Applications like Signal and WhatsApp are synonymous with privacy, with their core promise being end-to-end encryption that prevents any third parties, including the companies themselves, from accessing users’ messages. While this security model has earned the trust of millions for personal and sensitive conversations, it does not imply total safety. Recently, the intelligence services of the Netherlands issued a warning about a global campaign aimed at compromising accounts on these platforms—without relying on malware or exploiting technical vulnerabilities.
The Objectives of the Attacks
The military intelligence service (MIVD) and the general intelligence and security service (AIVD) report that the attackers target accounts of dignitaries, public officials, and military personnel. The Dutch government has identified its employees as both targets and victims of these operations. Other profiles of interest for the Russian government include journalists and activists, highlighting the broader implications of this threat beyond governmental figures.
Social Engineering Instead of Spyware
Unlike previous espionage incidents involving messaging services that utilized spyware like Pegasus, this campaign relies primarily on phishing and social engineering techniques. The objective isn’t to infiltrate mobile systems but to manipulate user behavior to gain access to their accounts or to link a foreign device to them.
Account Takeover Techniques
One prominent method employed is direct account takeover. Attackers impersonate the official support teams of the messaging apps, sending messages that warn victims of supposed suspicious activity or data leaks. They often request users to verify their identity by sharing verification codes received via SMS, as well as the account PIN. If successful, this leads to the account being controlled by malicious actors, who can then associate it with their own number.
The QR Code and Linked Devices Trick
A secondary method involves social engineering techniques that convince users to scan a QR code or click on seemingly legitimate links, often disguised as invitations to join a chat group. These codes or links can link the attacker’s device to the victim’s account using the app’s linked device features. Once connected, attackers can access conversations, view ongoing messages, and in some cases, send messages as if they were the user.
Recommendations from Intelligence Services
The report emphasizes several practical recommendations to mitigate these attack risks. One key piece of advice is never to share verification codes or your account PIN via messages, as this could expose your account to unauthorized access. Users are also advised to avoid unexpected links or QR codes from unknown contacts and to verify such requests through a different communication channel if possible. Regularly reviewing linked devices and removing any unrecognized devices is crucial. Additional protective measures include activating the registration block feature in Signal and notifying contacts through alternative methods if account compromise is suspected.
Images | BoliviaIntelligent | Also AY
In Xataka | The potential to hack mobile phones merely by visiting a website remains a concerning reality, raising further alarms about cybersecurity threats.