Signal attacks: Signal advises caution and registration lock
The Signal Foundation responds to confusing reports about phishing in Germany and the Netherlands. It explains how the attackers operate.
A large-scale phishing wave is currently underway in Germany targeting politicians, journalists, diplomats, and military personnel. Because Signal's end-to-end encryption keeps its promises, attackers are resorting to persuasion to trick Signal users into revealing their login credentials. This sometimes succeeds, as in the case of the second-highest-ranking woman in the state. The attackers then assume the victim's identity and, under this guise, spy on the victim's contacts. Now, the foundation that operates Signal has spoken out.
“First and foremost, it’s important to be precise when it comes to critical infrastructure like Signal,” the Signal Foundation writes on Mastodon. “Signal was not 'hacked' — encryption, infrastructure, and the integrity of the application's code are not compromised.” For the ongoing phishing campaign, attackers are posing as “Signal Support”; they create normal Signal accounts and then change the profile name and picture.
Then, they attempt to trick the target person into revealing their login credentials through manipulative messages. This so-called social engineering has countless variations. It usually exploits human traits like helpfulness, trust, fear, or respect for authority – in this case, trust in the supposed Signal Support. Such attacks on the human factor “burden every widely used messaging app once it reaches the scale of Signal,” the foundation notes.
Measures in progress
In the “coming weeks,” Signal is set to undergo a series of changes “to help hinder these kinds of attacks.” The foundation has not yet revealed what these will be. The fundamental problem, that attackers can persuade some users to open the front door when there is no back door, affects all platforms.
Signal also cannot say exactly what is in the individual manipulative messages, because the messages are end-to-end encrypted. However, there are reports from victims and targets. According to these reports, the perpetrators use the obtained login credentials to take over the target person's Signal account and change the associated phone number. This leads to a de-registration of the original account.
Remedy against re-registration
The perpetrators know this, of course, which is why they try to convince their victims in advance that the de-registration is normal and to be expected. The attackers advise the target person to simply log in again. The victims do so, believing they are logging into their old account – in reality, they have simply created a new Signal account. The perpetrators control the old account and exploit the trust that third parties place in the account to gather information, especially about existing contacts and group chats. The initial victim notices none of this, making it unclear how many people are affected.
“Please remain vigilant against phishing and account takeover attempts,” the statement concludes. “Remember that no one from Signal Support will ever send you a message request or ask for your registration verification code or Signal PIN. For an added layer of protection, you can enable Registration Lock in your Signal Settings (Account -> Registration Lock).” This requires the setup of a Signal PIN (Personal Identification Number).
The optional Registration Lock requires entering the PIN when a phone number registered with Signal is to be used for registration on another device. The lock only expires if the original device has not been used for Signal for a week.
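The takeover flow described above (phished verification code, account moved to the attacker's device, phone number changed, victim unknowingly re-registering into a fresh account) and the effect of Registration Lock can be walked through in a small model. The following is an added illustration, not Signal's code or protocol: it assumes a stable account identifier (an integer here) that contacts and groups bind to independently of the phone number, a server that grants re-registration to whoever passes SMS verification unless a PIN-backed lock is active, a lock that lapses after seven days of inactivity as the article states, and constructed phone numbers and PINs.

```python
import itertools
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Assumption taken from the article: the lock lapses after a week without use.
LOCK_EXPIRY = timedelta(days=7)


@dataclass
class Account:
    aci: int                   # stable account id that contacts/groups trust
    number: str                # phone number currently bound to the account
    device: str                # device currently holding the registration
    pin: Optional[str]
    registration_lock: bool
    last_active: datetime


class SignalLikeServer:
    """Simplified registration server (modelled, not Signal's real behaviour)."""

    def __init__(self) -> None:
        self._ids = itertools.count(1)
        self.by_number: Dict[str, Account] = {}

    def register(self, number: str, device: str, now: datetime,
                 pin: Optional[str] = None) -> Tuple[str, int]:
        """Register `number` on `device`; the caller is assumed to have passed
        SMS verification (the credential the phishers talk victims into giving up)."""
        existing = self.by_number.get(number)
        if existing is not None and existing.registration_lock:
            lock_active = now - existing.last_active < LOCK_EXPIRY
            if lock_active and pin != existing.pin:
                return "rejected", existing.aci      # lock holds without the PIN
        if existing is not None:
            # Re-registering an existing number moves the whole account to the
            # new device; the previous device is implicitly deregistered.
            existing.device = device
            existing.last_active = now
            return "takeover", existing.aci
        acct = Account(next(self._ids), number, device, None, False, now)
        self.by_number[number] = acct
        return "new", acct.aci

    def enable_lock(self, number: str, pin: str) -> None:
        acct = self.by_number[number]
        acct.pin, acct.registration_lock = pin, True

    def change_number(self, old: str, new: str, device: str) -> None:
        acct = self.by_number[old]
        if acct.device != device:
            raise PermissionError("only the registered device may change the number")
        del self.by_number[old]
        acct.number = new
        self.by_number[new] = acct


def phishing_scenario(lock_enabled: bool, days_inactive: int = 0) -> dict:
    """Replay the article's flow; returns who ends up holding the original account id."""
    server = SignalLikeServer()
    t0 = datetime(2025, 1, 1)
    victim_number, attacker_number = "+4900000001", "+4900000099"   # constructed
    _, original_aci = server.register(victim_number, "victim-phone", t0)
    if lock_enabled:
        server.enable_lock(victim_number, pin="123456")               # constructed PIN
    now = t0 + timedelta(days=days_inactive)

    # The victim was persuaded to hand over the SMS code, but not the PIN.
    result, aci = server.register(victim_number, "attacker-phone", now, pin=None)
    if result == "rejected":
        return {"outcome": "blocked", "original_aci": original_aci}

    # Account moved to the attacker's device; they re-bind it to their own number.
    server.change_number(victim_number, attacker_number, "attacker-phone")

    # Told that deregistration is "normal", the victim registers again and
    # silently receives a brand-new account id; contacts still trust the old one.
    _, victim_new_aci = server.register(victim_number, "victim-phone", now)
    return {"outcome": "takeover", "original_aci": original_aci,
            "attacker_aci": aci, "victim_new_aci": victim_new_aci}


if __name__ == "__main__":
    print(phishing_scenario(lock_enabled=False))
    print(phishing_scenario(lock_enabled=True))
    print(phishing_scenario(lock_enabled=True, days_inactive=8))
```

Running the three scenarios shows the point of the advice: without the lock, the attacker ends up holding the original account id while the victim gets a fresh one; with the lock and a recently used device the re-registration is refused; and with the lock but more than a week of inactivity the lock has lapsed and the takeover goes through again, which is the caveat in the final sentence above.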
Am I affected?
The attacks are not only targeting individuals in Germany; for example, members of the Dutch government are also affected. The attackers are presumably Russian spies. No financial motive, such as personal enrichment, is known.
For espionage defense purposes, the Federal Offices for the Protection of the Constitution (BfV) and for Information Security (BSI) have jointly published a guide to help potential victims quickly determine if they have been successfully attacked. Meanwhile, the Federal Public Prosecutor's Office is investigating; an end to the attacks is not in sight.
(ds)