Concise Cyber

GhostPairing: The WhatsApp Device Linking Campaign Hijacking Accounts

A new threat, dubbed 'GhostPairing,' is actively abusing WhatsApp's legitimate multi-device linking feature to hijack user accounts. The campaign combines a social engineering lure with functionality that was designed for user convenience in order to gain unauthorized access to WhatsApp accounts. The multi-device feature allows users to link their WhatsApp account to additional devices, such as a web browser or desktop application, without their phone needing to be online. While this adds flexibility for users, it has become the vector for this account hijacking scheme.

The GhostPairing campaign begins with the attacker initiating a WhatsApp registration on a new device. During this process, WhatsApp sends a six-digit verification code to the victim's primary phone. The critical step in the attack is tricking the victim into revealing this one-time password (OTP): attackers pose as legitimate entities or known contacts to convince users to share the code. Once the attacker obtains the verification code, they can register their device as a linked device on the victim's WhatsApp account. This grants them access to the victim's chat history and contacts, and the ability to send messages as the victim. That access can lead to significant privacy breaches, financial fraud, and further social engineering attacks against the victim's contacts.

The GhostPairing technique exploits user trust and the inherent design of the multi-device linking process. WhatsApp has security measures in place, such as end-to-end encryption, but the weakness lies in the human element: the user being tricked into divulging sensitive information. The campaign highlights the persistent challenge of phishing and social engineering, where attackers constantly adapt their methods to bypass security controls.

Users are typically unaware their account has been compromised until they notice unusual activity or are locked out of their own WhatsApp. The success of GhostPairing underscores the importance of exercising extreme caution when sharing any verification code, regardless of how convincing the request may seem. No legitimate service or representative will ever ask for your one-time passwords or verification codes directly.

Organizations and individual users are urged to educate themselves about these attacks and reinforce best practices for digital security. This includes being skeptical of unsolicited requests for personal information, verifying the identity of anyone asking for codes, and enabling additional security features like two-step verification (2FA) where available. Two-step verification adds an extra layer of security by requiring a PIN in addition to the verification code, making it significantly harder for attackers to gain access even if they manage to steal the initial OTP.

The GhostPairing campaign serves as a stark reminder that even well-designed security features can be turned into vulnerabilities through social engineering. Protecting oneself against such threats requires constant vigilance and adherence to security best practices, and the campaign shows how attackers continuously find new ways to exploit features designed for user convenience.
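To make concrete why a two-step verification PIN blunts this kind of OTP phishing, here is an added toy model of a phone-number registration flow. It is illustrative code written for this summary, not WhatsApp's real protocol or code: the account store, the 300-second code lifetime, the three-attempt limit, the phone numbers and the PIN are all constructed assumptions. The server issues a single-use, expiring SMS code; when the account has two-step verification enabled, a device that presents the phished code without the PIN is still refused.

```python
"""Toy model of phone-number registration with an optional two-step PIN.
Constructed illustration only; not WhatsApp's protocol, values are assumed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    phone: str
    pin_hash: Optional[bytes] = None      # set once two-step verification is enabled
    pin_salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    linked_devices: list = field(default_factory=list)


class RegistrationServer:
    OTP_TTL = 300       # seconds an SMS code stays valid (assumed value)
    MAX_ATTEMPTS = 3    # wrong guesses before the pending code is discarded

    def __init__(self):
        self.accounts = {}   # phone -> Account
        self.pending = {}    # phone -> {"code", "expires", "attempts"}

    @staticmethod
    def _hash_pin(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def enable_two_step(self, phone, pin):
        acct = self.accounts.setdefault(phone, Account(phone))
        acct.pin_hash = self._hash_pin(pin, acct.pin_salt)

    def start_registration(self, phone, now=None):
        """Step 1: a device claims the number; a 6-digit code is 'sent' by SMS."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = {"code": code, "expires": now + self.OTP_TTL, "attempts": 0}
        return code   # delivered to the phone in reality, never to the requester

    def finish_registration(self, phone, code, device_id, pin=None, now=None):
        """Step 2: the requesting device submits the code and, if enabled, the PIN."""
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None or now > entry["expires"]:
            return "no_valid_code"
        if not hmac.compare_digest(entry["code"], code):
            entry["attempts"] += 1
            if entry["attempts"] >= self.MAX_ATTEMPTS:
                del self.pending[phone]         # rate limit: force a fresh code
            return "bad_code"
        del self.pending[phone]                 # the code is single use
        acct = self.accounts.setdefault(phone, Account(phone))
        if acct.pin_hash is not None:
            # A correct SMS code alone is not enough once two-step is enabled.
            if pin is None or not hmac.compare_digest(
                acct.pin_hash, self._hash_pin(pin, acct.pin_salt)
            ):
                return "pin_required"
        acct.linked_devices.append(device_id)
        return "registered"


VICTIM = "+15550000001"     # constructed number
VICTIM_PIN = "739164"       # constructed PIN


def simulate_ghostpairing(two_step_enabled):
    """The attacker starts a registration for the victim's number and, through
    social engineering, learns the SMS code. Returns the server's verdict."""
    srv = RegistrationServer()
    srv.accounts[VICTIM] = Account(VICTIM, linked_devices=["victim-phone"])
    if two_step_enabled:
        srv.enable_two_step(VICTIM, VICTIM_PIN)
    phished_code = srv.start_registration(VICTIM)   # victim is tricked into sharing it
    return srv.finish_registration(VICTIM, phished_code, "attacker-laptop")


if __name__ == "__main__":
    print("no two-step:", simulate_ghostpairing(False))   # attacker gets in
    print("two-step on:", simulate_ghostpairing(True))    # attacker is refused
```

The model also shows the other properties a registration code should have regardless of two-step verification: it expires, it can be used only once, and repeated wrong guesses discard it, so a phished code buys the attacker exactly one attempt within a short window rather than an open door.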

Source: https://securityaffairs.com/185814/hacking/ghostpairing-campaign-abuses-whatsapp-device-linking-to-hijack-accounts.html