
You can often summarize cybersecurity as “same things, different day.” Attacks change, but rarely so dramatically that you can’t see the familiar methodology underneath. The latest example: bad actors exploiting the WhatsApp device linking process to infiltrate the accounts of unsuspecting users.
As detailed by antivirus maker Gen Digital, the parent company of Norton, Avast, and AVG, this “GhostPairing” campaign relies on tricking unsuspecting users into helping hackers log into their WhatsApp account (h/t BleepingComputer). It’s a variation of a phishing attack, and it works as follows:
- You receive a WhatsApp message from one of your known contacts.
- They tell you they found a photo of you online, and include a link.
- The link preview is supposed to show a Facebook page, but it’s actually a fake site.
- When you click on the link, you will be asked to verify your account to see the image.
- The fake site then asks for your phone number.
- Once received, the attacker initiates the login process on their end. The real verification code will be sent to your phone.
- The fake site then asks for this login code.
- If you enter the code, this information will be captured and then used to complete the device linking process.
Victims who fall prey to this attack will think they are verifying the account for Meta purposes, but are actually going through a legitimate login process.
Once a hacker has access to your account, they can see all your existing messages and any new incoming messages. They can also send messages on your behalf to contacts to further the cycle of snooping on others for sensitive data.
Example of a fake Facebook login verification screen, captured by Gen Digital.
Fortunately, this type of attack is not new, which means you can identify it more easily. First, it depends on unquestioning faith in your contacts: that you trust they will only send you safe links.
Second, it follows a similar pattern to the most common phishing attempts. You click on a fraudulent link, then enter the necessary login information to a fake (but convincingly real) site. These credentials are captured and used by the attacker. The main difference here is that instead of recording your password (which can then be used for subsequent credential stuffing attacks) and stealing two-factor authentication codes, this malicious campaign adapts to your WhatsApp login method.
Third, it gives itself away through strange behavior. In a normal scenario, you will not be able to verify your access to Facebook content using your WhatsApp login details. The attacker hopes that you are not paying too much attention to what is happening!
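The link-preview mismatch and the "photo of you" lure from the steps above can be checked mechanically. The sketch below is an added example, not code from Gen Digital or WhatsApp; the domain allowlist, the lure phrases, the function names and the sample messages are all assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts accepted as genuine Facebook for this check.
FACEBOOK_DOMAINS = ("facebook.com", "fb.com", "fb.me")
# Constructed lure phrases modelled on the message described above.
LURE_PHRASES = ("photo of you", "picture of you")


def host_of(url):
    """Return the lower-cased host, or '' if the URL has none or is malformed."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def is_facebook_host(host):
    """Exact match or true subdomain; 'facebook.com.example' does not pass."""
    return any(host == d or host.endswith("." + d) for d in FACEBOOK_DOMAINS)


def review_message(text, url, preview_title):
    """Return the reasons a received message deserves suspicion (empty if none)."""
    reasons = []
    host = host_of(url)
    if not host:
        reasons.append("link has no parsable host")
    elif "facebook" in preview_title.lower() and not is_facebook_host(host):
        reasons.append(f"preview claims Facebook but link goes to {host}")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("host uses punycode (possible look-alike domain)")
    if any(p in text.lower() for p in LURE_PHRASES):
        reasons.append("message uses the 'photo of you' lure")
    return reasons


if __name__ == "__main__":
    # Constructed samples; .example is a reserved test domain.
    samples = [
        ("Hey, I just found a photo of you!",
         "https://facebook.com.photo-view.example/p?id=1", "Facebook"),
        ("Is this you?", "https://www.facebook.com@login.example/verify", "Facebook"),
        ("Lunch on Friday?", "https://www.facebook.com/events/1", "Facebook"),
    ]
    for text, url, title in samples:
        print(url, "->", review_message(text, url, title) or "no flags")
```

An empty result does not make a link safe. The third tell, a page asking for your WhatsApp login code, only shows up after the click and still has to be caught by the reader.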
To avoid falling for this dirty trick, don’t trust the message. Do not interact with the link. Instead, if it’s someone you know, contact them through a different method, such as a phone call or a different messaging app, and ask them what’s up. (Pun mildly intended.) If you don’t know them well, ignore the message. In general, do not share login codes with sites until you are sure that the site is indeed official.
If you’re concerned about someone having access to your WhatsApp account, you can check to see which phones, tablets and/or computers are connected by heading to Settings > Linked devices. You can also perform a similar check for many major services, such as Google, Apple, Microsoft, Facebook, and more. I always recommend taking a peek every now and then, just to make sure you’re locked down and safe.