A new cyberattack campaign is putting the WhatsApp accounts of thousands of users at risk using a technique called Ghost Pairinga method that allows criminals to take control of the application without stealing passwords or duplicating SIM cards. Unlike other digital scams, in this case it is the victim himself who unknowingly authorizes the attacker’s access by linking his account to an external browser controlled by a third party.
As security researchers at Gen Digital explain, the attack is based on a legitimate WhatsApp feature: the ability to link the main account to other devices, e.g WhatsApp web or the Windows application. This tool, intended to facilitate access from multiple computers, becomes a user’s weak point Cybercriminals exploit social engineering.
The scam begins with a seemingly innocuous message received from a known contact of the victim. In the text, The sender claims to have found a photo that shows the person and invites you to review the content via a link. The tone of the message is usually informal and credible, which reduces initial suspicion and increases the likelihood that the user will click.
By accessing the link, the victim is redirected to a page that Mimics the look and feel of a Facebook login screen. There you will be asked to enter your phone number. After this step, the site will ask you to confirm access by scanning a QR code with WhatsApp or entering a numeric code sent to the device. While both options legitimately exist, researchers note that the numeric code method is the most commonly used in this campaign.
What the user doesn’t realize is that by completing these steps they are following the exact process Device pairing from WhatsApp. You inadvertently authorize your account to connect to a new browser that actually belongs to the cybercriminal. The action is completely valid for WhatsApp: the system interprets that the account holder deliberately added a new device.
This mechanism gives the attack its name: Ghost Pairing or “ghost mating.” Nothing unusual will happen in the eyes of the user as your application will continue to function normally on the phone. However, the attacker already has access to the account in the background via WhatsApp Web.
Once inside, the cybercriminal has virtually the same options as any legitimate browser user. Can Read conversation history, receive messages in real time, download documents, images and videosand also send messages on behalf of the victim. This last feature is key to expanding the attack, as it allows other users of the address book to be contacted with the same original “photo” message, thus spreading the campaign automatically and credibly.
One of the most worrying aspects of GhostPairing is this does not require theft of credentials even more sophisticated techniques like SIM swap. Everything is based on deception and abuse of official platform tools. This makes the attack more difficult to detect, both for users and automated security systems.
Experts recommend taking extreme precautions against unexpected messages that contain links, even if they come from known contacts. In addition, it is important to check the section of regularly connected devices Within WhatsApp, you can check for undetected access and close suspicious sessions immediately.
GhostPairing shows once again that the biggest weak point is not always in the technology, but in the trust of the user.
About The Author
