Click Not Required: Unveiling the Stealth of Zero Click Attacks
I Didn't Click, Am I Really Safe?
In the context of spam/phishing messages, we're often wired to think, 'If I didn't click, I'm safe.'
While this holds true much of the time, a spyware named Pegasus recently made headlines by proving otherwise.
This notorious spyware, named after the winged horse Pegasus of Greek mythology, brought 'no-click' or 'zero-click' hacking to the devices we use every day, challenging our conventional understanding of digital safety.
Zero-click
Zero-click techniques are a type of cyber attack where an individual's device can be compromised without the need for the user to interact with a suspicious link or message.
Normally, we think of cybersecurity threats as something we have to "act" on, like opening a dubious email attachment or clicking a questionable link. However, with zero-click attacks, the malicious software can be installed simply through the device receiving the malicious message.
The Silent Intrusion
Individuals affected by the Pegasus breach received typical phishing or spam messages on their mobile devices, including:
Bogus mobile boarding passes
Fraudulent package delivery notifications
Counterfeit Twitter news update messages
WhatsApp missed calls
Although users were cautious and refrained from clicking on the links, believing themselves to be safe, this unfortunately was not the case.
Zero Day
The silent intrusion was made possible by previously unknown weaknesses in software such as WhatsApp and iMessage. These weaknesses, professionally termed 'zero-day' vulnerabilities because the vendors had no prior knowledge of them and no patch yet existed, allowed the actors to install malicious software on a phone without the user clicking a single link.
Capabilities
Pegasus is reported to have at least the following capabilities:
Intercept and read messages from applications like WhatsApp and iMessage.
Access call logs, contacts, and browser history.
Activate microphones and cameras to survey the physical environment.
Track the device's location.
Harvest information from apps, including credentials and data from banking and social media applications.
Victims
iPhones
Android devices
The Fix
It’s worth noting that both Apple and Google have made strides in patching vulnerabilities as they are discovered, improving the security of their devices to protect against such invasive software. However, the nature of zero-day vulnerabilities means that entirely securing against unknown exploits remains a challenge.
Detecting Pegasus
Amnesty International released an open-source utility called the Mobile Verification Toolkit, designed to detect traces of Pegasus[3]. While useful, this tool requires some expert capability and should be used with care.
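To show the kind of check a tool like the Mobile Verification Toolkit performs, here is an added example (not MVT's own code) that matches constructed device artifacts against a placeholder indicator list; the domains and process names below are assumptions made for the illustration, not real Pegasus indicators.

```python
"""Indicator-of-compromise (IOC) scan over device artifacts, in the spirit of
what MVT does: compare records extracted from a phone backup (browsing history,
process names) against a list of known-bad indicators and report any matches.
All data here is constructed for the example."""
import re
from dataclasses import dataclass

# Constructed indicator set, loosely shaped like a STIX2 bundle (placeholders only).
SAMPLE_IOCS = {
    "domains": {"update-cdn.example", "push-sync.example"},
    "processes": {"placeholder-proc-a", "placeholder-proc-b"},
}

# Constructed artifact records, as a checker would pull them from a backup.
SAMPLE_HISTORY = [
    {"ts": "2021-07-01T10:02:11Z", "url": "https://news.example.org/article"},
    {"ts": "2021-07-01T10:05:42Z", "url": "https://cdn.update-cdn.example/x.gif"},
]
SAMPLE_PROCESSES = ["SpringBoard", "placeholder-proc-a", "mediaserverd"]

@dataclass(frozen=True)
class Detection:
    kind: str        # which artifact source produced the hit
    value: str       # the artifact value that matched
    indicator: str   # the indicator it matched

def domain_of(url):
    """Extract the host part of a URL; None if the URL has no scheme/host."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else None

def matches_domain(host, domain_iocs):
    """Exact match, or a subdomain of an indicator (cdn.bad.example hits bad.example)."""
    return next((d for d in domain_iocs if host == d or host.endswith("." + d)), None)

def scan(history, processes, iocs):
    """Return a list of Detection records for every artifact that matches an IOC."""
    hits = []
    for rec in history:
        host = domain_of(rec["url"])
        if host and (ind := matches_domain(host, iocs["domains"])):
            hits.append(Detection("history", rec["url"], ind))
    for proc in processes:
        if proc in iocs["processes"]:
            hits.append(Detection("process", proc, proc))
    return hits

if __name__ == "__main__":
    for h in scan(SAMPLE_HISTORY, SAMPLE_PROCESSES, SAMPLE_IOCS):
        print(f"[{h.kind}] {h.value} matched indicator {h.indicator}")
```

A real scan runs the same comparison over many more artifact types (SMS, app databases, crash logs) using a vendor-published indicator file, which is why the tool demands care and some expertise.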
Cyber Hygiene Tips
What can we do to protect ourselves from such attacks in the future? To be honest, zero-day attacks are difficult to defend against, since no one knows these vulnerabilities exist in the first place. However, we can minimize their impact and reach by adhering to 'cyber hygiene principles', which include:
Perform regular updates of operating systems and security patches
Use reputable security software
Stay informed about cybersecurity and 'hygiene' practices
Stay Alert, Not Alarmed
Our intention is not to provoke anxiety but to foster vigilance. This article aims to enhance awareness of potential cybersecurity threats, empowering you to stay alert and secure in the digital landscape.
References
[1] Amnesty Report
[2] CISA Advisory