Beware! This WhatsApp scam hijacks accounts without OTPs
What's the story
A new and sophisticated scam targeting WhatsApp users has been discovered. Dubbed GhostPairing, the campaign exploits the app's device-linking feature to gain complete access to victims' accounts. Cybersecurity experts have warned that this method allows attackers to hijack accounts without stealing passwords, SIM cards, or verification codes. Unlike traditional hacks, GhostPairing relies on social engineering and is hard to detect.
Scam mechanics
How the GhostPairing scam operates
The GhostPairing scam starts with a seemingly innocent message from a trusted contact, like "Hey, I just found your photo!" The message contains a link that displays as a Facebook-style preview inside WhatsApp. Clicking on it takes users to a fake webpage mimicking the Facebook photo viewer and asking them to "verify" before seeing the content.
Verification trap
Fake page triggers WhatsApp's device-pairing process
The fake page in the GhostPairing scam triggers WhatsApp's official device-pairing process. Users are asked to enter their phone number, after which WhatsApp generates a numeric pairing code. The fraudulent page then instructs users to enter this code in WhatsApp, passing it off as a routine security check. By doing so, victims unknowingly approve the attacker's device and grant them full access to their account.
Access granted
GhostPairing allows real-time access to messages
Once the victim enters the code, the attacker gets full WhatsApp Web access. They can read messages, download media, send texts as if they were the victim, and receive new messages in real time. The most alarming part is that while this happens, the victim's phone continues to work normally, which makes it hard for users to detect the breach and take necessary action.
Rapid propagation
GhostPairing spreads through trusted networks
The GhostPairing scam was first spotted in Czechia, but experts warn it could go global. Compromised accounts are used to send the same deceptive links to contacts and group chats, exploiting existing trust networks instead of relying on mass spam campaigns. Cybersecurity researchers have stressed that this method doesn't bypass encryption or exploit software flaws but takes advantage of legitimate features working as designed.
Scam longevity
Persistence and user protection
Linked devices in the GhostPairing scam stay active until manually removed by the user. This means a compromised account could remain exposed indefinitely. To protect against this threat, users are advised to regularly check Settings > Linked Devices in WhatsApp and remove any unfamiliar sessions. They should also be cautious of requests to scan QR codes or enter pairing codes from websites, enable two-step verification for added security, and verify unexpected messages carefully even if they appear genuine.