Russian state hackers are engaged in a large-scale global cyber campaign to gain access to Signal and WhatsApp accounts belonging to dignitaries, military personnel and civil servants. The Dutch intelligence and security services MIVD and AIVD can confirm that targets and victims of the campaign include Dutch government employees. The Dutch services also believe that other persons of interest to the Russian government, such as journalists, may possibly be targeted by this campaign.
I just had a quick look, it appears to be mostly a targeted attack based on social engineering.
A good reason to only use usernames.
This might seem stupid but they might just want to prevent users from naming themselves Signal Support, or any variant of that.
This is nearly impossible.
A phisher will always find some combination of letters that is “allowed” and still tricks people into believing they are Signal.
I will add my two cents here:
Attack method one:
At this point I don’t think Signal can do much more against such attacks. These are so standard and easily recognizable.
There are two “Signal Service” channels, one called “Note to self”, the other “Signal”, and both have a fat blue tick next to them that only official Signal channels are able to have.
Besides the fact that it is easily spotted which channel/contact belongs to the actual Signal service and which one is fake, no service in the history of tech ever tried to ask us for credentials in its own chat.
If people still fall for this exact attack it is a lack of critical thinking and education.
Attack method two:
And here we are with bad design choices. The well-known QR-codes.
The problem with these QR-codes is that they are not only used for logging in or logging in on a different device.
For example, I can send you my Signal username/Signal user link via a QR-code instead of the username or link. This is an officially supported feature of Signal.
Now if someone wants to add me they need to/can scan this QR-code with Signal itself.
If I now send the QR-code for a new device login instead of the QR-code for my username, a potential victim will fall for this pretty easily.
It’s a cat and mouse game but they could at least try.
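To make the QR-swap concrete from the defender's side, here is an added illustration (not code from the thread, and not Signal's own): a scanner that first works out what a decoded QR payload would do, then refuses a device-linking payload whenever the camera was opened from the add-contact flow. The payload shapes (`https://signal.me/#eu/<token>` for a contact link, `sgnl://linkdevice?uuid=…&pub_key=…` for device linking) and the function names are assumptions for the example.

```python
from urllib.parse import parse_qs, urlparse

# Assumed payload shapes (not taken from the thread or from Signal's code):
#   contact/username QR : https://signal.me/#eu/<token>
#   device-linking QR   : sgnl://linkdevice?uuid=<id>&pub_key=<key>
CONTACT_HOST = "signal.me"
LINK_SCHEME, LINK_HOST = "sgnl", "linkdevice"


def classify_qr_payload(payload: str) -> dict:
    """Say what acting on a decoded QR payload would do, before doing it."""
    url = urlparse(payload.strip())
    if url.scheme == "https" and url.hostname == CONTACT_HOST and url.fragment.startswith("eu/"):
        return {"action": "contact-link", "detail": "adds a contact"}
    if url.scheme == LINK_SCHEME and url.netloc == LINK_HOST:
        uuid = parse_qs(url.query).get("uuid", ["?"])[0]
        return {"action": "device-link",
                "detail": f"would link a NEW device (uuid={uuid}) that can read your messages"}
    return {"action": "unknown", "detail": "is not a recognised Signal QR"}


def accept_scan(payload: str, context: str) -> tuple:
    """Accept a scan only if it matches the screen the user is on.

    context is the UI flow that opened the camera: "add-contact" or "link-device".
    A device-link payload reached from the add-contact flow (for example a QR image
    received in a chat) is exactly the swap the attack relies on, so it is refused
    with an explanation instead of being acted on.
    """
    result = classify_qr_payload(payload)
    expected = {"add-contact": "contact-link", "link-device": "device-link"}.get(context)
    if expected is None:
        return False, f"unknown scan context {context!r}"
    if result["action"] == expected:
        return True, result["detail"]
    doing = "adding a contact" if context == "add-contact" else "linking a device"
    return False, f"refused: this QR {result['detail']}, but you were {doing}"


if __name__ == "__main__":
    # Constructed sample payloads, not real Signal tokens.
    for payload in ("https://signal.me/#eu/AbCdEf", "sgnl://linkdevice?uuid=1234&pub_key=QUJD"):
        print(payload, "->", accept_scan(payload, "add-contact"))
```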
They already did something.
I should have mentioned that in this post. All official Signal channels in Signal itself are marked with a big fat blue tick that normal users cannot get.
There are two official Signal chats from Signal. “Note to self” and “Signal”. Both have this exact mark.
Instead of blacklisting all possible names someone could think of for a Signal employee, they just marked Signal's official chats with something that a normal user cannot do.