Hackers are targeting Signal with new QR code-linked cyberattack

News
By
published

Russian hackers target military personnel with advanced phishing attacks

QR Code
(Image credit: Pixabay)
  • Google researchers are warning of an ongoing phishing campaign
  • It distributes QR codes which grant the attackers access to people's Signal accounts
  • The targets are mostly military personnel, experts warn

Russian state-sponsored threat actors have been increasingly targeting Signal Messenger users, with QR code-powered phishing attacks, malware, and more, experts have warned

A report from Google’s Threat Intelligence Group (GTIG) notes Signal’s use among military personnel, politicians, journalists, activists, and other high-risk groups has lately become widespread, triggering Russian state-sponsored threat actors’ increasing interest, particularly since the beginning of the Russo-Ukrainian war.

As a result, different threat actors (most notably APT44 and UNC5792) have been trying to abuse the “linked devices” feature in the attack. Linked devices allows users to connect multiple devices, such as laptops, tablets, and mobile devices, to the same account. To simplify the login process, users can scan a QR code from a device that’s already logged in, instead of typing in a password, or registering a new service.

QR codes

That being said, cybercriminals have started sending out phishing emails with invites to fake groups, different security alerts, and similar, which also carry a QR code. If the victim scans it, the attacker’s device gets logged into their account, getting access to contacts, messages, and more.

Since the phishing email doesn’t carry a malicious link, or attachment, that can be scanned by email security solutions, these emails often make it past filters and into people’s inboxes.

Beyond phishing, Russian and Belarusian threat groups are also using malware and specialized tools to exfiltrate Signal messages directly from compromised Android and Windows devices.

These efforts include scripts like WAVESIGN, which periodically extracts messages from Signal’s database, and Infamous Chisel, a known Android malware variant. Other actors, such as Turla and UNC1151, have leveraged PowerShell and command-line utilities to steal stored Signal messages from compromised computers, as well.

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

More about security
Laptop computer displaying logo of WordPress, a free and open-source content management system (CMS)

Another serious WordPress plugin vulnerability could put 40,000 sites at risk of attack
data recovery

Ghost ransomware has hit firms in over 70 countries, FBI and CISA warn
OnePlus Watch 3

OnePlus seeks FDA approval for Sleep Apnea Detection on its watch and takes on Apple in the process
See more latest