A large-scale phishing wave is currently underway in Germany against politicians, journalists, diplomats and military personnel. Because Signal’s end-to-end encryption delivers what it promises, the attackers rely on the art of persuasion to get Signal users to hand over their access credentials. Sometimes this works, as in the case of the woman holding the second-highest office in the state. The attackers then assume the stolen identity and use this guise to spy on the victim’s contacts. Now the foundation that runs Signal is speaking out.
“First and foremost, it is important to be precise when it comes to critical infrastructure like Signal,” writes the Signal Foundation on Mastodon. “Signal has not been ‘hacked’ – the application’s encryption, infrastructure, and integrity of the application’s program code have not been compromised.” In the ongoing phishing campaign, the attackers pose as “Signal Support”; to do this, they create ordinary Signal accounts and then change the profile name and picture.
They then use manipulative messages to get the target person to hand over their access credentials. This so-called social engineering has countless variations. It usually exploits human traits such as helpfulness, trust, fear or respect for authority – in this case, trust in the supposed Signal support. Such attacks on the human factor “burden every widely used messaging app as soon as it reaches Signal’s size,” the foundation notes.
Measures in progress
“In the coming weeks,” Signal is expected to see a number of changes “that will help thwart these types of attacks.” The foundation is not yet revealing what those will be. The underlying problem, that attackers talk some users into unlocking the front door when there is no back door, affects all platforms.
Signal cannot say exactly what the individual manipulative messages contain, because the messages are end-to-end encrypted. But there are reports from victims and targets. According to these, the perpetrators use the phished access credentials to take over the target person’s Signal account and change the linked phone number. This de-registers the original account.
Remedy against re-registration
Of course, the perpetrators know this, which is why they make their victims believe in advance that de-registration is normal and to be expected. The perpetrators advise the target person to simply register again afterwards. The victims do so, believing they are logging back into their old account – in fact, they have simply created a new Signal account. The perpetrators control the old account and exploit the trust that third parties place in it to collect information, especially about existing contacts and group chats. The original victim notices none of this, which is why it is unclear how many people are affected.
“Please remain vigilant against phishing and account takeover attempts,” the statement concludes. “Keep in mind that Signal support will never ask for your registration code or Signal PIN. For additional security, you can enable registration lock in your Signal settings (under “Account”).” The prerequisite is to set up a Signal PIN (personal identification number).
The optional registration lock requires entry of the PIN whenever a phone number registered with Signal is to be used to register on another device. The lock only expires when the original device has not used Signal for a week.
Am I affected?
The attacks are not only carried out against people in the Federal Republic; members of the government of the Netherlands, for example, are also affected. The attackers are believed to be Russian spies. Financial motives such as personal enrichment are not known.
For the purpose of counter-espionage, the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have jointly published a guide intended to help potential victims quickly find out whether they have been successfully attacked. Meanwhile, the Federal Public Prosecutor’s Office is investigating; there is no end to the attacks in sight.
(ds)
