New Delhi: India’s Computer Emergency Response Team (CERT-In) has issued an advisory about an active threat campaign targeting WhatsApp users in the country.
The attack involves a new technique known as GhostPairing, where cyber crooks hijack WhatsApp accounts by exploiting the popular instant messaging platform’s device-linking .
CERT-In has said that the threat actors are able to take over WhatsApp accounts without authorisation by tricking potential victims into entering the pairing codes.
The Indian cybersecurity watchdog said in an advisory with ‘High’ severity rating on December 19, as per The Indian Express.
GhostPairing allows cybercriminals to take complete control of WhatsApp accounts without needing passwords or SIM swaps, CERT-In said.
“In a nutshell, the GhostPairing attack tricks users into granting an attacker browser access, as an additional trusted and hidden device, by using a pairing code that looks authentic,” it added.
Nearly a month ago, the Department of Telecommunications (DoT) ordered online messaging platforms like WhatsApp, Signal, and Telegram to mandate continuous SIM-binding of user accounts in the next few months. This means that users will not be able to access these apps on devices that do not contain the active SIM linked to their accounts.
More importantly, users of companion web instances (such as WhatsApp Web) will be logged out every six hours and made to re-link their accounts using QR codes. The DoT’s SIM-binding directive is meant to curb rising digital fraud, specifically those scams that are perpetrated by hijacking victims’ accounts on messaging apps like WhatsApp.
In October this year, the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs, said it has identified a transnational crime trend, where scammers use ads on Facebook and Instagram to trick victims into linking their WhatsApp accounts with their platform.
However, the SIM-binding directive has also drawn criticism from lawyers and digital rights advocates, who fear that continuous SIM-binding would threaten users’ privacy and complicate access for those using messaging platforms across multiple devices, especially in professional set-ups. Cybersecurity experts have also pointed out that SIM-binding could run into several technical hurdles in implementation.
How does the scam work?
WhatsApp lets users access chats on their laptop or tablet by linking the device to the app on their phone. Currently, there is no limit to how many devices can be linked to a WhatsApp account.
Users can link a device to their WhatsApp account by either scanning a QR code or by entering a code shown on the device they want to connect. CERT-In has said that the emerging malicious WhatsApp account takeover campaign known as GhostPairing begins with victims receiving a message from a trusted contact that reads: “Hi, check this photo”.
– The message contains a link with a Facebook-style preview.
– The link leads to a fake Facebook viewer that prompts users to “verify” to see the content.
– Then, the attackers attempt to trick potential victims into entering their phone number and code.
“By following a short, seemingly harmless sequence of steps, victims unknowingly grant attackers full access to their WhatsApp accounts, without any password theft or SIM swapping,” CERT-In said in its advisory.
Once the WhatsApp account is successfully linked to the device, threat actors are able to access all the chats and features available on the web version of WhatsApp. This includes read messages, new messages in real-time, photos, videos, and voice notes. Attackers can also impersonate victims and send messages to their contacts and group chats, as per the nodal cybersecurity agency.
What steps can be taken by users?
CERT-In has recommended the following actions to mitigate risks associated with account compromise or takeovers:
For individual users:
– Do not click suspicious links even if they come from known contacts.
– Never enter your phone number on external sites claiming to be WhatsApp/Facebook.
– Check Linked Devices regularly in WhatsApp. You can do this by clicking on WhatsApp > Settings > Linked Devices. If you see any device you don’t recognise, log out the session immediately.
For organisations using WhatsApp:
– Provide security awareness training focused on messaging-app attacks.
– Enforce mobile device management (MDM) where applicable.
– Monitor for phishing and social engineering indicators.
– Establish protocols for rapid detection and remediation.
