GhostPairing Attack; WhatsApp accounts at major risk

GhostPairing attack on WhatsApp-GCC Business News
Image Credits: Rahul Shah@Pexels | Cropped by GBN
By Arya M Nair, Content Head
  • Follow author on

A new attack campaign, named GhostPairing, has been identified by researchers, which involves WhatsApp accounts, tricking the victim into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device on the account.

The GhostPairing attack involves a message including a link that appears as a Facebook-style preview. When users open it, they see a page that imitates a Facebook viewer and asks them to “verify” before they can see the content.

These verification steps will give away the WhatsApp user’s account to attackers without hijacking any password. This normal verification-looking theft made cybercriminals find a way to abuse that cross-platform use to bypass the encryption.

GhostPairing Attack-GCC Business News
Image Credits: Antoni Shkraba Studio@Pexels | Cropped by GBN

The GhostPairing has made WhatsApp’s secured end-to-end encryption very vulnerable. WhatsApp’s end-to-end encryption is used when you chat with another person using WhatsApp Messenger. End-to-end encryption keeps your personal messages and calls between you and the person you’re communicating with.

No one outside of the chat, not even WhatsApp, can read, listen to, or share them. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them.

The GhostPairing attack was first noticed in the Czech Republic, where compromised accounts were seen sending short texts, usually with a photo and link that rendered as a Facebook element inside WhatsApp, to local contacts.

What the attacker can do?

The attack, like any other cybercrime, does not involve any ransom demand or money-related or password hijacking. The phone continues to work normally. Many victims are unaware that a second device has been added in the background, which is what makes the scam even more dangerous. Unless the victim goes into Settings and removes unknown devices, the attacker may retain access.

For individuals, the most important actions are simple and do not require technical knowledge.

First, it is worth checking which devices are currently linked:

  • Open WhatsApp
  • Go to SettingsLinked Devices
  • Review the list of active sessions and log out of anything you do not recognize

Doing this once will remove any sessions already created by this sort of scam. Doing it periodically helps catch future problems earlier.

Trending | Group-IB rolls out Cyber Fraud Intelligence Platform

YOU MAY LIKE