When a code or click betrays trust: the phishing campaign that takes account control in WhatsApp and Signal


In recent weeks, security agencies in several countries have raised the alarm about a phishing campaign aimed at widely used messaging applications such as WhatsApp and Signal. The US agencies CISA and the FBI have warned that Russian intelligence actors are trying to hijack the accounts of people with "high intelligence value": public officials, military personnel, journalists and political figures.

What matters about this campaign is that it is not a technical break of these platforms' encryption protocols but an exploitation of human trust: the attackers use social engineering to convince victims to hand over verification codes, scan QR codes or click malicious links. The result is account takeover, access to messages, and impersonation of the victim to launch new deceptions from a trusted identity. The agencies say that thousands of accounts have already been compromised around the world.


There are two main ways the attackers gain access, and the difference between them matters. If the victim hands over the requested verification code or PIN, the attacker re-registers the account and the owner loses access; the attacker cannot see the old messages, but can read and send new messages while posing as the victim. If, on the other hand, the victim clicks a link or scans a QR code prepared by the attacker, an adversary-controlled device is linked to the account, which can give full access to past and current conversations while the affected user keeps access to the account, until the rogue device is removed from the app's settings.

Threat intelligence teams at technology companies and response centres have linked similar campaigns to Russia-aligned groups known in the cybersecurity literature under labels such as Star Blizzard, UNC5792 and UNC4221. Intelligence reports from major vendors point to similar patterns and tactics, and European alerts, such as the one from the French cyber crisis centre C4 / ANSSI, confirm an increase in operations targeting the messaging accounts of officials, journalists and business leaders.

The authorities have also explained why these incidents are particularly dangerous. When an attacker controls a messaging account, they not only gain access to conversations but can also manipulate the perception of close contacts: sending dangerous links or requests while pretending to be the victim, and thus extending the chain of compromise to people who trust the sender. In practical terms, a single compromised account can become the tool for attacking a dozen more.

The security recommendations are not new, but they are now more urgent. Never share verification codes or PINs with anyone; treat unexpected messages that demand urgent action with suspicion; confirm the authenticity of a message through another channel before responding; and periodically review the devices linked to your applications and remove any you do not recognise. WhatsApp keeps specific instructions on two-step verification and good practice in its help centre (see the WhatsApp FAQ), and Signal publishes guidance on phishing and impersonation (see Signal's article).

Signal has publicly reminded users that the SMS verification code is only required during initial activation and that Signal Support never contacts users asking for codes or PINs by message. Any such request should be considered a scam, and the company has asked users to report impersonation attempts in which an alleged "Signal Support Bot" or other suspicious sender appears (Signal's statement).

Beyond not sharing codes, there are specific measures that reduce the risk: enable the two-step verification or registration PIN that these applications offer, use a screen lock on the device, keep the operating system and apps up to date, and distrust shortened links or domains that mimic legitimate services. For organisations and senior officials, recommended practice includes additional security controls and out-of-band verification procedures before accepting sensitive communications.


Cybersecurity institutions also recommend that anyone who suspects they are a target of this type of campaign file a report and follow the official guidance for reporting the incident. In the United States, IC3 and other agencies publish notices and steps to follow, and CISA maintains resources on how to identify and respond to phishing campaigns (more information from CISA).

This type of campaign is a reminder that security does not depend only on robust algorithms and encryption: it also depends on well-informed people and on processes that make it hard to abuse trust. Messaging technology protects messages in transit, but if an attacker gets in through the user's door, the level of protection drops drastically. That is why, alongside technical improvements, training and prudence are the first line of defence.

If your work or position makes you a more likely target of these campaigns, consider raising your security barriers and coordinating with your IT department or incident response team to put proactive measures in place. The recent public warnings are a reminder not to lower one's guard: social engineering remains, in many cases, the preferred tool of sophisticated actors.
