When we think about applications like Signal or WhatsApp we usually immediately associate them with the idea of privacy. Both are built on a very clear promise: end-to-end encryption prevents third parties, including the companies themselves, from reading users’ messages. This security model has made millions of people trust these platforms for personal, professional and even sensitive conversations. However, that protection does not mean that accounts are completely safe. The Dutch intelligence services have now warned of a global campaign that seeks to compromise accounts of these applications without using malware or exploiting technical flaws.
The objectives. The military intelligence service (MIVD) and the general intelligence and security service (AIVD) indicate that the attacks seek to access accounts belonging to dignitaries, public officials and military personnel. Authorities also acknowledge that Dutch Government employees have been both targets and victims of these attempts. In addition, the report indicates that other profiles that may be of interest to the Russian Government, such as journalists, could also be among the recipients of this type of attack.
Social engineering instead of spyware. Unlike other episodes of digital espionage that have affected messaging services in the past, the campaign described by the Dutch services does not rely on malware or the exploitation of technical flaws. The report explains that attackers mainly use phishing and social engineering techniques to gain access to accounts. This difference is relevant when compared to tools like Pegasus, the famous spy software capable of infiltrating mobile phones. In this case, the goal is not to compromise the phone system, but rather to take advantage of the user’s behavior to take control of their account or link a foreign device.
“Account take-over”. One of the methods is direct takeover of the account. The attackers, they explain in the report, pose as the official support team of the application and send messages to the victim alerting them of alleged suspicious activities, possible data leaks or attempts to access their account. From there they request that the user complete a verification process and share the code they receive by SMS, as well as the PIN configured in the application. If the victim provides this data, the malicious actor can take control of the account and reassociate it with a number under their control.
The trick of QR and linked devices. The report also describes a second access route that does not necessarily imply that the victim loses immediate control of their account. In this case, attackers use social engineering techniques to convince the user to scan a QR code or click on a seemingly legitimate link, for example under the guise of joining a chat group. That QR or link may be designed to link the attacker’s device to the victim’s account using the apps’ linked device features. Once connected, the attacker can access the conversations and, depending on the platform and access mode, see messages in progress or even part of the history, in addition to being able to send messages on behalf of the user.
What the intelligence services recommend. The report also includes several practical recommendations to reduce the risk of these types of attacks. Authorities warn that you should never share verification codes or your account PIN through messages, even if the request appears to come from the app’s support service. They also recommend distrusting links or QR codes sent by unknown contacts and always verify these requests through another channel before interacting with them. Another important measure is to periodically review the list of devices linked to the account and remove any devices that are not recognized. The document also adds other useful measures, such as activating the registration block in Signal and notifying contacts by another means if there is a suspicion that the account has been compromised.
Images | BoliviaIntelligent | Also AY
In WorldOfSoftware | That they can hack a mobile phone just by entering a website is scary. If that mobile phone is also an iPhone, it’s terrifying
