Phishing campaign targeting Signal

The latest news making its way across the cybersecurity world is that a wave of attacks has hit, apparently as part of a coordinated phishing campaign targeting Signal.

Signal is a messaging application that has gained some measure of notoriety in recent years as one of the go-to choices for secure, encrypted communication that is difficult for external agencies to monitor. That same reputation also makes it one of the more desirable messaging services for various actors to compromise, because of the potential value of the communications stored there.

The current spate of phishing attacks takes advantage of the new backup features, which let people recover their Signal messages even if their phone is lost or damaged, where previously the messages would have been lost. Signal has stated in its communications that it intended the backups to be secure, but as with all things, security can fail when human error is involved.

What does the attack look like?

The phishing text arrives from an account named “Signal Support,” a name any user can freely choose, since Signal does not verify profile names, and opens with an urgent warning: the victim’s account data faces “permanent loss due to a sync issue.” It then provides step-by-step instructions directing the target to navigate to the 64-character recovery key and paste it directly into the chat. The message closes with a threat: failure to comply “may result in losing access to your account and all stored data.”

As you may note, this ticks every warning box. The sender uses perceived time pressure to induce an immediate, unconsidered action from the recipient. The sense of urgency is also meant to mask inconsistencies in the message source.

The security of Signal’s backup relies on a “zero-knowledge” architecture: the 64-character recovery key is generated and stored exclusively on the user’s device and is never transmitted to Signal’s servers. But this also means that anyone who is given the key gets full access to the complete account history.
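A small triage heuristic for the indicators described above, as an added example that is not code from Signal or from the original article: it lists which parts of the lure a reported message matches, and checks outgoing text for something shaped like the recovery key. The phrase lists, the function names and the key layout (64 letters and digits, unbroken or in groups of four) are assumptions made for this example.

```python
import re

# Phrase lists are built from the message quoted in the article; they are
# illustrative heuristics, not a complete signature set.
OFFICIAL_NAME = re.compile(r"signal\W*(support|security|help|team)", re.I)
URGENCY = re.compile(r"permanent loss|sync issue|losing access|all stored data", re.I)
KEY_ASK = re.compile(r"(recovery|backup) key", re.I)
ACTION = re.compile(r"\b(paste|send|share|enter|reply)\b", re.I)
# Assumption: the key is 64 letters/digits, shown either unbroken or as
# 16 groups of 4 separated by a space, dash or newline.
KEY_LIKE = re.compile(
    r"(?<![A-Za-z0-9])(?:[A-Za-z0-9]{64}"
    r"|(?:[A-Za-z0-9]{4}[ \-\n]){15}[A-Za-z0-9]{4})(?![A-Za-z0-9])"
)

# Constructed samples (not captured traffic, not a real key).
PHISH = (
    "Your account data faces permanent loss due to a sync issue. Find your "
    "64-character recovery key and paste it into this chat. Failure to comply "
    "may result in losing access to your account and all stored data."
)
SAMPLE_KEY = " ".join(["a1b2"] * 16)


def contains_recovery_key(text):
    """True if an outgoing message holds something shaped like the key."""
    for m in KEY_LIKE.finditer(text):
        token = re.sub(r"[ \-\n]", "", m.group())
        # Require letters and digits together so 16 four-letter words of
        # ordinary prose do not match; a SHA-256 hex digest still will.
        if re.search(r"[A-Za-z]", token) and re.search(r"\d", token):
            return True
    return False


def triage_incoming(sender_name, text):
    """Return the list of indicators a reported message matches."""
    hits = []
    if OFFICIAL_NAME.search(sender_name):
        hits.append("unverified profile name imitates Signal staff")
    if URGENCY.search(text):
        hits.append("urgency or data-loss threat")
    if KEY_ASK.search(text) and ACTION.search(text):
        hits.append("asks for the recovery key in chat")
    return hits
```

A message matching all three indicators is the pattern the article describes; the outgoing check is the last line of defence, warning before a key-shaped string leaves the device in a chat message.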

As with many security failures, we have to be aware of the human factor. Ideally, systems should be designed around this and avoid a single point of failure. For now, users of Signal have to exercise increased vigilance.

 


by Matúš Koronthály
