A new and refined scam dubbed “Ghost Pairing” is making the rounds on WhatsApp, putting millions of users at risk of account takeover.Unlike previous methods relying on stolen one-time passwords or SIM swaps, this scheme exploits a device-linking feature to gain access to accounts without those common security measures [[2]]. Cybersecurity experts warn that the scam’s effectiveness lies in its ability to appear legitimate, frequently enough originating from compromised contacts and prompting users to enter verification codes on fraudulent websites [[1]].
- A new scam is circulating on Whatsapp.
- Victims receive messages with a link to alleged photos and are prompted to enter their phone number.
- Those who enter the requested verification code lose control of their Whatsapp account.
A new scam targeting Whatsapp users is gaining traction, prompting warnings about potential account takeovers. The scheme involves unsolicited messages containing a link purportedly leading to photos, but instead directs users to a malicious website.
Upon clicking the link, users are asked to input their phone number and then confirm a verification code – a code legitimately sent by Whatsapp. However, entering this code grants attackers control of the user’s account. This latest threat underscores the growing sophistication of phishing attacks and the importance of vigilance when interacting with unexpected messages.
Ghost Pairing: The Method Behind the Attack
The attack leverages a Whatsapp feature designed for device linking, typically used to access the platform on devices like laptops. Cybersecurity firm Gen Digital has identified the technique, dubbed “Ghost Pairing,” as a key component of the scam. Instead of requiring a QR code for linking, the scam bypasses this security measure by only requesting the user’s phone number.
Victims are directed to a phishing page where they are prompted to enter their number, then receive a Whatsapp verification code. Once entered on the fake site, the account is linked to the attacker’s device. This allows the scammer full access to the victim’s messages, media, and the ability to send messages under the victim’s name, potentially extending the scam to their contacts.
Apparent Sender Credibility is a Key Tactic
The scam is particularly effective because messages often appear to originate from a trusted contact. In many cases, the sender’s account has already been compromised, lending a false sense of security to the link. This tactic significantly increases the likelihood of users falling victim to the scheme. Gen Digital notes this is a primary reason for the scam’s success.
The following web addresses have been identified as being used by the scammers:
Photobox.life
Postsphoto.life
Yourphoto.life
Photopost.live
Yourphoto.world
Top-foto.life
Fotoface.top
Facesworld.life
Users should immediately delete and avoid clicking on any messages containing these URLs. Furthermore, individuals should never share verification codes, as Whatsapp only sends these codes during new device registrations. Receiving an unsolicited code should be treated as a major red flag.
Have you or someone you know been affected by cybercrime?
Here you can find help:
Reporting Agencies:
Educational Resources:
Jonas Bucher is Deputy Head of the News Desk at 20 Minutes, with 25 years of experience in the media industry.
