Signal issues scam warning to users after hackers target officials
Source: BBC Technology
Overview
Signal has warned users to look out for signs of scams after Dutch intelligence said high‑profile users of the secure messaging app were being targeted by hackers.
Dutch cybersecurity agencies said on Monday a Russia‑backed campaign had targeted individual users of Signal, as well as WhatsApp. Hackers posed as support staff to try to obtain details that would give them access to accounts or hijack linked devices – with Dutch officials, military staff and civil servants among those targeted in the “global” campaign.
Signal says its systems remain secure but it is taking reports of such activity “very seriously”.
The campaign was identified by Dutch intelligence agencies, the Military Intelligence and Security Service (MIVD) and General Intelligence and Security Service (AIVD). In a press notice the agencies said the “large‑scale global cyber campaign” appeared to target people of interest to the Russian state, such as government officials and journalists.
“It is not the case that Signal or WhatsApp as a whole have been compromised. Individual user accounts are being targeted,” said Simone Smit, AIVD director‑general.
“These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.”
The phishing attacks attempt to convince users to part with passcodes, money or identity details, often by impersonating customer support agents, friends, family or celebrities. In the campaign identified by Dutch intelligence agencies, hackers pretended to be Signal Support to try and get people to share account details.
User advice
-
When creating a Signal account, users are asked to secure it with a PIN code – something that should never be shared with anyone.
-
Users should also not share verification codes messaged to their phone number.
-
WhatsApp gives similar advice, warning users not to share the six‑digit codes used to secure their account.
“Human bugs”
Signal has stressed that while they have protections in place, “user vigilance” is the best way to combat phishing attempts.
“Security features are being weaponised against the users,” said Muhammad Yahya Patel, cybersecurity advisor at Huntress.
“In the past, hackers looked for bugs in code. Now, they are looking for human bugs in how humans interact with apps.”
Patel noted that convenient features such as letting users access their account on other devices via QR codes, or regain access with text verification codes, have become “primary attack vectors being used by criminals”. He urged people to regularly check devices linked to their account in settings to ensure no one else can access their messages.
He also warned that using an app with end‑to‑end encryption (E2EE) does not mean “total security”. E2EE protects the content of messages, but “this type of encryption can’t protect the account and device if it becomes compromised.”
Dutch intelligence services believe Russia targeted Signal because its reputation as a highly secure app has made it popular with officials seeking to communicate securely. However, this popularity also makes the app “the ideal place for malicious actors” to try and capture sensitive information.
“Despite their end‑to‑end encryption option, messaging apps such as Signal and WhatsApp should not be used as channels for classified, confidential or sensitive information,” said MIVD director Peter Reesink.