Signal takes threat of targeted phishing attacks very seriously

Signal has commented on the Russian phishing attacks against targets such as government officials. The incidents are taken very seriously.


On Monday of this week, the Dutch intelligence services MIVD and AIVD warned about a large-scale global espionage campaign by Russian state actors that targets the messengers Signal and WhatsApp. Signal has now commented on the matter. On social networks, the service explains its view of the situation and provides tips on how users can protect themselves.

On Mastodon, for example, the Signal developers write that they are aware of reports about targeted phishing attacks against Signal users such as government officials and journalists, through which the victims' accounts were taken over. They take this very seriously, they emphasize. “To be clear: Signal's encryption and infrastructure have not been compromised and remain robust,” they add. The attacks were carried out through sophisticated phishing campaigns designed to trick users into sharing information such as SMS codes or Signal PINs. This gives the spies access to the victims' accounts. They can then secretly link their own devices and read all messages in real time, without the victims immediately noticing the remote access.

Like all phishing attacks, these attacks are based on social engineering, Signal explains. “Attackers impersonate trusted contacts or services, such as the non-existent 'Signal Support Bot,' to trick victims into handing over their login credentials or other information,” the developers explain. To prevent this, users should remember that the Signal SMS verification code is only needed when logging into the Signal app for the first time.

Signal support will also never contact users within the Signal app, via SMS, phone call, or social networks to ask for the verification code or PIN. Anyone asking for such data is a fraudster, Signal says. Although Signal has implemented robust technical security measures, user vigilance remains the best defense against phishing. The developers intend to work on reducing these risks through the design of the user interface and prompts. Until then, Signal users should remain vigilant and never share their SMS verification code or Signal PIN with others.

The developers have also collected helpful tips for recognizing phishing and similar scams in the Signal FAQ on phishing.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.