We are aware of recent reports regarding targeted phishing attacks that have resulted in account takeovers of some Signal users, including government officials and journalists. We take this very seriously.

To be clear: Signal’s encryption and infrastructure have not been compromised and remain robust. These attacks were executed via sophisticated phishing campaigns, designed to trick users into sharing information – SMS codes and/or Signal PIN – to gain access to users’ accounts.

These attacks, like all phishing, rely on social engineering. Attackers impersonate trusted contacts or services (such as the non-existent “Signal Support Bot”) to trick victims into handing over their login credentials or other information. To help prevent this, remember that your Signal SMS verification code is only ever needed when you are first signing up for the Signal app.

@signalapp yes, and you have control over all the #Signal usernames, so it's your failing to prevent those that happen inside your platform!

  • I know that like any decent system you can block keywords and strings from usernames, display names and so forth.
    • If not, you truly are criminally incompetent!
Kevin Karhan :verified: (@[email protected])

@[email protected] those attacks would not have been successful if you weren't a #proprietary, #centralized, #SingleVendor / #SingleProvider *"solution"* that doesn't do #SelfCustody of all the keys nor allows for #SelfHosting nor demands #PII like #PhoneNumbers that can be leveraged for that. - You know what I need to use @[email protected] / #monoclesChat or @[email protected] / #XMPP+#OMEMO? - An Internet connection and an account on any server. Can't #phish if one doesn't have credentials for #phishing attacks ffs! - Can't get #phished if no one demands, stores, processes or even demands such details in the first place! Also which #Government is that incompetent to not be able to set up their own comms?

@signalapp @kkarhan I then hereby register myself as incompetent.

First I will just block "Signal Support".

Then I will block all with "Signal" in it, and be hated by "Rescue Signal Inc.", "Weak Signal Detector" and "Signal Noise Ratio". But people will get over it.

Then I will also block Signаl, which looks the same but is encoded differently. Damn Russian hackers with their alphabet.

Next Turkish hackers will succeed with their phishing campaign using the name Sıgnal, so I will block those.

And after all this I will sadly witness that people even fall for Signa|, S!gnal, Singal, Sagnil and Signel, so I will block all those too.

In the end the journalist "Jesse Singal" will sue me to death because I blocked them.

I really know no good way to avoid this. Best I can think of is having a special icon only the real Signal support can use - but then people who do not know about it will keep falling for it.
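The escalating blocklist the post walks through, as an added example (not the poster's code and not anything Signal ships): fold the listed look-alike characters into a skeleton, then catch typo variants with an edit distance that counts transpositions. The confusable map is a constructed subset of the Unicode confusables, and the "Jesse Singal" false positive the post predicts falls out of it.

```python
import unicodedata

# Constructed subset of look-alike characters (not the full Unicode
# confusables table): the ones the thread lists, plus two common digit swaps.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a, as in "Signаl"
    "\u0131": "i",  # Latin dotless i, as in "Sıgnal"
    "|": "l",       # "Signa|"
    "!": "i",       # "S!gnal"
    "1": "l",
    "0": "o",
}


def skeleton(token: str) -> str:
    """Reduce a display-name token to a comparable skeleton."""
    s = unicodedata.normalize("NFKC", token).casefold()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    # Drop accents/combining marks, then anything that is not a letter or digit.
    s = "".join(ch for ch in unicodedata.normalize("NFD", s) if not unicodedata.combining(ch))
    return "".join(ch for ch in s if ch.isalnum())


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so "singal" is one step from "signal"."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def suspicious_tokens(name: str, brand: str = "signal", max_dist: int = 1) -> list[str]:
    """Return the tokens of `name` whose skeleton is within `max_dist` edits of `brand`."""
    hits = []
    for tok in name.split():
        sk = skeleton(tok)
        if sk and osa_distance(sk, brand) <= max_dist:
            hits.append(tok)
    return hits


if __name__ == "__main__":
    for name in ["Signal Support", "Sign\u0430l Support", "S\u0131gnal", "Signa|",
                 "S!gnal", "Singal", "Sagnil", "Jesse Singal", "Kevin Karhan"]:
        print(f"{name!r:22} -> {suspicious_tokens(name)}")
```

Raising `max_dist` to 2 catches "Sagnil" but widens the net of legitimate names that get flagged along with it.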

@divVerent The problem is that @signalapp mandates #PII like #PhoneNumbers, which is critical for said #phishing...

#Signal can spout all their "#Metadata" - #FUD all day but in the end they fall under #CloudAct and will snitch on users because if they didn't it would've been a statistical inevitability that @Mer__edith and #Moxie would've been in jail and Signal shut down like #EncroChat was.

  • Make of that what you will, but demanding a #PhoneNumber [which is either directly ("#KYC!") or indirectly / circumstantially linked to a person] should be seen as *THE BIGGEST RED FLAG* for any service.
    • It's like asking for an #ID at a store not as a means to "verify age" with like a #DOB & Photo on something not trivial to forge but rather demanding someone's address just to buy a beer!
@kkarhan @signalapp @Mer__edith I do boycott Signal for the same reason - I will not use a messenger that requires a phone number.

Also because my phone number already changed like 5 to 10 times in my life. It simply sucks as an identifier.

But this has nothing to do with the attack in question, and nothing at all with control over usernames as you alluded to in your previous post. You can literally attack every service that does SMS 2FA with that (also a good reason to not do SMS 2FA, nor any other phone-number-identified 2FA, as it means that all you need for a good phish is the phone number, which both allows you to attempt account recovery and is also a communication channel from you to your victim). I can list a bunch of services that are very likely vulnerable to the exact same attack:

- Telegram
- WhatsApp
- Gmail
- Your bank account (in particular basically all US banks)
- GitHub

Personally I am still using #Matrix, but I don't quite like it either. The protocol is overengineered and all clients suck (and there aren't even many clients to begin with that actually work, which is specifically the case because the protocol is so messy).

I actually had used XMPP before, but for me it kinda died when mobile devices came along and XMPP didn't learn a good way for push notifications without keeping a TCP connection to the service open at all times. Really sucks when e.g. being on a train. Seems XEP-0357 from 2020 fixes that (not sure if it by now has a good story for multi-device + offline messages, so you can connect sometimes with this device, sometimes with that one, and see full message history from both, and can also receive messages when none is online), but that shows the other problem of XMPP: everything is an extension and you can never know which feature set your server supports, and then you also need to know which feature set works with the people you talk to... IMHO they should collect a good set of XEPs and name it Jabber 2.0 or whatever, then servers and clients at least know what to align to. With that XMPP would actually have good chances at replacing Matrix.

@divVerent @signalapp @Mer__edith Yeah, I know folks that have changed phone numbers more frequently than addresses, license plates, employers and cars in the same time...