Facebook and WhatsApp malware attack is yet another stark reminder: Be wary of links

Even military personnel are getting phished.
By Mark Kaufman

Hackers continue to successfully dupe people into clicking on shady (though carefully disguised) links, thereby gaining access to the text messages, Facebook accounts, and e-mails on both computers and phones.

A new in-depth cybersecurity report -- undertaken by the cybersecurity firm Lookout and digital rights group the Electronic Frontier Foundation -- shows that professionals of all persuasions are making poor clicking decisions: military personnel, medical professionals, journalists, lawyers, and universities.

The perpetrators of this recently uncovered hacking scheme have been dubbed "Dark Caracal" by the report, and the cybersecurity researchers present compelling evidence that the group has been operating out of a building in Beirut, Lebanon (which happens to be owned by the Lebanese General Directorate of General Security) since 2011. Phones or computers were breached in at least 21 countries, including the United States, China, and Russia.

The hackers used common, though still sophisticated, phishing techniques to steal text messages, call records, audio recordings, photos, and other data from their targets. Broadly speaking, phishing involves hackers disguising themselves as trustworthy or known sources -- perhaps an e-mail from a bank or social media account -- and then tricking people into sharing confidential information.

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said Electronic Frontier Foundation technologist Cooper Quintin in a statement.

In the case of the once-secret Dark Caracal operation, these hackers used WhatsApp messages and Facebook group links to successfully dupe people into clicking, thereby allowing spying and password-collecting malware to enter their Android phones and computers. In the cybersecurity realm, these are called "watering hole attacks," in which hackers identify the specific websites or apps used by a certain group of people -- like an activist group or military organization -- and infect these sites with malware in hopes that someone will click.

For instance, Dark Caracal sent WhatsApp messages to specific individuals, suggesting that they click on a link in a message. Dark Caracal also dropped links into Facebook groups and created mock login portals for Facebook, Google, and Twitter accounts -- where some folks invariably typed in their passwords.

Successful phishing campaigns are inherently deceptive, intended to feel trustworthy and encourage interaction. These sorts of operations are surely not going away -- in fact, they appear to be expanding in use and popularity.

For this reason, one can employ two simple tactics in a malice-filled web. The first is to use two-factor authentication to add a layer of security to your e-mail and social media accounts (although this is far from foolproof -- Dark Caracal appears to have even stolen 2-FA pass codes). The second is to always carry a healthy sense of distrust on the web, which in short means, don't click.
