In a concerning trend, hackers are now targeting Signal users in a sophisticated phishing campaign aimed at stealing their chat backups. Reports indicate that these attackers masquerade as the app's support team, warning users that their chat data is at risk of being permanently lost due to a supposed sync issue.
According to analyst Josh Rogin, a screenshot of this phishing attempt was shared on social media, revealing messages that instruct users to provide their recovery key to prevent data loss. The message falsely claims that failure to comply could lead to losing access to their account and stored data.
Rogin highlighted that several anti-CCP activists have reported receiving this fraudulent message, suggesting that the campaign may be more extensive than initially believed, potentially targeting various communities beyond just activists.
Mohammed Al-Maskati, director of Access Now's Digital Security Helpline, noted that the attack's first step involves stealing recovery keys, which are critical for accessing chat backups. However, he emphasized that even if the hackers obtain these keys, they still need to take control of the victim's account to succeed fully.
This phishing scheme exploits users' trust by impersonating Signal's support, a tactic that has become increasingly common in cyberattacks. Signal has explicitly stated that it never initiates contact with users or requests sensitive information such as registration codes or recovery keys. Any communication claiming to be from "Signal Support" is likely from malicious actors.
Previous attacks on Signal users typically focused on hijacking accounts to impersonate victims, but this new approach specifically targets backups, which may contain valuable older chats and media files. Unlike earlier methods, which did not grant access to past messages, this strategy allows hackers to potentially retrieve older content if they succeed.
Signal has implemented security features like Registration Lock to safeguard user accounts against unauthorized access. This feature requires a PIN to link a phone number to a new device, adding an extra layer of protection. Users are encouraged to store their recovery keys securely, as these are essential for accessing their backups.
With the introduction of Secure Backups, Signal allows users to upload their account contents to encrypted servers, ensuring that only the user can decrypt and access their data. The organization stresses that without the unique recovery key, no one, including Signal itself, can access the backup.
As phishing attacks evolve, it becomes increasingly vital for users to remain vigilant and informed about such threats. The ongoing development of security measures and user awareness will be crucial in countering these malicious attempts in the digital landscape.
