Hackers are trying to steal Signal users’ backups in new wave of phishing attacks


Hackers are targeting Signal users in an effort to steal their chat backups as part of a new hacking campaign, TechCrunch has learned.

On Wednesday, Washington Post expert Josh Rogin posted a screenshot of a new kind of attack against Signal users, where hackers pretend to be the app’s support team and tell the target that their backed-up chats and media are “at risk of permanent loss due to a sync issue.” To avoid that, the message said, the target needs to share the recovery key that is used to access their online backups in the chat with the hackers.

“This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data,” read the message purporting to come from an account called Signal Support.

This is a phishing attempt. If you get this message on Signal, do not follow the instructions. Many anti-CCP activists have also received this phishing attempt. Beware and be aware. pic.twitter.com/8J1YDcpUAX

— Josh Rogin (@joshrogin) May 27, 2026

Rogin said that several anti-Chinese Communist Party activists have received this malicious message.

Mohammed Al-Maskati, the director at Access Now’s Digital Security Helpline, which investigates cyberattacks against journalists, dissidents, and human rights activists, told TechCrunch that two people shared similar messages with him. Al-Maskati said that the two are not Chinese activists. This suggests that the hacking campaign could be more widespread and targeting other communities, or there may be different groups of hackers using the same strategy.

It’s not clear how effective the hacking campaign has been. Al-Maskati said that stealing the victim’s recovery keys for their chat backups is only one step in the attack, and that the hackers still have to take over the victim’s account.

In general, this kind of attack relies on phishing targets, meaning tricking them into sharing some important and private information with the hackers. In this particular case, the hackers are pretending to be Signal’s support team to exploit the target’s trust in the app and the organization behind it.

It’s important to note that Signal says it “will never reach out” to users first, and will never ask for their registration code, PIN, or recovery key. That means any chat pretending to be coming from “Signal Support” is actually coming from malicious hackers. The organization has publicly warned about this exact kind of attack last month.

While there have been several campaigns of hackers impersonating Signal support in recent months, this is a new kind of attack because it specifically targets backups, which can contain a victim’s older chats, photos, and documents.

Previous hacking campaigns targeting Signal users attempted to hijack a victim’s account and then impersonate them, often with the possible goal of stealing the victim’s contacts or starting conversations with other people as if they were the account owner. In these cases, the hackers do not get access to past messages, since the attacks rely on them re-registering the victim’s account on a device they control. Because of how Signal is designed, older messages do not appear on the new device.

Hackers can take over Signal accounts by hijacking someone’s phone number, for example. But Signal offers opt-in security features to protect against that attack such as Registration Lock, which prevents attackers from linking a target’s number to a new device unless they steal the target’s PIN.

Contact Us

Do you have more information about these attacks against Signal users? Or other similar attacks? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.

In that scenario, one way to see older messages would be to access a victim’s online backup, which requires the recovery key.

Last year, Signal launched Secure Backups, a new opt-in feature that lets users upload their account’s contents to Signal’s servers, which are encrypted with a recovery key that the organization says is “never shared with Signal’s servers,” and “never leaves” the users’ device. Signal says users should store the recovery key securely on a notebook or within a password manager.

“Without your unique recovery key, no one (including Signal) can read, decrypt, or restore any of the data in your Secure Backup Archive,” Signal said.

That means only the user can access their archive in a scenario where they register their account on a new phone, download the encrypted backup from Signal’s servers, and then decrypt it with the recovery key.

Signal did not respond to a request for comment.
