Why in the news?
India’s cyber security agency, CERT‑In, issued an advisory about a new scam called GhostPairing. Fraudsters exploit WhatsApp’s device‑linking feature to pair victims’ accounts with their own devices without consent. The alert prompted the public to scrutinise links shared over messaging apps and raised concerns about rising digital fraud.
Background
WhatsApp allows users to link their accounts to multiple devices by scanning a QR code or entering a verification code. This feature is designed to help users access chats on computers or tablets. However, scammers are leveraging social engineering to secretly pair devices and gain full access to victims’ conversations, contacts and OTPs.
Modus operandi
- Fraudsters send a seemingly harmless message such as “Check this photo” or “See this video” with a link. The link opens a fake website pretending to be a Facebook picture viewer.
- The site asks the target to enter their phone number and the one‑time password (OTP) received via WhatsApp. When the victim enters these details, the attacker’s device gets authorised as a linked device.
- Once linked, the attacker can read and send messages from the victim’s account, request money from contacts, intercept OTPs and even enable multi‑device mode to remain undetected.
- Attackers may also combine this with SIM‑swap fraud to bypass two‑factor authentication on banking and UPI apps.
Prevention and response
- Never click on suspicious links or enter your phone number/OTP on external websites, even if the message appears to come from a friend or family member.
- Check the “Linked Devices” section in WhatsApp settings regularly. If you see unknown devices, immediately log them out.
- Enable two‑step verification in WhatsApp. This sets up a six‑digit PIN that must be entered when registering your phone number on a new device.
- Be cautious of calls or messages that ask you to perform urgent actions. When in doubt, verify with the sender via a separate call or message.
- The Department of Telecommunications has proposed continuous SIM binding for digital wallets and UPI apps. While privacy concerns remain, the proposal aims to prevent SIM‑swap fraud by deactivating linked apps when a SIM is changed.
- Organisations should conduct regular security awareness sessions, implement strict device management policies and establish rapid incident‑response mechanisms.
Source: The Indian Express – “GhostPairing scam uses WhatsApp’s device‑linking feature, CERT‑In warns”; Department of Telecommunications directives on SIM binding.