Cybersecurity can often be described as “the same old thing, another day.” Attacks change, but rarely so dramatically that the familiar methodology is no longer visible. In the latest example, attackers are using WhatsApp's device linking process to break into the accounts of unsuspecting users.
As detailed by antivirus software maker Gen Digital, parent company of Norton, Avast and AVG, this “GhostPairing” campaign relies on tricking unsuspecting users into helping hackers get into their WhatsApp accounts (h/t PipComputer). This is a variation on a phishing attack, and it works like this:
- You receive a WhatsApp message from one of your known contacts.
- They tell you they found your photo online and add a link.
- The link preview supposedly shows a Facebook page, but it is actually a fake site.
- When you click on the link, you will be asked to verify your account in order to see the photo.
- The fake site then asks for your phone number.
- Once received, the attacker begins the login process on their end. A real verification code will be sent to your phone.
- The fake site then asks for this login code.
- If you enter a code, this information is captured and then used to complete the device pairing process.
Victims of this attack believe that they are verifying their account for Meta purposes, but in reality they are going through a legitimate login process.
Once a hacker gains access to your account, they will be able to see all of your existing messages and any new incoming messages. They can also send messages on your behalf to contacts to continue the cycle of spying on others for sensitive data.
An example of a fake Facebook login verification screen made by Gen Digital.
Fortunately, this type of attack is not new, which means it will be easier for you to recognize. First, it is based on unconditional faith in your contacts: you are confident that they will only send you uncompromised links.
Second, it follows the same pattern as more typical phishing attempts. You click on the fraudulent link and then enter the required login information to the fake (but convincingly real) site. These credentials are intercepted and used by the attacker. The main difference here is that instead of recording your password (which can then be used in subsequent credential stuffing attacks) and stealing two-factor authentication codes, this malicious campaign adapts to the WhatsApp login method.
Third, it gives itself away through strange behavior. Normally, you won't verify your access to Facebook content using your WhatsApp login details. The attacker hopes that you are not watching too closely!
To avoid falling for this dirty trick, be distrustful. Do not interact with the link. Instead, if it's someone you know, contact them in another way, such as by phone or another messaging app, and ask what's up. (Pun intended.) If you don't know them well, ignore the message. In general, do not provide login codes to sites until you have confirmed that the site is indeed official.
If you are concerned that someone may have access to your WhatsApp account, you can check which phones, tablets and/or computers are connected by going to Settings > Linked devices. You can also perform a similar check for many major services such as Google, Apple, Microsoft, Facebook and others. I always recommend checking in every now and then just to make sure you're locked and safe.





