Wednesday: 24 December 2025
  • 20 December 2025
  • 23:49
Without a code or password: warning about an ordinary message that ends with a WhatsApp account hack

A cybersecurity company has warned of a new phishing scam targeting WhatsApp users, which begins with a message that appears ordinary from a trusted contact, but can end with full control of the account without stealing passwords or intercepting verification codes.

A report from Gen Digital revealed that the attack, known as GhostPairing, exploits WhatsApp's official "device linking" feature, using a deceptive flow that convinces users to approve, themselves, the linking of an attacker-owned device to their account.

The report explained that the process begins with a short message reaching the victim, containing a link in the form of a preview similar to Facebook links, which prompts the user to click on it without suspicion. Once the link is opened, the user is directed to a fake page that requests "verification" before displaying the content.

It noted that the verification step actually triggers the WhatsApp device linking process: the user is asked to enter their phone number, which prompts the app to generate a specific numeric code for linking, and the victim is then asked to enter that code inside WhatsApp as if it were a routine security measure. In reality, entering it grants the attacker access to the account.

The report pointed out that entering the code allows the hackers to have full access to the account via "WhatsApp Web," including reading conversations, receiving new messages in real time, downloading media, and sending messages in the user's name, while the phone continues to function normally without clear indications of the hack.

It added that this campaign was first detected in the Czech Republic but is capable of spreading rapidly to other countries, due to its reliance on trust between contacts, where hacked accounts are used to re-send the deceptive message to friends and groups.

Researchers confirmed that the GhostPairing trick does not depend on breaking encryption or exploiting software vulnerabilities, but is based on social engineering and using legitimate features that function as designed, making it harder to detect, especially since the linked devices remain active until the user manually removes them.

Cybersecurity experts advised WhatsApp users to regularly open Settings, then Linked Devices, and delete any unknown sessions; to avoid entering linking codes or scanning QR codes at the request of external sites; to activate two-step verification; and to verify any unexpected messages, even if they come from known contacts.
