
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) announced Friday that attackers affiliated with Russian intelligence agencies are conducting a phishing campaign to compromise commercial messaging applications (CMAs) such as WhatsApp and Signal and take control of the accounts of individuals with high intelligence value.
“This campaign targets individuals of high intelligence value, including current and former U.S. government officials, military personnel, politicians, and journalists,” FBI Director Kash Patel said in a post on X. “Globally, this effort has resulted in unauthorized access to thousands of personal accounts. Once attackers gain access, they can view messages and contact lists, send messages as victims, and conduct additional phishing from a trusted identity.”
CISA and the FBI said the operation has compromised thousands of personal CMA accounts. It is worth noting that this attack targets the victim's account through social engineering; it does not exploit any vulnerability in the platform or break the platform's encryption.
Although the agency did not attribute this activity to a specific threat actor, previous reporting from Microsoft and the Google Threat Intelligence Group linked these campaigns to multiple Russian-aligned threat clusters tracked as Star Blizzard, UNC5792 (also known as UAC-0195), and UNC4221 (also known as UAC-0185).
In a similar warning, the Cyber Crisis Coordination Center (C4), part of France’s National Cyber Security Agency (ANSSI), warned of a surge in attack campaigns targeting instant messaging accounts associated with government officials, journalists and business leaders.
“Successful attacks like these could allow a malicious attacker to access conversation history or take control of a victim’s messaging account to send messages impersonating the victim,” C4 said.
The ultimate goal of this campaign is to give the attacker unauthorized access to the victim's account, allowing the attacker to view messages and contact lists, send messages on the victim's behalf, and even exploit trust relationships to perform secondary phishing against other targets.
As German and Dutch cybersecurity agencies recently warned, this attack involves an adversary approaching a target under the guise of “Signal Support” and prompting them to click on a link (or alternatively scan a QR code) or provide a PIN or verification code. In both cases, the social engineering scheme allows the attacker to gain access to the victim’s CMA account.
However, this campaign has two different outcomes for victims depending on the method used.
If the victim provides a PIN or verification code to the threat actor, the attacker uses that code to recover the victim's account, and the victim loses access to it. Although the attacker cannot read past messages this way, the method can be used to monitor new messages or to impersonate the victim when messaging others.
If the victim instead clicks the link or scans the QR code, a device under the threat actor's control is linked to the victim's account, giving the attacker access to all messages, including previously sent ones. In this scenario the victim retains access to their CMA account, and the attacker's device remains linked until it is explicitly removed from the app's linked-device settings.
To better protect against this threat, we recommend that users never share their SMS code or verification PIN with anyone, be cautious if they receive an unexpected message from an unknown contact, verify links before clicking them, and regularly review linked devices and remove any that appear suspicious.
“Like all phishing attacks, these attacks rely on social engineering, where attackers impersonate trusted contacts or services (such as the non-existent ‘Signal Support Bot’) to trick victims into handing over their login credentials or other information,” Signal said in a post on X earlier this month.
“To prevent this, please remember that the Signal SMS verification code is only required the first time you sign up for the Signal app. We also want to emphasize that Signal support *never* initiates contact via in-app messages, SMS, or social media asking for a verification code or PIN. If someone asks for a Signal-related code, it’s a scam.”
