Russian intelligence services are targeting Signal, WhatsApp, and Telegram users through phishing, linked-device abuse, and backup recovery key theft — not by breaking encryption.
Shared Security is the the longest-running cybersecurity and privacy podcast where industry veterans Tom Eston, Scott Wright, and Kevin Tackett break down the week’s security WTF moments, privacy fails, human mistakes, and “why is this still a problem?” stories — with humor, honesty, and hard-earned real-world experience. Whether you’re a security pro, a privacy advocate, or just here to hear Kevin yell about vendor nonsense, this podcast delivers insights you’ll actually use — and laughs you probably need. Real security talk from people who’ve lived it.
Welcome to the Shared Security Podcast, the longest running cybersecurity and privacy
show for actual humans.
No jargon, no hype, just honest analysis from industry veterans who've seen everything
and survived it.
Each week we break down the stories that matter, expose the nonsense that doesn't, and give
you the tools to stay safe in a world where everything is connected and nothing
is guaranteed.
This is Shared Security.
Russian intelligence services are actively targeting signal WhatsApp and Telegram users
not by cracking encryption, but by stealing people's accounts through phishing, QR code
tricks, and backup recovery key theft.
Now the FBI put out a urgent PSA about it, the US government posted a $10 million bounty
on the hackers.
And the lesson here is one we've been saying on this show for years.
The encryption is only as strong as the person holding the key.
But before we get into all of that, I do have a little personal announcement that I would
like to make.
But quantifies as a personal announcement since both of us are involved?
Yes, and Kevin has involved with this announcement as well, but as you know, or hopefully
you may have seen my post on LinkedIn, but I had recently resigned from my role
at Sneak, and I have accepted a new role at Secure Ideas working with Kevin Tackett.
We know that place.
Yeah, I know, it's weird.
We know that place for some reason, but I am now the executive director of consulting
at Secure Ideas, which makes Kevin my boss.
So I mean, it just worked out that way.
The thing that I don't know, I really don't like the title boss.
Yeah, boss has a negative tone to it.
Yeah, you're my supervisor.
You're my.
I guess.
But I don't want that either.
And I think one of the main reasons I don't like it is, as you and I have talked about
and I feel free to share this kind of thing, is that, you know, the main goal of bringing
you in is to help us employee, build whatever the words are, are consulting business processes,
procedures.
And like we talked about in that, I'm going to listen to you, right?
You know, I accidentally built a company over almost 16 years.
You've purposefully built teams doing these things.
I feel like purposely trumps accidentally.
I feel like this is a sales pitch between, you know, expanding
in the QSA stuff with Jeff and having you, you know, I guess the question people should
be asking is which podcast is going to announce our next hire since.
Jeff, who now?
Tavis on Security Weekly, you've announced your year.
So if you run a podcast and you'd like to announce somebody joining Secure Ideas, reach
out.
Yeah, we'll get out of third podcast.
Why not?
Pretty excited about it.
I, we, you and I have talked for years about you coming on board.
Literally.
Tom turned down a job years ago.
I do.
Basically, he did it politely, but what we all knew was he didn't want to put up with
me day to day.
The reality actually was I just, it was the wrong time, maybe.
I don't know.
Like, I think it's going to be great, but yeah, I might be biased, but I think Secure
Ideas is pretty friggin cool.
And I think you joining it makes it cooler.
So yes.
Thank you.
I'm excited.
Thank you, Kevin.
I am really glad to be finally working at Secure Ideas and I can actually call myself
professionally evil officially.
Yeah.
You've always been professionally evil.
Yeah.
I mean, we were talking about it the other day, right?
You were wearing a professionally evil shirt and I'm like, yes.
I think those were only available to employees and I couldn't, you got one.
From that announcement, let's move on to our story.
Yes.
We're talking about the signal.
Those darn Russians.
I know.
And I want to preface this with like, this is a very targeted attack that's happening.
And of course, like we always say, go back to your threat model, right?
Like if you're, obviously if you're a journalist, if you're working in the governments,
you have a certain position or level, you know, this could be a concern for you,
but you know, if you're an average Joe user using a secure messaging app, this may not
apply or it may.
It just depends.
And I think the theme of this story is around some of the new phishing attacks we've seen
around recovery keys and the recovery codes.
To me, it feels like the core of this story.
Not so much the, oh my gosh, Russian hackers guys.
They're targeting us.
We're all doomed.
What I always get a kick out of is the minute you start talking about Russian something.
I find that you get three reactions.
The first reaction is the one that I think is reasonable and that is, hey, okay, this
specific instance is Russian hackers.
Is it something specific to Russia or is it something like that kind of thing?
Like, yeah, like let's think about it.
Let's talk about it.
Let's look at facts.
The second reaction you get is the news, you know, you hate Russia, whatever, and we can
ignore those idiots.
And then the third reaction is one that I'd like to ignore, but you really can't.
And this goes to, I disagree with your list of people who should be worried about this.
I want to add an additional category of people.
And that is the people who are responsible for IT and security at an organization with
a hysterical CISO or CTO or CIO.
The one that runs out of the room and says, oh, my God, I heard this about this and everything.
They need to be prepared for this as well.
Oh, yeah.
Their preparation is just calm down, relax.
Let's look at our risk model.
Let's look at our threat.
Right.
Um, but but really, I think to me, and I believe you, you've called this out
that the main primary thing that people should be focused on is not, hey, fishing is bad,
whatever, but keep in mind that no matter how secure the transmission is, the end points
are your weakness.
And please don't even say the users, right?
Like if I have control of your phone and I can get into the system, the app, I can
see the messages.
I've got control of the other end.
I can see the messages.
I just I just had a conversation with the Huffington Post.
I was interviewed on the Huffington Post for an article about WhatsApp doing usernames
or some crap like that.
It's like, I'm glad WhatsApp, the horrible application is now catching up with every
other messaging rights world, but when I was talking to the reporter, great, great
person really, really understands what she's talking about and looking at.
We were having the conversation and it was like, hey, look, I don't care how secure
something is no matter how good it is, right?
If the user falls for a scam, if the user or the end point is is compromised, the rest
of it does it irrelevant to the conversation.
And so when we were talking about, you know, phone numbers being publicly available
and used for scams and stuff like that.
But in this case, that ties directly to it, right?
If I know how to reach you, if I can get control of that.
And I think that's where people need to think more about their risk model
because I've talked to too many people about when they say, well, but it's encrypted.
It's like, not when you're looking at it.
I think that is they got in as interesting the way the attacks work
are interesting and everything else that, but really, I want I want people to walk
away from it with the idea of, man, end points are critical.
So I've been absolutely, you know, yeah.
I mean, it's just like with Signal as well.
Like, yes, Secure is a secure messaging app.
But if someone gets access to your phone physically and can access your app,
it's game over, right?
Like the encryption doesn't matter at that point, right?
It's the same thing with these types of attacks.
If you are fished, giving away either credentials or recovery
key codes or any of that thing, like you could have the best, most secure
app in the world, but it's the end point.
Right? Well, and, you know, I don't know about you, but, you know,
I get, I use Signal very often.
Well, I guess I do know you do as well, but.
Mobile apps are just part of everyday life now.
Banking, health care, shopping, entertainment, you name it.
And with that comes a lot of trust because users are putting
their personal data directly into your app.
But here's the reality.
Mobile apps are a growing target.
A recent survey found that 72% of organizations experienced
a mobile app security incident last year and 92% say threats are only increasing.
And the way attackers are going after apps is pretty sophisticated.
They're reverse engineering them, modifying them and redistributing
fake versions through fishing campaigns, side loading and even third
party app stores.
So from a user's perspective, everything can look completely legitimate.
That's why taking a proactive approach to mobile app security really matters.
You want to stay ahead of these threats, not react after the damage is done.
This is where Guard Square comes in.
They provide advanced protection for both Android and iOS apps,
along with automated security testing to catch vulnerabilities early
and real time threat monitoring so you can actually see what's happening out there.
If your mobile app is critical to your business, and it probably is,
this is something worth paying attention to.
You can learn more at GuardSquare.com.
That's GuardSquare.com.
Since we've messaged each other on signal, but let's not go there.
I use it quite often and very often when I go into it, it says to me,
hey, you know, vet your pen, rotate your backup keys, whatever.
You know, it's giving you those popups.
And that's, I want to be clear.
I'm not saying that's bad.
I think it's good that it does it.
I just wish it gave a little bit better explanation somewhere.
And maybe I'm missing it of why you want to do that,
because I think that this attack showcases
some level of misunderstanding what can happen with a backup recovery key.
Right.
Yeah, I, you know, I have talked to people
that that they just think that's a thing they use
to make sure their messages are backed up and it's like, no, no, no.
Like this, this is how you get access to the backup,
which means I can restore the messages, which like we saw in this attack was what happened.
I those popups are great as a reminder to do something and whatever.
And I cannot believe the words those popups are great came out of my mouth.
It did. Understand what those things mean.
Understand why your pen is so important, why those keys are so important and go from there.
Yeah. And where you store those backup recovery keys is also important.
You mean having my browser memorize them is not good?
Yeah, no, that's not good. That's not good.
I would recommend putting those into a password manager
or like I've actually said to people like, you know,
we've had this conversation too about writing them down into a notebook
actually may be more secure.
And I know we've talked about passwords writing down passwords and notebooks,
especially for elderly and other people,
because that is a trope in my opinion of, you know,
misinformation of like, oh, don't write passwords down.
That's bad. Well, it depends on the context and depends on the person
and all these other things. So but same thing goes for recovery key codes.
But I would say that
especially in this instance in the way like signal how it works
with the recovery key codes, even if you do create a new account,
those codes are still valid.
Like it doesn't invalidate over a new account.
You have to actually recreate the recovery key code.
So we'll link in the show notes.
There's some good articles on just like if you do want to change this
or if you think you are a victim of this or whatever, right?
Some reference for you.
But just be careful, you know, if you get a message from signal
support or WhatsApp support or whoever, right?
Like first of all, supports never going to really message you
on these apps in the first place.
Real message from signal support, right, right.
And they will never ask you to copy your recovery key codes
and paste them into a chat.
Secondly, so those should be some red flags to definitely look out for.
They should be. They should be.
Yes, just like someone asked you, hey, send me your password
so I can secure your account.
Yeah, no audit. Don't do that.
Send us all your and if you're going to send your backup recovery key
to somebody, send them to Tom, he likes collecting.
Yeah, yeah, send them secure ideas.
We would appreciate that. No, no, no, no, no.
I'm kidding. All right.
Well, I think that's all we have time for today.
Oh, one more thing, just a plug real quick.
If you have not signed up for the shared security newsletter,
please do so.
You can sign up at shared security dot net slash newsletter.
And we do send that out weekly now.
So you get a nice recap of the episode
and you also get some other stories that we find relevant
or interesting that I kind of curate each week.
So definitely check that out
if you have not signed up for the newsletter.
And with that, I think that's all we have time for today.
Thank you, Kevin. Thank you.
And looking forward to working with you.
Well, we'll make you regret that.
You'll probably hear more fun, secure idea stories on the show.
Not that we haven't been talking about that for years,
but now that I'm part of the team, I thought it was funny.
The conversation we had, I think it was Monday,
might have been Tuesday, where it was like, you know,
all those stories we've talked about, you'll now know who they're about.
I know. I know how the sausage is being made now.
So I like sausage. I do, too.
All right. Well, thanks for listening, everyone.
And until next time, stay safe, stay secure and stay private.
Thank you for listening or watching.
If you like this episode, hit subscribe,
share it with your friends and colleagues
or jump into our community at sharedsecurity.net
slash supporter to keep the conversation going.
Thanks again, and we'll see you next week
for another episode of shared security.