The Indian Computer Emergency Response Team (CERT-In) has issued an advisory about an active threat campaign targeting WhatsApp users. The attack uses a new technique called GhostPairing, which malicious actors exploit to hijack WhatsApp accounts.
The threat actors can take over WhatsApp accounts without authorisation by tricking potential victims into entering the pairing codes, the Indian cybersecurity watchdog said in an advisory with a ‘High’ severity rating on December 19.
GhostPairing allows cybercriminals to take complete control of WhatsApp accounts without needing passwords or SIM swaps, CERT-In said. “In a nutshell, the GhostPairing attack tricks users into granting an attacker’s browser access, as an additional trusted and hidden device, by using a pairing code that looks authentic,” it added.
CERT-In’s advisory on the WhatsApp account takeover campaign comes nearly a month after the Department of Telecommunications (DoT) ordered online messaging platforms such as WhatsApp, Signal, and Telegram to mandate continuous SIM binding of user accounts over the next few months. This means that users will not be able to access these apps on devices that do not contain the active SIM linked to their accounts.
More importantly, users of companion web instances (such as WhatsApp Web) will be logged out every 6 hours and required to re-link their accounts via QR codes. The DoT’s SIM-binding directive is meant to curb rising digital fraud, specifically those scams that are perpetrated by hijacking victims’ accounts on messaging apps like WhatsApp.
In October this year, the Indian Cybercrime Coordination Centre (I4C) under the Ministry of Home Affairs said it had identified a transnational crime trend in which scammers use ads on Facebook and Instagram to trick victims into linking their WhatsApp accounts to the platforms.
However, the SIM-binding directive has also drawn criticism from lawyers and digital rights advocates, who fear that continuous SIM-binding would threaten users’ privacy and complicate access for messaging platform users across multiple devices, especially in professional settings. Cybersecurity experts have also noted that SIM binding could face several technical hurdles during implementation.
Modus operandi of GhostPairing
WhatsApp lets users access chats on their laptop or tablet by linking the device to the app on their phone. Currently, there is no limit to how many devices can be linked to a WhatsApp account.
Users can link a device to their WhatsApp account by either scanning a QR code or entering the code displayed on the device they want to connect. CERT-In has said that the emerging malicious WhatsApp account takeover campaign known as GhostPairing begins with victims receiving a message from a trusted contact that reads: “Hi, check this photo”.
– The message contains a link with a Facebook-style preview.
– The link leads to a fake Facebook viewer that prompts users to “verify” to see the content.
– Then, the attackers attempt to trick potential victims into entering their phone number and the pairing code.
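The steps above describe a lure message, a link to a fake Facebook viewer, and a page that asks for a phone number and pairing code. As an added illustration of the kind of monitoring the organisational recommendations later in the piece call for (this is example code written here, not part of the CERT-In advisory or any WhatsApp tooling), the script below scores chat messages and landing-page text against that pattern. The sample messages and the lookalike domains are constructed; the registrable-domain helper is a deliberate simplification (last two labels) that a production deployment would replace with a Public Suffix List lookup.

```python
"""Added example, not from the advisory: flag messages and pages matching the
GhostPairing lure pattern (lure phrase + Facebook-lookalike link + pairing-code prompt)."""
import re
from urllib.parse import urlparse

# Phrases reported for the lure message and the fake viewer page.
LURE_PHRASES = ("check this photo", "look at this photo")
PAIRING_PROMPTS = ("pairing code", "enter the code", "link a device", "linked devices")
# Domains Facebook legitimately serves from (assumption: list is illustrative, not exhaustive).
LEGIT_FACEBOOK_DOMAINS = {"facebook.com", "fb.com", "fb.me", "fbcdn.net"}
BRAND_TOKENS = ("facebook", "fb-", "fb.")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the host."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_facebook_impersonation(url: str) -> bool:
    """True when the host carries a Facebook brand token but is not a Facebook domain."""
    host = (urlparse(url).hostname or "").lower()
    if registrable_domain(host) in LEGIT_FACEBOOK_DOMAINS:
        return False
    return any(token in host for token in BRAND_TOKENS)


def extract_urls(text: str) -> list:
    # Strip trailing punctuation that often sticks to pasted links.
    return [u.rstrip(".,);]") for u in URL_RE.findall(text)]


def assess_message(text: str) -> dict:
    """Score a chat message: lure phrase counts 1, lookalike link counts 2."""
    lowered = text.lower()
    urls = extract_urls(text)
    reasons = []
    score = 0
    if any(p in lowered for p in LURE_PHRASES):
        score += 1
        reasons.append("lure phrase")
    lookalikes = [u for u in urls if looks_like_facebook_impersonation(u)]
    if lookalikes:
        score += 2
        reasons.append("facebook-lookalike link")
    return {"urls": urls, "lookalikes": lookalikes, "reasons": reasons,
            "suspicious": score >= 2}


def page_solicits_pairing(page_text: str) -> bool:
    """True when a page asks for a phone number together with a pairing/linking prompt."""
    lowered = page_text.lower()
    return "phone number" in lowered and any(p in lowered for p in PAIRING_PROMPTS)


# Constructed samples for demonstration only.
SAMPLE_MESSAGES = [
    "Hi, check this photo https://facebook.com.view-photo.example/v/1",
    "Photo from last week: https://www.facebook.com/photo.php?fbid=1",
    "Hi, check this photo",
]
SAMPLE_PAGE = "Verify to view this content. Enter your phone number and the pairing code shown in WhatsApp."

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(assess_message(m))
    print("page solicits pairing:", page_solicits_pairing(SAMPLE_PAGE))
```

A lure phrase alone is not enough to alert on (the first recommendation in the advisory is that the message comes from a known contact, so the text itself looks benign); the combination with a lookalike host, or a landing page that asks for a pairing code, is what distinguishes this campaign from ordinary photo sharing.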
“By following a short, seemingly harmless sequence of steps, victims unknowingly grant attackers full access to their WhatsApp accounts, without any password theft or SIM swapping,” CERT-In said in its advisory.
Once the WhatsApp account is successfully linked to the attacker’s device, threat actors can access all chats and features available in the web version of WhatsApp. This includes reading existing messages, receiving new messages in real time, and viewing photos, videos, and voice notes.
Attackers can also impersonate victims and send messages to their contacts and group chats, as per the nodal cybersecurity agency.
What steps can users take to protect themselves?
CERT-In has recommended the following actions to mitigate risks associated with account compromise or takeovers:
For individual users:
– Do not click suspicious links even if they come from known contacts.
– Never enter your phone number on external sites claiming to be WhatsApp/Facebook.
– Check Linked Devices regularly in WhatsApp. You can do this by clicking on WhatsApp > Settings > Linked Devices. If you see any device you don’t recognise, log out the session immediately.
For organisations using WhatsApp:
– Provide security awareness training focused on messaging app attacks.
– Enforce mobile device management (MDM) where applicable.
– Monitor for indicators of phishing and social engineering.
– Establish protocols for rapid detection and remediation.