(Photo by Matthias Balk/picture alliance via Getty Images)
Russian state-sponsored hackers have allegedly been trying to hijack WhatsApp and Signal accounts on a global scale by tricking users into handing over their login authentication codes.
The warning comes from the Netherlands’ General Intelligence and Security Service, also known as AIVD, which issued an advisory about the “large-scale global cyber campaign” on Monday.
The intelligence agency says Russians hackers are targeting accounts “belonging to dignitaries, military personnel and civil servants"; victims include Dutch government employees.
WhatsApp and Signal are best known for using end-to-end encryption, which can prevent even the messaging services themselves from decrypting user chats. However, both apps are still susceptible to account takeovers, which can allow someone to access an account on a second phone, paving the way for a hacker to steal access and spy on messages.
"An interesting aspect of this Russian campaign is that it does not exploit any technical vulnerabilities of the messaging services," AIVD notes. "The attackers instead make malicious use of legitimate security features of the apps.”
This includes tricking users into handing over a one-time authentication code. The AIVD warned that “the most frequently observed method used by the Russian hackers is to masquerade as a Signal Support chatbot in order to induce their targets to divulge their codes. The hackers can then use these codes to take over the user’s account.”
In a tweet thread, Signal also confirmed the threat and included a screenshot of one of the phishing messages the Russian hackers allegedly sent. The message pretended to come from a non-existent “Signal Support Bot,” and claimed suspicious activity had been detected on the user’s account.
“We have also detected attempts to gain access to your private data in Signal,” the phishing message says. “To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot.”
However, Signal cautions users to never share the verification code, saying it’s “only ever needed when you are first signing up for the Signal app.” If the code is shared with the user-registered PIN number, a hacker can set up and access the user's Signal account on a second phone.
Signal added: “We also want to emphasize that Signal Support will never initiate contact via in-app messages, SMS, or social media to ask for your verification code or PIN. If anyone asks for any Signal-related code, it is a scam. We make this clear when users receive their SMS code during initial signup.”
The AIVD also warns that Russian hackers are gaining access to user accounts by abusing the “linked devices” feature in both Signal and WhatsApp, which lets you view your chats on a desktop PC. Russian hackers have previously been accused of exploiting the feature through phishing messages as well.