GhostPairing

Recently, the Indian Computer Emergency Response Team (CERT-In) issued an advisory warning WhatsApp users about an active cyber threat campaign that uses a new attack technique known as GhostPairing. This method allows cybercriminals to take control of WhatsApp accounts without the user’s knowledge or authorization.

What is GhostPairing?

GhostPairing is a sophisticated WhatsApp account takeover technique in which hackers secretly link their own device to a victim’s WhatsApp account.

• The attack gives near-complete access to the victim’s WhatsApp account.

• It does not require passwords, SIM swapping, or physical access to the victim’s phone.

• Hackers exploit the WhatsApp multi-device pairing feature by tricking users into sharing pairing codes.

Important Point: Victims often remain unaware that their WhatsApp account has been compromised.

How GhostPairing Works (Modus Operandi)

1. Initial Lure Message
   Victims receive a message from a trusted contact saying, “Hi, check this photo.”

2. Malicious Link with Social Media Preview
   The message contains a malicious link that displays a Facebook-style preview, making it appear legitimate.

3. Fake Verification Page
   Clicking the link redirects users to a fake Facebook content viewer, which asks them to “verify” to view the content.

4. Extraction of Pairing Credentials
   Victims are prompted to enter their phone number and WhatsApp pairing code.

5. Account Takeover
   By entering these details, victims unknowingly link the attacker’s device to their WhatsApp account, granting hackers full control.

Impact of GhostPairing Attacks

• Hackers can read messages, send messages, access contacts, and monitor communications.

• Compromised accounts can be used to spread malware, conduct financial fraud, or target additional victims.

• The attack exploits social engineering, rather than technical flaws, making it harder to detect.

Role of CERT-In

The Indian Computer Emergency Response Team (CERT-In) functions under the Ministry of Electronics and Information Technology (MeitY).

• It is responsible for handling cyber security incidents, issuing advisories, and strengthening India’s cyber resilience.

• CERT-In has advised users to avoid clicking suspicious links, never share verification or pairing codes, and enable additional security settings on WhatsApp.

Preventive Measures for Users

• Do not click on unknown or suspicious links, even if they appear to come from trusted contacts.

• Never share WhatsApp pairing or verification codes with anyone.

• Regularly check linked devices in WhatsApp settings and remove unknown devices.

• Enable two-step verification on WhatsApp for additional protection.

Conclusion

GhostPairing highlights the growing sophistication of cyber attacks that exploit user trust and social engineering rather than technical vulnerabilities. The CERT-In advisory underscores the need for digital awareness, cautious online behaviour, and proactive security practices to protect personal communication platforms like WhatsApp.