Avast cybersecurity researchers explained that the scam, known as GhostPairing, relies on using legitimate features within the application to deceive users and link their accounts to a device controlled by the attacker, giving him direct access to messages, photos, video clips, and voice notes.

The process begins by sending the victim a message that appears to come from a trusted contact, and includes a link that usually claims to display an image. This link leads the user to a fake Facebook login page asking him to enter his phone number.

Instead of displaying the alleged content, the page activates the “link devices” feature in WhatsApp, by displaying a code that the victim is asked to enter within the application.

Unbeknownst to the user, this leads to an unknown device being linked to the account, giving the attacker full access without the need for a password or any other credentials.

Once under control of the account, the hacker can send messages to the victim’s contacts, exploiting mutual trust to spread the attack and carry out additional hacking operations on a larger scale.

Luis Corrones, a security expert at Avast, said that this campaign “reflects a growing shift in cybercrime, where exploiting users’ trust has become no less important than penetrating the technical systems themselves.”

He added that scammers “convince users to grant access themselves, by abusing familiar tools such as QR codes, device link requests, and seemingly routine verification screens.”

He pointed out that fraud of this type “does not represent a problem specific to WhatsApp alone, but rather constitutes a warning to any platform that relies on connecting devices quickly and without sufficient explanation to the user.”

In this context, Avast called on WhatsApp users to periodically check the devices linked to their accounts by going to “Settings” and then “Associated Devices”, with the need to remove any unknown device immediately.

Corones concluded by stressing that “the development of fraudulent methods requires rethinking authentication mechanisms, so that they are not limited to what the user does intentionally, but also take into account what can be tricked into doing, especially when automatic trust in devices turns into an exploitable weakness.”

Source: Independent