look like a routine security or photo verification process:
- The Lure: Victims receive a message from a trusted contact (whose account is already compromised) saying, “Hi, check this photo.”
- The Fake Site: Clicking the link leads to a fake webpage mimicking a Facebook or WhatsApp viewer. It asks the user to “verify” their identity to see the content.
- The Trap: The site prompts the user for their phone number. Behind the scenes, the attacker uses this number to initiate a “link with phone number” request on the official WhatsApp Web client.
- The Code: WhatsApp sends a legitimate 8-digit pairing code to the victim’s phone. The fake website then instructs the victim to enter that code into their WhatsApp app to “confirm” the identity check.
- The Access: Once the code is entered, the attacker’s browser is instantly linked. They gain full access to synced messages, media, and the ability to send messages as the victim.
Impact of the Hijack
Unlike in a typical hack, you are not logged out of your phone. The attacker remains a “silent partner,” able to:
- Read all historical and incoming messages.
- View and download photos, videos, and voice notes.
- Impersonate you to send the same scam link to your family and friends.
- Monitor your activity for potential extortion or further social engineering.
How to Protect Yourself
CERT-In recommends several immediate steps for all users:
- Manual Audit: Regularly check Settings > Linked Devices. If you see any unrecognized device or browser, log it out immediately.
- Avoid Verification Links: WhatsApp will never ask you to enter a pairing code to “view a photo” or “verify identity” on a website.
- Enable Two-Step Verification (2FA): Set up a 6-digit PIN in Settings > Account > Two-step verification to add a layer of security that prevents unauthorized access.
- Stay Skeptical: Treat unusual requests from known contacts with suspicion; always verify via a separate call or message if something feels off.

