Phishing Attack Overview
A new phishing campaign is targeting Signal users by impersonating the app’s support team. The attack begins with a text message claiming to be from Signal Support, warning that the user’s account data is at risk of permanent loss due to a sync issue. The message instructs recipients to navigate to their Signal settings, enable backups, copy their recovery key, and paste it directly into the chat. This simple but effective ruse exploits the trust users place in official communications and the urgency created by the threat of losing all message history.
Red Flags and How It Works
The phishing message contains several clear warning signs. It is sent from an unverified sender labeled “Name not verified”. It repeatedly threatens the permanent loss of data to create panic. The critical red flag is the request to paste the recovery key into the chat, as legitimate Signal Support would never ask for this sensitive information. By obtaining the recovery key, attackers can decrypt the user’s secure backup archive, gaining access to all conversations and media stored on Signal’s servers. This allows them to read private messages and potentially impersonate the victim in future attacks.
Impact and Protection
This attack specifically targets Signal’s Secure Backups feature, which allows users to store encrypted conversation archives on Signal’s servers. Once a recovery key is compromised, the attacker can restore the backup on their own device and access all past and present communications. Users should never share their recovery key with anyone, including official-looking support accounts. The only legitimate place to use the recovery key is within the Signal app itself during account recovery. Using Malwarebytes’ free Scam Guard tool can help identify such fraudulent messages before any damage is done.
Source: Malwarebytes

