Germany’s Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI) have released a joint advisory regarding a phishing campaign targeting high-profile individuals through the Signal messaging application. This campaign is believed to be orchestrated by a likely state-sponsored threat actor.
Target Profile
The phishing attacks are primarily aimed at high-ranking officials in politics, the military, and diplomacy, as well as investigative journalists across Germany and Europe. The advisory emphasizes that unauthorized access to these accounts can lead to exposure of confidential communications and potentially compromise entire networks.
Nature of the Attack
Notably, this campaign does not rely on malware distribution or the exploitation of vulnerabilities within the Signal platform. Instead, the attackers utilize legitimate features of the app to gain covert access to victims’ chats and contact lists. The attack begins with the threat actors impersonating “Signal Support” or a chatbot named “Signal Security ChatBot,” prompting targets to provide a PIN or verification code received via SMS, under the threat of data loss.
If victims comply, the attackers can register the account and access the victim’s profile, settings, and contacts. While the stolen PIN does not grant access to past conversations, it allows attackers to receive incoming messages and send messages as if they were the victim. Victims are then misled into creating a new account, losing access to their original account.
Alternative Attack Vector
An alternative method involves tricking victims into scanning a QR code, which grants attackers access to the victim’s account, including messages from the past 45 days. In this scenario, victims remain unaware that their chats and contacts are compromised.
Broader Implications
The BfV and BSI have indicated that while the current focus is on Signal, similar tactics could be applied to WhatsApp, which shares comparable device linking and PIN features. The advisory warns that successful access to messaging accounts can lead to viewing confidential communications and potentially jeopardizing entire networks through group chats.
Although the identity of the threat actors remains unconfirmed, previous reports have linked similar attacks to Russia-aligned groups. Users are advised to avoid engaging with support accounts and to refrain from sharing their Signal PIN. Enabling Registration Lock and regularly reviewing linked devices are recommended as preventive measures.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.
