- Google researchers are warning of an ongoing phishing campaign
- It distributes QR codes which grant the attackers access to people's Signal accounts
- The targets are mostly military personnel, experts warn
Russian state-sponsored threat actors have been increasingly targeting Signal Messenger users, with QR code-powered phishing attacks, malware, and more, experts have warned
A report from Google’s Threat Intelligence Group (GTIG) notes Signal’s use among military personnel, politicians, journalists, activists, and other high-risk groups has lately become widespread, triggering Russian state-sponsored threat actors’ increasing interest, particularly since the beginning of the Russo-Ukrainian war.
As a result, different threat actors (most notably APT44 and UNC5792) have been trying to abuse the “linked devices” feature in the attack. Linked devices allows users to connect multiple devices, such as laptops, tablets, and mobile devices, to the same account. To simplify the login process, users can scan a QR code from a device that’s already logged in, instead of typing in a password, or registering a new service.
QR codes
That being said, cybercriminals have started sending out phishing emails with invites to fake groups, different security alerts, and similar, which also carry a QR code. If the victim scans it, the attacker’s device gets logged into their account, getting access to contacts, messages, and more.
Since the phishing email doesn’t carry a malicious link, or attachment, that can be scanned by email security solutions, these emails often make it past filters and into people’s inboxes.
Beyond phishing, Russian and Belarusian threat groups are also using malware and specialized tools to exfiltrate Signal messages directly from compromised Android and Windows devices.
These efforts include scripts like WAVESIGN, which periodically extracts messages from Signal’s database, and Infamous Chisel, a known Android malware variant. Other actors, such as Turla and UNC1151, have leveraged PowerShell and command-line utilities to steal stored Signal messages from compromised computers, as well.
You might also like
- United Healthcare data breach may have affected 190 million Americans
- We've rounded up the best password managers
- Take a look at our guide to the best authenticator app
