Foreign state spies infiltrate high-profile Signal accounts without hacking: two tricks abused


State-controlled cyber spies are targeting journalists, politicians, diplomats, military personnel, and other high-ranking individuals on Signal, German authorities warn. The sophisticated phishing campaign relies on hackers impersonating official support bots to trick users into handing over account access.

Attackers are using social engineering rather than malware or technical exploits to compromise Signal and WhatsApp accounts, employing two strategies, according to a joint security advisory released by Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI).

In the first attack variant, attackers completely take over user accounts by tricking them into providing the security PIN or the verification code sent via SMS. Hackers abuse these legitimate Signal security features to register a victim’s account on an attacker-controlled device.


“The attackers pose as the official Support Team or Support Chatbot of the messenger service (e.g., "Signal Support" or "Signal Security ChatBot"). They contact their target directly via a chat message. The conversation usually starts with an alleged security warning,” the translation of the advisory reads.


Attackers create a sense of urgency by claiming the loss of private data is imminent without immediate action.

Because re-registering a number on a new device does not transfer message history, this method does not give the attacker the messages or content the victim received before the attack. It does give the threat actor the victim's contacts and every new message in individual and group chats, and the ability to send messages under the identity of the targeted person.

The second attack variant relies on linking the attacker’s device via QR code. Signal and WhatsApp allow linking devices to an existing account by scanning and confirming a QR code on the primary device.

“The attackers contact their target under a credible pretext and get them to scan a QR code. This code actually links a new device to the target's account. However, this device is controlled by the attackers,” the authorities said.


The victim keeps full access to the account, so nothing appears broken, while the attackers continuously monitor contacts and incoming messages, can read messages from the last 45 days that are synced to the newly linked device, and can send messages in the victim's name.


The victims usually do not immediately notice the stranger in their accounts monitoring communications.


“The current focus of the attacks is on the messenger service ‘Signal,’ though comparable approaches are also conceivable for ‘WhatsApp’ due to similar operating principles,” the report reads.

“Successful access to messenger accounts enables not only the viewing of confidential individual communication but also the potential compromise of entire networks via group chats.”


Signal's support never contacts users directly via Signal messages. The authorities recommend ignoring such messages, blocking and reporting accounts that impersonate Signal support or similar, and never typing a Signal PIN or SMS verification code into a chat message: these codes are only ever entered in the app's own registration screens.

Users are also advised to activate the registration lock. With it enabled, registering the phone number on another device requires the Signal PIN; without the PIN, re-registration is only possible after the account has been inactive for seven days, which blunts the first attack variant. Against the second variant, scan a QR code in Signal only when you yourself intend to link a new device, and periodically check the Linked Devices list in the app's settings, removing any device you do not recognise.

