The Message That Became You: Phishing Inside Trusted Chats
- Javier Conejo del Cerro
- 23 Mar
- 3 min read

Russian intelligence-linked threat actors are actively targeting Signal and WhatsApp users through large-scale phishing campaigns designed not to break encryption, but to bypass it entirely through social engineering. By impersonating trusted services and exploiting urgency, attackers gain full or partial control of accounts belonging to high-value individuals, enabling message interception, identity impersonation, and secondary attacks. The operation highlights a critical shift: the weakest point is no longer the platform—it is the user’s trust.
Phase 1: Deception & Delivery
The attack begins with carefully crafted phishing messages impersonating legitimate entities such as “Signal Support” or security alerts. These messages are engineered to create urgency, warning of suspicious logins or compromised accounts, pushing victims to act quickly without verification.
Delivery occurs directly within messaging ecosystems or via SMS and other communication channels, leveraging familiarity and trust. Unlike traditional phishing emails, these messages appear in environments users already consider secure, significantly increasing their success rate.
The campaigns are highly targeted, focusing on individuals whose communications hold intelligence value, making each message more personalized and convincing.
Phase 2: Social Engineering Takeover
Instead of exploiting technical vulnerabilities, attackers rely entirely on human manipulation. Victims are prompted to either share verification codes/PINs or interact with malicious links and QR codes.
If the victim provides the verification code, the attacker uses it to register the account on their own device, effectively taking control and locking the victim out. This method grants access to future communications and enables immediate impersonation.
Alternatively, if the victim clicks a link or scans a QR code, the attacker links their device to the account. This method is more covert, allowing access to both past and ongoing messages while the victim remains unaware and retains apparent control of the account.
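The lure features described in Phase 1 (a sender posing as platform support, manufactured urgency) and the two "asks" of Phase 2 (relay a verification code, or follow a link / scan a QR code) can be turned into a simple defender-side triage heuristic. The following is an added example, not code from the original post or from Signal or WhatsApp; the indicator patterns are assumed representative phrasings, and the sample messages are constructed.

```python
"""Triage heuristic for messaging-app phishing lures (added example).

Scores an inbound chat or SMS message against the indicators the post
describes: impersonation of platform support, urgency language, a request
to relay a verification code or PIN, and a link or QR code to act on.
Illustrative defender-side logic only; the patterns are assumptions and the
sample messages below are constructed.
"""
import re
from dataclasses import dataclass, field

# One pattern per indicator category, with a weight reflecting how decisive
# it is. A code-relay request weighs double: no legitimate platform asks a
# user to send back the code it just delivered.
INDICATORS = [
    (re.compile(r"\b(signal|whatsapp)\s+(support|security|team)\b", re.I), 1,
     "sender or body impersonates platform support"),
    (re.compile(r"\b(immediately|within \d+ (minutes|hours)|suspended|locked"
                r"|suspicious login|compromised)\b", re.I), 1,
     "urgency or account-threat language"),
    (re.compile(r"\b(verification|confirmation|registration|security) code\b"
                r"|\byour pin\b", re.I), 2,
     "asks for a verification code or PIN"),
    (re.compile(r"https?://\S+", re.I), 1,
     "pushes a link to act on"),
    (re.compile(r"\bscan (this|the) qr\b", re.I), 1,
     "pushes a QR code to scan (device-linking lure)"),
]


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 3:
            return "likely-phish"
        if self.score >= 1:
            return "suspicious"
        return "benign"


def triage(sender: str, body: str) -> Verdict:
    """Score one message; each matched indicator adds its weight once."""
    verdict = Verdict()
    text = f"{sender} {body}"
    for pattern, weight, reason in INDICATORS:
        if pattern.search(text):
            verdict.score += weight
            verdict.reasons.append(reason)
    return verdict


# Constructed sample traffic: two lures of the kinds the post describes and
# one benign message from a contact.
SAMPLE_MESSAGES = [
    ("Signal Support",
     "Suspicious login detected. Reply with the verification code we just "
     "sent within 10 minutes or your account will be suspended."),
    ("+1 555 0100",
     "Your account has been compromised, scan this QR code to secure it: "
     "https://example.invalid/secure"),
    ("Maria",
     "Running late, see you at 7. Want me to grab coffee?"),
]


def triage_all(messages=SAMPLE_MESSAGES):
    """Return (sender, label, reasons) for each message, for a quick report."""
    return [(s, triage(s, b).label, triage(s, b).reasons) for s, b in messages]


if __name__ == "__main__":
    for sender, label, reasons in triage_all():
        print(f"{label:13} {sender!r}: {'; '.join(reasons) or 'no indicators'}")
```

The first lure scores on impersonation, urgency and the code request; the second on urgency, a link and a QR prompt. Both land at "likely-phish", while the benign message matches nothing. The weights are a starting point, not a tuned model: the one rule worth keeping fixed is that any request to relay a code should never be treated as benign, which is why it carries the highest weight.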
Phase 3: Data Access & Identity Abuse
Once access is established, attackers gain visibility into private conversations and contact lists. This provides not only sensitive information but also a map of trusted relationships.
Using the compromised account, attackers can send messages as the victim, enabling highly effective secondary phishing campaigns. Because these messages originate from a trusted identity, they are far more likely to succeed, allowing the attack to propagate laterally across networks.
The result is a multi-layered compromise: interception of communications, exposure of contacts, and weaponization of trust for further intrusion.
Phase 4: Persistence & Expansion
Attackers maintain access by keeping linked devices active or controlling account recovery mechanisms. In linked-device scenarios, persistence is particularly strong, as access can remain unnoticed indefinitely unless manually reviewed.
The operation scales through chained phishing, where each compromised account becomes a new launch point. This creates a cascading effect across professional and personal networks, amplifying the campaign’s reach without additional infrastructure.
The absence of malware or exploits makes detection significantly harder, as the activity blends into normal user behavior.
Measures to Fend Off
Never share verification codes or PINs under any circumstances
Treat urgent security alerts with skepticism, especially those requesting immediate action
Avoid clicking on unsolicited links or scanning unexpected QR codes
Regularly review and remove unknown linked devices from messaging apps
Verify suspicious requests through official channels, not within the same message thread
Educate users on social engineering tactics targeting messaging platforms
Apply zero-trust principles to communication channels, even those perceived as secure
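The linked-device review recommended above, and the Phase 4 observation that an attacker-linked device can stay unnoticed until someone looks, can be made a repeatable check rather than an occasional glance at a settings screen. The following is an added example, not code from the original post or from either platform: neither Signal nor WhatsApp exposes its linked-device list to scripts, so the records are constructed to mirror the fields the apps display (device name, date linked, last active), and the baseline is assumed to have been recorded by the user when the list was last known to be clean.

```python
"""Linked-device audit against a user-recorded baseline (added example).

Models the manual "review linked devices" step as a check of the app's
current list against what the user deliberately linked. A device is flagged
when it is not in the baseline, when it carries a baseline name but was
linked after the baseline was taken (a look-alike name is an easy choice for
an attacker), or when a legitimate device has been idle long enough that
keeping it linked buys nothing. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LinkedDevice:
    name: str
    linked_at: datetime
    last_active: datetime


# Baseline the user recorded on 1 March 2025 (constructed).
BASELINE_NAMES = {"Desktop (work laptop)", "iPad"}
BASELINE_TAKEN = datetime(2025, 3, 1)
IDLE_LIMIT = timedelta(days=30)  # assumption: a reasonable dormancy cutoff

# Current list as the app would show it (constructed). The third entry reuses
# a baseline name but was linked after the baseline; the fourth is unknown.
CURRENT_DEVICES = [
    LinkedDevice("Desktop (work laptop)", datetime(2024, 11, 5), datetime(2025, 3, 22)),
    LinkedDevice("iPad", datetime(2024, 12, 1), datetime(2025, 1, 10)),
    LinkedDevice("Desktop (work laptop)", datetime(2025, 3, 20), datetime(2025, 3, 23)),
    LinkedDevice("Desktop", datetime(2025, 3, 21), datetime(2025, 3, 23)),
]


def audit(devices, baseline_names=BASELINE_NAMES, baseline_taken=BASELINE_TAKEN,
          now=datetime(2025, 3, 23), idle_limit=IDLE_LIMIT):
    """Return (device name, finding) pairs; an empty list means nothing to act on."""
    findings = []
    for d in devices:
        if d.name not in baseline_names:
            findings.append((d.name, "unknown device: not in baseline, unlink and investigate"))
            continue
        if d.linked_at > baseline_taken:
            # Same name as a trusted device, but linked after the baseline:
            # only the user can confirm whether they re-linked it themselves.
            findings.append((d.name, "baseline name but linked after baseline: confirm it was you"))
            continue
        if now - d.last_active > idle_limit:
            findings.append((d.name, "idle beyond limit: unlink until needed again"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(CURRENT_DEVICES):
        print(f"{name!r}: {finding}")
```

Matching on the displayed name alone is deliberately not trusted: the date-linked check is what catches a device that borrows a legitimate name, which is also why the baseline should store when it was taken, not just which names were present.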
This campaign demonstrates a fundamental evolution in threat strategy: attackers no longer need to break encryption when they can bypass it entirely through human trust. By embedding themselves within legitimate communication channels, they transform everyday messages into attack vectors.
The implications are profound. Messaging platforms remain technically secure, yet the conversations within them become exposed through manipulation. As users increasingly rely on these apps for sensitive communication, the value of a single compromised account grows exponentially.
This is not just phishing; it is identity hijacking at scale. And in this landscape, the most dangerous message is the one that looks exactly like it should.
The Hacker News