The Internet Crime Complaint Center (IC3) has issued a warning about ongoing phishing campaigns orchestrated by cyber actors associated with **Russian Intelligence Services (RIS)**. These campaigns specifically target **commercial messaging applications (CMAs)**, leading to the compromise of individual user accounts 【1】.
**What Happened:**
RIS actors are employing sophisticated phishing tactics to gain unauthorized access to CMA accounts. They impersonate automated CMA support accounts to deceive users into clicking malicious links or providing sensitive information such as PINs and two-factor authentication (2FA) codes 【1】. Two primary methods are being used:
- **Linked Device Feature Abuse:** Attackers impersonate a contact to send a malicious link or QR code. Clicking the link or scanning the QR code allows the attacker to link their device to the victim's CMA account 【1】.
- **Account Takeover:** Attackers send phishing messages to trick victims into revealing their PIN and 2FA codes, resulting in the loss of the victim's access and the attacker gaining full control of the account 【1】.
While thousands of individual accounts have been compromised, the CMAs' encryption and the applications themselves have not been breached 【1】.
**Who is Affected:**
The campaign has resulted in unauthorized access to **thousands of individual CMA accounts globally** 【1】. The primary targets are individuals of high intelligence value, including **current and former U.S. government officials, military personnel, political figures, and journalists** 【1】. While **Signal accounts** are specifically targeted, similar methods can be applied to other CMAs 【1】.
**Security Implications:**
The primary security implication is the **compromise of user accounts**, allowing malicious actors to **view messages and contact lists, send messages on behalf of the victim, and conduct further phishing attacks** against other CMA users 【1】. Crucially, these phishing attacks can **render other security measures, including end-to-end encryption, irrelevant** by providing direct access to user accounts 【1】. Attackers may also use malware to infect victims' devices 【1】.
**Technical Details:**
The attacks involve **phishing messages disguised as automated CMA support communications** 【1】. These messages are crafted to trick users into performing actions like clicking links or divulging verification codes and PINs 【1】. This enables attackers to either add their device as a linked device or achieve a full account takeover 【1】. The methods are adaptable and can be applied to various CMAs, not just Signal 【1】.
**What Defenders Should Know:**
Defenders and users are urged to be vigilant and implement strong cyber hygiene practices:
- **Pause and Verify:** If a scam is suspected, cease all interaction and do not share codes, PINs, or passwords. Never share PINs or 2FA codes for actions you did not initiate 【1】.
- **Treat Unknown Messages with Suspicion:** Be wary of unexpected messages, even from known contacts if the request seems unusual. Block and report suspicious messages 【1】.
- **Scrutinize Links and Attachments:** Carefully inspect all links and files before clicking or opening them to avoid malware or unauthorized access 【1】.
- **Verify Group Chat Participants:** Regularly check participant lists in group chats for duplicates or fake accounts and verify authenticity through secure, alternative communication channels 【1】.
- **Utilize Security Features:** Stay informed about the security features of your CMA, such as message expiration, and enable them where appropriate and permissible 【1】.
- **Interact with Support Cautiously:** CMA support typically communicates via official email addresses and will not request verification codes or send links for account verification. Always navigate directly to the app or official website to interact with support 【1】.
- **Report Incidents:** Report suspected phishing scams to your organization's security team/IT department, the IC3 at [https://www.ic3.gov/](https://www.ic3.gov/), or your local FBI Field Office. For financial or identity fraud, also notify local authorities 【1】.
- **Victim Reporting:** If you fall victim, file a complaint with IC3 【1】. Additional resources are available from the FBI and CISA regarding spoofing, phishing, and mobile communication best practices 【1】.