WhatsApp Account Hijacking Campaign Exploits Device Linking
Full Transcript
Threat actors are abusing WhatsApp's legitimate device-linking feature to hijack accounts in a campaign dubbed GhostPairing. This attack method does not require authentication, as victims are tricked into linking the attackers' browser to their WhatsApp account through deceptive messages.
According to Gen Digital, formerly known as Symantec Corporation and NortonLifeLock, the campaign was first identified in Czechia but has the potential to spread globally, using compromised accounts as gateways to reach new targets.
The attack begins with a message from a known contact, containing a link that appears to lead to an online photo of the victim. The link is misleading, displayed as a content preview from Facebook, but directs victims to a fake Facebook page hosted on typosquatted domains, where they are prompted to verify their identity by logging in.
This deceptive page initiates WhatsApp's device-pairing workflow, asking for the victim's phone number, which the attacker uses to start the legitimate linking process. WhatsApp generates a pairing code that the attacker presents on the fake page, and victims are then prompted to enter this code, granting the attacker full access to their account without any need to bypass security.
Once linked, attackers can view messages in real-time, access shared media, and potentially impersonate users or commit fraud. Gen Digital emphasizes that victims may remain unaware that a second device has been added, allowing criminals to monitor conversations undetected.
Users are advised to check for unauthorized devices linked to their accounts under Settings Linked Devices and to enable two-factor authentication for added protection. They should also scrutinize messages received, especially those that urge quick action, to avoid falling victim to such scams.
It's important to note that this device linking feature is not unique to WhatsApp and has been exploited by Russian threat actors in the past to gain access to Signal accounts.