Monday, December 22, 2025

GhostPairing scam enables silent access to WhatsApp accounts

A new scam technique has triggered an alert for Indian WhatsApp users as attackers find ways to access accounts without stealing passwords or SIM cards. The method, known as the GhostPairing attack, tricks users into unknowingly approving an extra linked device on their WhatsApp account. Victims usually receive a short message about a photo, along with a link that looks like a Facebook-style preview and asks them to “verify” before viewing the content.

When users tap the link, they are taken to a fake viewer page designed to look familiar and trustworthy. The page does not connect to Facebook. Instead, it secretly abuses WhatsApp’s own device linking system. Victims are guided to scan a QR code or enter a numeric pairing code that appears legitimate. By completing these steps, users approve the attacker’s browser as a linked device, giving criminals full access to messages, media and contacts without changing any passwords.

Investigators first observed this campaign in Czechia, where compromised accounts sent similar photo messages to known contacts. The attack uses lookalike domains such as photobox.life, yourphoto.life and postsphoto.life, often with paths that resemble social media login pages. While QR-based linking is possible, attackers prefer numeric codes because they can be completed on a single phone and feel like a routine security check. Once linked, attackers can read chats, receive new messages, download photos and videos, and send messages as the victim, allowing the scam to spread rapidly through trusted contacts.
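For defenders who want to hunt for clicks on these lures, the following added example (not part of the original article) scans web proxy log lines for the three lookalike domains named above. The log format, user names and URL paths are constructed for illustration, and the article presents the domains as examples rather than a complete list.

```python
import re
from urllib.parse import urlsplit

# Lookalike domains named in the article (examples, not a full list).
LURE_DOMAINS = {"photobox.life", "yourphoto.life", "postsphoto.life"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def lure_host(url):
    """Return the lure domain if the URL's host is that domain or a subdomain."""
    # hostname is already lower-cased; strip a trailing root dot if present.
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in LURE_DOMAINS:
        # Match on a label boundary so "notphotobox.life" and
        # "photobox.life.example.com" are not flagged.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan(lines):
    """Return (line_number, url, matched_domain) for every hit in the log."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            domain = lure_host(url)
            if domain:
                hits.append((n, url, domain))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2025-12-20T09:14:02Z user=a.kumar GET https://photobox.life/view?id=1 200",
    "2025-12-20T09:14:09Z user=a.kumar GET https://m.YourPhoto.life./login 200",
    "2025-12-20T09:15:30Z user=r.shah GET https://notphotobox.life/ 200",
    "2025-12-20T09:16:11Z user=r.shah GET https://photobox.life.example.com/x 200",
    "2025-12-20T09:17:45Z user=p.nair GET https://web.whatsapp.com/ 200",
]

if __name__ == "__main__":
    for n, url, domain in scan(SAMPLE_LOG):
        print(f"line {n}: {url} -> {domain}")
```

A hit identifies a user who opened a lure page, not a confirmed compromise; the follow-up is to have that user review their linked devices in WhatsApp.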

Experts warn that GhostPairing is dangerous because it uses legitimate features exactly as designed and creates long-lasting access unless users manually remove unknown devices. Users are advised to regularly check Settings > Linked Devices and log out of anything unfamiliar. Any request from a website to scan a QR code or enter a WhatsApp code should be treated as suspicious. While this campaign targets WhatsApp, it also highlights broader risks in device pairing systems across platforms, where a single distracted action can quietly add a hidden device to an account.
