Submitted by Global Scam Watch on

The Dutch intelligence agencies, the General Intelligence and Security Service and the Military Intelligence and Security Service, issued a high-priority warning regarding a sophisticated phishing campaign conducted by Russian state-backed actors. The operation targets senior government officials, journalists, and other high-profile individuals across Europe and focuses specifically on the messaging platforms Signal and WhatsApp, applications widely trusted for their strong end-to-end encryption. Rather than attempting to break the encryption protecting these services, the campaign relies on social engineering to manipulate users into granting access themselves, reflecting a growing shift away from traditional malware and toward psychological and procedural compromise.

Security researchers identified two primary methods used in the campaign. The first involves attackers posing as automated “Signal Security Support” chatbots that contact users with urgent warnings claiming their accounts require verification or have been compromised. These messages imitate the visual style and language of legitimate security notifications in order to create urgency and authority. Victims are directed to malicious links or prompted to provide account information, exploiting the confidence many users place in the security reputation of encrypted messaging platforms. The approach demonstrates how trust in a platform’s technical protections can be turned into a vulnerability when attackers focus on manipulating the user rather than the software.

Quishing

The second technique exploits the legitimate linked device feature built into both Signal and WhatsApp. Attackers distribute QR codes disguised as security updates, account verification steps, or invitations to exclusive groups. When a target scans the code with their mobile application, the action silently authorizes a secondary device controlled by the attacker to link to the account. This allows the adversary to mirror conversations in real time and read messages as they are sent and received. Because the attacker operates as an approved linked instance of the account, the encryption protecting the messages remains intact while the criminal simply observes the communication stream from an authorized device.

Dutch intelligence services advise individuals at higher risk of targeting to immediately review the list of linked devices within their messaging application settings and remove any unfamiliar sessions. Enabling two-step verification adds an additional barrier to unauthorized access, while skepticism toward unsolicited security messages remains essential. Requests asking users to scan QR codes or follow links to “verify” account security should be treated with caution, particularly when the message claims urgency or authority. As geopolitical tensions increasingly extend into the digital environment, operations of this type demonstrate how attackers continue to bypass advanced encryption not by defeating the technology but by persuading the user to unknowingly grant access.
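
For teams that triage reported messages, a QR code that would link a new device can be recognized from its decoded text before anyone scans it in the app. The Python below is an added example, not part of the original article or of Signal's code. It assumes the QR image has already been decoded to text, covers only Signal's linking URI (`sgnl://linkdevice`, plus the older `tsdevice:` form) and not WhatsApp's pairing format, and uses hypothetical function names and constructed sample payloads.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption: the QR image was already decoded to text by the reporting
# pipeline. Signal clients register sgnl://linkdevice (and the older
# tsdevice: form) for device linking; uuid and pub_key are its parameters.
REQUIRED_PARAMS = {"uuid", "pub_key"}

def _split(text: str):
    try:
        return urlsplit(text.strip())
    except ValueError:  # malformed netloc, e.g. unbalanced brackets
        return urlsplit("")

def is_link_uri(text: str) -> bool:
    """True if text is a Signal device-linking URI with both parameters set."""
    parts = _split(text)
    scheme = parts.scheme.lower()
    if scheme == "sgnl":
        if parts.netloc.lower() != "linkdevice":
            return False
    elif scheme != "tsdevice":
        return False
    return REQUIRED_PARAMS <= set(parse_qs(parts.query))

def classify_qr_payload(payload: str) -> str:
    """Label one decoded QR payload for the analyst queue."""
    if is_link_uri(payload):
        return "device-link"
    parts = _split(payload)
    if parts.scheme.lower() in ("http", "https"):
        # parse_qs percent-decodes each value once, so a linking URI carried
        # inside a web link's query string is visible here.
        for values in parse_qs(parts.query).values():
            if any(is_link_uri(v) for v in values):
                return "device-link-embedded"
        return "web-link"
    return "other"

def triage(reports):
    """Return (report_id, label) for payloads that would link a new device."""
    labelled = ((rid, classify_qr_payload(p)) for rid, p in reports)
    return [(rid, lab) for rid, lab in labelled if lab.startswith("device-link")]

# Constructed sample payloads (hypothetical report ids, placeholder values).
SAMPLE_REPORTS = [
    ("r1", "sgnl://linkdevice?uuid=00000000-0000-0000-0000-000000000000&pub_key=QUJD"),
    ("r2", "https://example.invalid/verify?next=sgnl%3A%2F%2Flinkdevice%3Fuuid%3Dabc%26pub_key%3DQUJD"),
    ("r3", "https://signal.group/#constructed-invite"),
    ("r4", "WIFI:S:guest;T:WPA;P:constructed;;"),
    ("r5", "sgnl://linkdevice?uuid=abc"),  # incomplete: no pub_key
]
```

A payload labelled `device-link` or `device-link-embedded` that arrived as a "security update", "verification" or group invitation matches the lure described above, because a genuine group invitation is an ordinary web link and never a linking URI.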