India's national cybersecurity agency has issued a critical warning to millions of WhatsApp users across the country. The Indian Computer Emergency Response Team (CERT-In) has flagged a sophisticated new method that scammers are using to hijack WhatsApp accounts. This attack cleverly exploits the platform's own 'link a device' feature, which is designed for convenience but is being weaponized by cybercriminals.
How the WhatsApp Hijacking Scam Works
The attack begins with a seemingly innocent voice or video call from an unknown international number. The caller, posing as a friend, family member, or even a technical support executive, engages the target in conversation. Their real goal is to distract the user and build a false sense of trust.
While the call is ongoing, the scammer sends a WhatsApp message containing a six-digit registration code. They then urgently request the victim to share this code, often using a fabricated story. For instance, they might claim they've accidentally sent the code to the wrong number and need it back to regain access to their own account.
The Critical Exploit: The "Link a Device" QR Code
If the victim shares the six-digit code, the scammer immediately uses it to log into the victim's WhatsApp account on a new device. This triggers the next phase of the attack. The scammer then requests the eight-digit "link a device" QR code, which appears in the victim's WhatsApp settings under 'Linked Devices'.
By obtaining this QR code, the attacker can permanently link their own device to the victim's account. This gives them full, persistent access. The legitimate user is then forcibly logged out, losing control of their WhatsApp entirely. The hijacked account can then be used to scam the victim's contacts, spread malware, or extract sensitive information.
CERT-In's Urgent Advisory and Protective Measures
CERT-In, which operates under the Ministry of Electronics and Information Technology, has outlined clear steps for users to protect themselves. The agency emphasizes that WhatsApp registration codes and QR codes are highly sensitive and should never be shared with anyone, under any circumstances.
To secure your account, users are advised to immediately enable two-step verification. This adds an extra layer of security by requiring a custom PIN when registering your phone number with WhatsApp again. The agency also recommends regularly checking the list of linked devices in the WhatsApp settings and removing any that are unfamiliar or no longer in use.
Other key recommendations from the advisory include:
- Being extremely cautious of unsolicited calls, especially from international numbers.
- Never sharing personal information, OTPs, or codes during a call.
- Reporting and blocking suspicious numbers immediately.
- Educating friends and family, particularly those less tech-savvy, about this new threat.
This alert highlights the evolving tactics of cybercriminals who are constantly finding new ways to exploit popular digital platforms. As messaging apps like WhatsApp become central to daily communication and even financial transactions in India, such security threats pose a significant risk to personal privacy and digital safety. Users must remain vigilant and treat their account credentials with the same secrecy as their bank PINs.
