Personal Cybersecurity Digest

FBI/CISA: Russian campaign phishing messaging apps (Signal/WhatsApp/Telegram/Messenger)

Key Questions

What is the FBI and CISA warning about Russian phishing on messaging apps?

FBI and CISA have warned of a state-sponsored Russian campaign using phishing on apps like Signal, WhatsApp, Telegram, and Messenger. Attackers impersonate support or contacts to steal PINs, codes, or SMS 2FA, hijacking thousands of high-value accounts despite end-to-end encryption. The campaign involves SIM swaps, SS7 exploits, and compartmentalized communications.

How do phishing attacks bypass end-to-end encryption in messaging apps?

Phishing targets out-of-band authentication like SMS 2FA or recovery codes, not the encrypted messages themselves. Attackers trick users into revealing PINs or codes via impersonated support messages. Even secure apps are vulnerable if account recovery relies on phone numbers.

What is Nekogram and why is it dangerous?

Nekogram is a third-party Telegram client with a discovered backdoor that steals users' phone numbers. It compromises privacy by exfiltrating contact data to unauthorized servers. Users should delete it immediately and stick to official apps.

How can I protect against SIM swapping attacks?

Enable registration locks and PINs on your carrier account to prevent unauthorized SIM transfers. Use authenticator apps or hardware keys instead of SMS 2FA. Contact your carrier to set up additional verification for account changes.

What are smishing scams and how can I avoid them on WhatsApp?

Smishing involves fraudulent SMS or app messages tricking users into sharing info or clicking links, like fake job or loan offers on WhatsApp. Enable spam protection in your messaging app settings and toggle smishing blocks. Always verify contacts independently before responding.

Which apps block spoofed calls and scam texts?

Carrier apps like ActiveArmor, Scam Shield, and Call Filter detect and block spoofed calls and fraud. FTC resources recommend enabling these toggles for spam and scam protection. On iPhone or Android, adjust settings to silence unknown callers.

What are passkeys and how do they secure accounts?

Passkeys are phishing-resistant credentials using biometrics or PINs, replacing passwords and SMS 2FA. They work with FIDO standards for high-security logins on services like Google. Set them up in account security settings to prevent account takeover (ATO) attacks.

What general steps protect against these messaging phishing campaigns?

Hang up suspicious calls, verify contacts out-of-band, and delete third-party clients. Switch to authenticator apps, biometrics, or passkeys over SMS 2FA. Report suspicious activity and use carrier fraud tools for call blocking.

State-sponsored phishing impersonates support staff or contacts to steal PINs, codes, or SMS 2FA, hijacking thousands of high-value accounts despite E2EE. Heavy media and US agency coverage (2026-03-25/26) adds SIM swap and SS7 attacks, WhatsApp job and loan scams, smishing toggles, spoofed-call blocking (FTC and carrier apps: ActiveArmor, Scam Shield), the Nekogram Telegram backdoor that steals phone numbers, ATO playbooks, and a compartmentalized communications strategy. The guidance urges registration locks, PINs, authenticator apps, FIDO, biometrics, and passkeys, and tells users to hang up, verify, and delete third-party clients.

Sources (16)
Updated Apr 4, 2026