Phishing attack: Numerous journalists targeted in attack via Signal Messenger

Journalists have increasingly been targeted by a well-known phishing attack on the Signal messenger service in recent days and weeks, according to reporting by netzpolitik.org. Dozens of (investigative) journalists, some of them prominent, at public television stations and several large and small media outlets, including Die Zeit, Correctiv, and netzpolitik.org, have been affected. Furthermore, individual high-profile representatives of civil society, including lawyers, were hit by the attack.

Netzpolitik.org has not yet been able to find any victims of the attack outside of these categories. This suggests a targeted phishing attack on specific phone numbers, but is not proof of such an attack.

“We have seen early indications that journalists, politicians, and civil society members in Germany and across Europe have been targeted.” Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, confirmed to netzpolitik.org.

“This Signal phishing campaign appears to be highly active,” Ó Cearbhaill said. According to the security expert, it is unclear how often the attacks were successful, but the spread of the campaign appears to be fueled by stolen address book entries collected from previous victims.

How does the attack work?

In the campaign, attackers send a Signal message, pretending to be “Signal Support” and claiming that there has been suspicious activity on the mobile phone and an attempt to access private data. For this reason, those affected must go through the Signal verification process again and send the verification code to a “Signal Security Support ChatBot”, the fraudulent messages claim. The earliest victims of the attack identified by netzpolitik.org were contacted in November. The first publicly known reports of the attempted attacks were published in October by Citizen Lab researcher John Scott-Railton.

The request from the fake support account reads as follows:

Dear User, this is Signal Security Support ChatBot. We have noticed suspicious activity on your device, which could have led to data leak. We have also detected attempts to gain access to your private data in Signal. To prevent this, you have to pass verification procedure, entering the verification code to Signal Security Support Chatbot. DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES.

If this chat request is accepted, victims receive a text message containing a verification code on their cell phone, as one victim confirmed to netzpolitik.org. This is apparently a genuine verification code from Signal. It indicates that immediately after accepting the chat request, the attackers attempt to re-register an account with the cell phone number.

If this verification code is passed on to the fraudulent “Signal Support”, the attackers may register a new account. Additionally, Signal accounts are protected with a Signal PIN, which is a second security layer in addition to the verification code delivered by SMS. If the attackers do not know this PIN, they cannot see contacts, groups, or content.

However, if the Signal PIN is passed on to the attackers, they can gain access to the user’s profile and contacts. Although they cannot see past chats, they can lock out the legitimate user by changing the Signal PIN and then activating the registration lock. This would allow attackers to take over the account permanently – other users in chats or groups would only notice that the security number has changed.

Possible target: Spying on political networks and sources

Afterwards, chat groups can be accessed, and the contacts and networks of those affected can be identified. In the case of journalists, for example, this could reveal sources who communicate with journalists in a confidential and encrypted manner. In the case of activists, political networks and contacts could be exposed. In the course of a permanent account takeover, the attacker can also read all communication content accumulated since the takeover.

None of the victims known to netzpolitik.org went further than accepting the chat and receiving the verification SMS.

However, an attacker with internal access to the operator’s mobile network infrastructure could intercept the verification codes sent by SMS and would not need to request them. To gain full access to the account, they would also have to request the Signal PIN. Netzpolitik.org was not able to identify who is behind the attack, based on the information available.

How can you protect yourself?

“These attacks do not exploit a vulnerability in the Signal application itself. Signal remains one of the most secure and widely used encrypted messaging apps,” said Donncha Ó Cearbhaill, the Amnesty International security expert.

A Signal spokesperson told netzpolitik.org: “Signal will never contact you in any way via a two-way chat within the app.” In addition, users should activate the registration lock. This can be done under “Settings” -> ‘Account’ and then activating the slider for “Registration lock.” Signal also stresses: “Never share your Signal PIN or registration lock with anyone else.”

Users who receive a message from a previously unknown account with the content described above or similar content, should report the incoming message and then click “report and block.” Under no circumstances should users follow the instructions: Signal would never contact users in this manner.

If a message appears in chats stating that a contact’s security number has changed, this often just means that they bought a new cell phone. Nevertheless, in such situations, users should always ask the contact in question why their security number has changed using a channel other than the Signal text chat.

A phone call or, even better, a video call is usually suitable to verify a changed security number. It is also advisable to display all devices connected to Signal and delete those that are no longer needed.

If you have been the target of this attack, have lost access to your Signal account in this way, or have further information and clues about this attack, please contact us confidentially for further investigation and research.