Threat actors are abusing the legitimate device-linking feature to hijack WhatsApp accounts via pairing codes in a campaign dubbed GhostPairing.
This type of attack does not require any authentication, as the victim is tricked into linking the attacker’s browser to a WhatsApp device.
By doing so, threat actors gain access to the full conversation history and shared media, and may leverage information to impersonate users or commit fraud.
Gen Digital (formerly Symantec Corporation and NortonLifeLock) says that the campaign was first spotted in Czechia but warns that the propagation mechanism allows it to spread to other regions, with compromised accounts acting as springboards to reach new targets.
How GhostPairing works
The attack starts with a short message from a known contact, sharing a link allegedly leading to an online photo of the victim. To instill some trust, the link is displayed as a content preview from Facebook.
Malicious message sent to the target
Source: Gen Digital
The link takes the victim to a fake Facebook page hosted on typosquatted or similar-looking domains, which tells users that they need to verify themselves by logging in before they can access the content.
The verification page is deceptive and actually triggers WhatsApp’s device-pairing workflow. Victims are asked for their phone number, which the attacker uses to initiate a legitimate device-linking or login process.
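A defender-side check for the lure described above, added here as an example and not taken from Gen Digital's report: it classifies a link that presents itself as Facebook content by comparing its hostname with an allowlist and looking for near-miss spellings. The allowlist, folding map, distance threshold and sample URLs are assumptions constructed for illustration, and without a public-suffix list every hostname label is treated as a candidate.

```python
from urllib.parse import urlsplit

# Assumed allowlist of genuine registrable domains; extend for your environment.
BRAND_DOMAINS = {"facebook.com", "fb.com", "fb.me"}
BRAND_LABEL = "facebook"
MAX_DISTANCE = 2  # assumed threshold for "similar-looking"
# Fold common digit-for-letter swaps and drop hyphens before comparing.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "-": None})


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url):
    """Return 'legitimate', 'lookalike', 'unrelated' or 'invalid' for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    # Exact domain or a true subdomain of an allowlisted domain.
    if any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS):
        return "legitimate"
    for label in host.split("."):
        folded = label.translate(FOLD)
        # Brand embedded in a label (also catches facebook.com.<other domain>)
        # or a label that is a near-miss spelling of the brand.
        if BRAND_LABEL in folded or edit_distance(folded, BRAND_LABEL) <= MAX_DISTANCE:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs under the reserved .example TLD.
    for u in ("https://www.facebook.com/photo?id=1",
              "https://faceb00k-photos.example/view",
              "https://facebook.com.login-check.example/",
              "https://news.example/story"):
        print(classify_link(u), u)
```

A "lookalike" verdict on a link received in chat is a reason to block or warn before the page loads, since the pairing prompt only appears after the victim engages with the fake page.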