
When clicked, victims are redirected to a counterfeit Facebook login page, where unwitting submission of credentials enables attackers to exploit WhatsApp’s device-linking feature and seize complete control of personal chats, media, and contacts.

This article examines the technical mechanics of the scam and provides guidance on defensive measures.
How the Phishing Campaign Operates
The attack leverages WhatsApp’s inherent trust in messages from known contacts. After receiving the prompt and URL (e.g., photobox.life/login/post.com.cz5), victims navigate to the spoofed Facebook authentication portal.

Although the page’s design mimics Facebook’s real login interface, complete with a country selector and telephone-number input fields, the domain is maliciously registered, and SSL certificates are either self-signed or obtained from free issuers, offering minimal assurance of legitimacy.
Once credentials are entered, they are captured by the attacker’s server. In the background, the scam script triggers an account-linking routine:
- Device Linking Exploit: WhatsApp’s multi-device beta protocol enables new devices to pair by scanning a QR code within an active session. The phishing page prompts victims to scan a QR code, ostensibly for “photo access,” but in reality transmits a device-link request to the attacker.
- Session Hijack: The attacker’s device, now linked, receives a copy of the encrypted messages and media. Because WhatsApp employs end-to-end encryption, the initial device pairing process authenticates both endpoints’ long-term keys, granting the attacker full decryption rights without alerting the user’s network.
- Propagation: With hijacked access, attackers disseminate the same phishing bait to everyone in the victim’s address book, vastly amplifying reach.
Technical Details Behind Device Linking
WhatsApp multi-device beta uses the Signal Protocol’s double ratchet and secure pairing via Elliptic Curve Diffie-Hellman (ECDH). During legitimate pairing, a unique QR code encodes the new device’s public key and a session identifier, encrypted under the primary device’s long-term identity key.
The phishing page replicates this process by embedding a QR code that, when scanned, directs the victim’s client to register the attacker’s session key on WhatsApp’s servers.
This covert key exchange remains invisible to the user, as WhatsApp does not notify the primary account holder of additional logged-in devices, except for an icon in Settings → Linked Devices.

Because WhatsApp does not currently differentiate between trusted and untrusted device links at the protocol level, the scam takes advantage of this gap. Attackers can browse chat history, send messages, extract media, and exfiltrate contact lists without triggering any obvious security warning.
Mitigation and Best Practices
- Verify Unexpected Links: Always confirm with the sender via an alternate channel before clicking.
- Inspect Domains: Genuine Facebook logins appear on facebook.com; any deviation from this pattern signals potential fraud.
- Monitor Linked Devices: Regularly review Settings → Linked Devices and immediately revoke any unfamiliar entries.
- Use Two-Step Verification: Enable WhatsApp’s PIN-based two-step verification under Settings → Account → Two-step verification for an additional authentication layer.
- Stay Updated: Keep WhatsApp up to date to benefit from forthcoming security enhancements, including improved device-link notifications and anomaly detection.
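The "Inspect Domains" advice above, as an added example that is not part of the original article: a Python check that decides whether a link's real host is facebook.com, including the cases where the trusted name appears only in a subdomain, the userinfo part, or the path. The function name `check_login_url` and the single trusted domain are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only facebook.com and its subdomains are genuine.
TRUSTED_DOMAIN = "facebook.com"


def check_login_url(url):
    """Return (trusted, reason) for a link that claims to be a Facebook login."""
    # Links pasted into chats often lack a scheme; add one so the host is parsed.
    if "://" not in url:
        url = "https://" + url
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "malformed URL"
    if not host:
        return False, "no host in URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None:
        # Everything before '@' is userinfo, not the site being contacted.
        return False, "userinfo before '@' hides real host " + host
    if not host.isascii() or "xn--" in host:
        return False, "internationalised host, possible look-alike letters"
    # Exact match or a dot-separated subdomain; 'notfacebook.com' must not pass.
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return True, "host " + host + " belongs to " + TRUSTED_DOMAIN
    if TRUSTED_DOMAIN in url.lower():
        return False, "trusted name appears in URL but real host is " + host
    return False, "host " + host + " is not " + TRUSTED_DOMAIN


# The first URL is the one quoted in the article; the rest are constructed samples.
SAMPLES = [
    "photobox.life/login/post.com.cz5",
    "https://www.facebook.com/login",
    "https://facebook.com.photobox.life/login",
    "https://facebook.com@photobox.life/login",
    "https://notfacebook.com/login",
    "http://facebook.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_login_url(sample)
        print("OK   " if trusted else "BLOCK", sample, "->", reason)
```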
By exercising caution with unsolicited links, scrutinizing domain authenticity, and proactively managing linked devices, users can thwart this emergent WhatsApp hijacking scam and safeguard their private communications.
The post WhatsApp Security Threat – New Scam Lets Hackers Hijack Your Private Chats appeared first on Cyber Security News.
