
NCSC Alert: WhatsApp and Signal Targeting via Social Engineering — Detection and Hardening Guide

Security Arsenal Team
April 19, 2026
6 min read

Introduction

The UK's National Cyber Security Centre (NCSC) has issued an alert warning that "high-risk individuals" are being targeted through the encrypted messaging apps WhatsApp and Signal. The cryptography and infrastructure of both platforms are not at issue; the advisory describes social engineering campaigns that get around technical controls by manipulating the user.

The technique abuses account registration, the same flow used for a new phone or a number change. The attacker starts registering the target's phone number on a device they control, which causes the platform to send a verification code to the victim's phone. The attacker then contacts the victim, often posing as a known contact or as technical support, and talks them into reading the code back. With the code, the attacker completes the registration: the victim's device is deregistered, the account's identity keys are regenerated under the attacker's control, and from that point on the attacker sends and receives messages as the victim. Existing end-to-end encrypted history stays on the victim's device (neither platform stores it on its servers), but that is small comfort: the attacker's prize is the ability to impersonate a trusted person to their contacts, to receive everything sent to that account, and on WhatsApp to sit in the groups that follow the number. Given who is being targeted (journalists, executives, political figures), defenders should treat this as an active account takeover (ATO) threat.

Technical Analysis

Affected Products and Platforms

  • Platforms: Signal (Android, iOS, Desktop), WhatsApp (Android, iOS, Desktop).
  • Scope: Every version is exposed, because the attack abuses legitimate account registration and migration features rather than a software defect. There is no patch to apply; the controls are configuration (PINs) and user behaviour.

Attack Chain and Exploitation Status

  1. Initial Reconnaissance: The attacker obtains the target's phone number through OSINT, breach data or public records.
  2. Trigger Event: The attacker installs Signal or WhatsApp on a device they control and begins registering the victim's number (the "change number" and device-transfer flows end in the same verification step).
  3. User Notification: The platform sends a verification code to the victim's phone by SMS (WhatsApp may also show a notice on the existing installation). Nothing has been compromised yet; the code is the only thing between the attacker and the account.
  4. Social Engineering (The Exploit):
    • Tactic: The attacker messages the victim, by SMS or from an already-compromised contact's account, claiming to have mistyped their own number and urgently needing the code that "accidentally" arrived.
    • Psychological Triggers: Urgency and familiarity.
  5. Account Takeover: The victim relays the code. The attacker enters it and registration completes. The account's identity key is regenerated and the victim's device is deregistered. Every contact of the victim now sees a "safety number changed" (Signal) or "security code changed" (WhatsApp) notice, which is the one observable artefact the hijack leaves behind.

Exploitation Status: Confirmed active exploitation. There is no CVE, because nothing is being exploited in the software; the NCSC alert reports that this tactic, technique and procedure (TTP) is in current use against high-value targets.

Detection & Response

The takeover itself leaves almost no endpoint telemetry: it happens on the attacker's device and the victim's phone, and the victim hands the code over voluntarily. The detections that matter are therefore human and procedural: staff reporting verification codes they did not request, contacts reporting unexpected safety-number changes or odd requests from a known account, and Registration Lock or two-step verification prompts appearing where none was expected. Treat a report of an unrequested Signal or WhatsApp code as a security incident, not a help-desk ticket, because it means someone has already started registering that number. The rules below cover an adjacent risk on managed endpoints: the desktop clients are Electron applications, and a shell or script interpreter spawned by WhatsApp.exe or Signal.exe, or the client reading browser or Windows credential stores, does not indicate the SMS scam but does indicate an exploited or trojanised client, or an attacker who already holds the endpoint and is pivoting into the messaging app.

SIGMA Rules

YAML
---
title: Suspicious Child Process Spawned by Signal or WhatsApp Desktop
id: 9e8f7d6c-5b4a-4e3d-8c2b-1a0f9e8d7c6b
status: experimental
description: Detects a command shell or script interpreter spawned by the Signal or WhatsApp desktop client. Neither Electron app launches these in normal use, so a hit suggests an exploited or trojanised client, or an attacker on the endpoint pivoting through the messaging application. It does not detect the SMS-code social engineering itself, which leaves no endpoint telemetry.
references:
  - https://www.ncsc.gov.uk/news/organisations-urged-to-alert-staff-to-whatsapp-signal-scams
author: Security Arsenal
date: 2024-05-15
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.t1059.005
  - attack.t1059.007
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\WhatsApp.exe'
      - '\Signal.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection
falsepositives:
  - Administrative troubleshooting launched from within the application (rare)
level: high
---
title: Unusual File Access by Messaging Clients
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the Signal or WhatsApp desktop client reading Windows Credential Manager or Chrome login data, none of which a messaging client needs. Indicates credential theft or data staging by a compromised client or by code injected into it.
references:
  - https://www.ncsc.gov.uk/news/organisations-urged-to-alert-staff-to-whatsapp-signal-scams
author: Security Arsenal
date: 2024-05-15
tags:
  - attack.credential_access
  - attack.t1555.003
  - attack.t1555.004
  - attack.collection
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection:
    Image|endswith:
      - '\WhatsApp.exe'
      - '\Signal.exe'
    TargetFilename|contains:
      - '\AppData\Local\Microsoft\Credentials'
      - '\AppData\Roaming\Microsoft\Credentials'
      - '\AppData\Local\Google\Chrome\User Data\Default\Login Data'
  condition: selection
falsepositives:
  - User attaching a file from one of these locations through the application's file picker (verify with the user)
level: medium
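Before deploying the two selections above, it is worth checking that they fire where intended and stay quiet on normal Electron behaviour. The harness below is an example added here by the editor; it is not code from the NCSC alert or from Security Arsenal's tooling. It implements only the Sigma modifiers the rules use (endswith and contains) with Sigma's default case-insensitive matching, and runs both selections over six hand-constructed Sysmon-style events, including two benign controls: a renderer child that Signal spawns of itself, and Signal reading its own database. Every path, user name and command line in the events is made up for the test.

```python
"""Offline test of the two Sigma selections above against constructed events.

Editor-added example, not code from the NCSC alert or Security Arsenal. It
implements just the Sigma string modifiers the rules use (endswith, contains)
with Sigma's default case-insensitive matching. The events are constructed by
hand, not captured telemetry; paths and user names are placeholders.
"""

# Selections copied from the two rules above. A selection map is an AND of its
# keys; each key's list is an OR of patterns.
RULE_CHILD_PROCESS = {
    "title": "Suspicious Child Process Spawned by Signal or WhatsApp Desktop",
    "selection": {
        "ParentImage|endswith": [r"\WhatsApp.exe", r"\Signal.exe"],
        "Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe"],
    },
}

RULE_FILE_ACCESS = {
    "title": "Unusual File Access by Messaging Clients",
    "selection": {
        "Image|endswith": [r"\WhatsApp.exe", r"\Signal.exe"],
        "TargetFilename|contains": [
            r"\AppData\Local\Microsoft\Credentials",
            r"\AppData\Roaming\Microsoft\Credentials",
            r"\AppData\Local\Google\Chrome\User Data\Default\Login Data",
        ],
    },
}

RULES = [RULE_CHILD_PROCESS, RULE_FILE_ACCESS]

SIGNAL = r"C:\Users\alice\AppData\Local\Programs\signal-desktop\Signal.exe"

# Constructed events with Sysmon-style field names.
EVENTS = [
    # 0: Electron renderer child of Signal itself; benign, must not fire.
    {"ParentImage": SIGNAL, "Image": SIGNAL,
     "CommandLine": "Signal.exe --type=renderer"},
    # 1: shell spawned by Signal Desktop; fires.
    {"ParentImage": SIGNAL, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # 2: same thing with odd casing. Sigma matching is case-insensitive, so it
    #    fires; a KQL `in` (rather than `in~`) on these names would miss it.
    {"ParentImage": r"C:\USERS\ALICE\APPDATA\LOCAL\WHATSAPP\WHATSAPP.EXE",
     "Image": r"C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE",
     "CommandLine": "POWERSHELL.EXE -enc AAAA"},
    # 3: PowerShell started from Explorer; unrelated parent, must not fire.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # 4: Signal reading Chrome's saved-password store; fires.
    {"Image": SIGNAL,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # 5: Signal reading its own message database; normal, must not fire.
    {"Image": SIGNAL,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Signal\sql\db.sqlite"},
]


def match_patterns(value, modifier, patterns):
    """Apply one Sigma string modifier with default case-insensitive semantics."""
    v = str(value).lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(selection, event):
    """Every field in the selection must be present and match (logical AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not match_patterns(event[field], modifier, patterns):
            return False
    return True


def run_rules(rules, events):
    """Return (event index, rule title) for every rule/event pair that fires."""
    return [(i, rule["title"])
            for i, event in enumerate(events)
            for rule in rules
            if selection_matches(rule["selection"], event)]


if __name__ == "__main__":
    for idx, title in run_rules(RULES, EVENTS):
        print(f"event {idx}: {title}")
```

Running it lists events 1, 2 and 4 only. Event 2 is the useful one: it passes under Sigma semantics but would be dropped by a case-sensitive backend translation, which is the kind of gap that a quick offline test like this catches before the rule goes live.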

KQL (Microsoft Sentinel / Defender)

KQL
// Hunt for shell or script interpreter children of the messaging desktop clients.
// in~ is the case-insensitive operator; a plain `in` silently misses "SIGNAL.EXE".
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("WhatsApp.exe", "Signal.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessVersionInfoCompanyName
| order by Timestamp desc

Velociraptor VQL

VQL
// Hunt for shell children of the messaging desktop clients. pslist() exposes only
// Ppid, so the parent's name is resolved with a second pass over the same snapshot.
LET procs <= SELECT Pid, Ppid, Name, CommandLine, Username FROM pslist()

LET messaging_parents <= SELECT Pid AS ParentPid, Name AS ParentName
    FROM procs
    WHERE Name =~ "^(WhatsApp\\.exe|Signal\\.exe|signal-desktop)$"

SELECT Pid, Name, CommandLine, Username, ParentPid, ParentName
FROM foreach(row=messaging_parents, query={
    SELECT Pid, Name, CommandLine, Username, ParentPid, ParentName
    FROM procs
    WHERE Ppid = ParentPid
      AND Name =~ "^(cmd\\.exe|powershell\\.exe|pwsh\\.exe|wscript\\.exe|cscript\\.exe|bash|sh)$"
})

Remediation Script (PowerShell)

Note: Registration Lock and two-step verification are settings inside each user's own app and are not exposed to endpoint management tooling, so this script only inventories the desktop clients and prints the hardening reminder; the control itself has to be applied by the user.

PowerShell
# Audit: check for Signal / WhatsApp desktop clients and print the hardening reminder.
# The account takeover cannot be blocked by endpoint policy, so this is an inventory
# plus a user-facing prompt, not a technical control.
Write-Host "[SECURITY AUDIT] Checking for high-risk messaging applications..." -ForegroundColor Cyan

$foundApps = @()

# Per-user installers: Signal Desktop, and the legacy (Electron) WhatsApp build
$appPaths = @(
    "$env:LOCALAPPDATA\WhatsApp\WhatsApp.exe",
    "$env:LOCALAPPDATA\Programs\signal-desktop\Signal.exe"
)

foreach ($path in $appPaths) {
    if (Test-Path -LiteralPath $path) {
        $foundApps += Split-Path $path -Leaf
    }
}

# Current WhatsApp Desktop is a Microsoft Store package installed under WindowsApps,
# so the path check above misses it; query the Appx package for the current user.
$storeApp = Get-AppxPackage -Name "5319275A.WhatsAppDesktop" -ErrorAction SilentlyContinue
if ($storeApp) {
    $foundApps += "WhatsApp (Store, v$($storeApp.Version))"
}

if ($foundApps.Count -gt 0) {
    Write-Host "[!] DETECTED: $($foundApps -join ', ')" -ForegroundColor Yellow
    Write-Host "[ACTION REQUIRED] Active NCSC warning on Signal/WhatsApp account takeovers:" -ForegroundColor Red
    Write-Host "1. Signal: enable Registration Lock (Settings > Account > Registration Lock) and remember the PIN." -ForegroundColor White
    Write-Host "2. WhatsApp: enable Two-step verification (Settings > Account > Two-step verification)." -ForegroundColor White
    Write-Host "3. NEVER read out or forward a verification code, whoever asks. Report unrequested codes to security." -ForegroundColor White
} else {
    Write-Host "[+] No supported desktop clients found." -ForegroundColor Green
}

Remediation

To defend against this specific social engineering threat, Security Arsenal recommends the following immediate actions for high-risk users and the broader organization:

  1. Enable Secondary Verification (PINs):

    • Signal: Enable "Registration Lock" (Settings > Account > Registration Lock). Re-registering the number on a new device then requires the Signal PIN in addition to the SMS code, so an attacker holding only the code is stopped. Signal removes the lock after seven days without the app connecting, so dormant accounts lose this protection.
    • WhatsApp: Enable "Two-Step Verification" (Settings > Account > Two-step verification) and add the recovery e-mail. The six-digit PIN is required on re-registration, and an attacker without it must wait seven days before the number can be registered again, which buys time to detect and recover.
  2. Safety Number and Security Code Verification:

    • Verify the "Safety Number" (Signal) or "Security Code" (WhatsApp) with high-value contacts over a second trusted channel, such as a voice call or in person. A takeover regenerates the account's keys, so every contact sees a change notice; treat an unexpected change for a sensitive contact as a prompt to verify out of band before acting on anything that account sends. Signal shows these notices by default; on WhatsApp each user must enable Settings > Account > Security notifications.
  3. User Awareness Training:

    • Warn users explicitly about the "accidental code" pretext. A verification code arriving when they did not request one means someone is trying to register their number; no legitimate support team and no genuine contact ever needs that code. Tell users to report the event rather than ignore it.
  4. Review Linked Devices:

    • Have users periodically review "Linked Devices" in both apps and remove any session they do not recognise. An attacker who persuades a user to approve a new linked device gets an ongoing copy of their conversations without ever needing the SMS code, so this belongs in the same briefing.
  5. Mobile Carrier Hardening:

    • For executives and other high-risk staff, set a carrier account PIN or port-out lock to raise the cost of SIM-swap attacks, which would let an attacker receive the verification code directly instead of having to talk the victim out of it.
