
New Delhi: The Computer Emergency Response Team (CERT-In), the cyber security agency of the Government of India, has flagged a sophisticated cyber threat targeting WhatsApp users, naming it the "GhostPairing" campaign.
Rated as high severity, this attack abuses the platform's device-linking capability to enable unauthorized full access to accounts, said the advisory issued by CERT-In on Friday night.
"It has been reported that malicious actors are exploiting WhatsApp's device-linking feature to hijack accounts using pairing codes without authentication requirement," the advisory said.
"This newly identified cyber campaign called GhostPairing enables cyber criminals to take complete control of WhatsApp accounts without needing password or SIM swaps," the advisory said.
Unlike traditional hacks requiring stolen credentials, GhostPairing relies on deception. The attack campaign usually begins with the victim receiving a message like "Hi, check this photo" from a "trusted" contact.
The message contains a link with a Facebook-style preview. The link leads to a "fake" Facebook viewer that prompts users to "verify" to see the content. Here, the attackers exploit WhatsApp's "link device via phone number" feature by tricking unsuspecting users into entering their phone numbers, the advisory said.
This way, the victims "unknowingly" grant the attackers full access to their WhatsApp accounts.
The 'GhostPairing' attack tricks users into granting an attacker's browser access, as an additional trusted and hidden device, by using a pairing code that looks authentic.
The advisory said that once the attacker links their device, they get almost the same access as the victim would get on WhatsApp Web.
Attackers can monitor ongoing conversations, view shared media, and impersonate the user to propagate the scam further.
They can read messages that sync to their device, receive new messages in real-time, view photos, videos and voice notes, and they can send messages to the victim's contacts and group chats, the advisory said.
CERT-In advises extreme caution with unsolicited links and external verification requests.
"Do not click suspicious links even if they come from known contacts. Never enter your phone number on external sites claiming to be WhatsApp/Facebook," the advisory said.