The internet is a vast, constantly evolving landscape that we are yet to understand fully, and it's not getting any more predictable. For the longest time, we had enough reason to believe that cybercrimes mainly resulted from human error. So, most of our efforts focused on the basic dos and don'ts, such as installing an antivirus and ignoring all unknown emails and links. These tricks still work well, but new dangers are emerging that we will need to learn to handle.
The recent data leak at Israel's NSO Group has spotlighted zero-click attacks, which were the primary feature of its software, Pegasus. Zero-click attacks are one of the most sophisticated ways of spying on an individual and can infect a phone without any human interaction. They are targeted, impactful, and highly dangerous.
Demystifying Zero-Click Attacks
When we think of a cyberattack, the first few words that pop up in our heads are malicious links, spam websites, or fraudulent app downloads. The malware infects the device because you inadvertently take some action on these links or websites. Zero-click attacks work differently because they require no effort on the part of the user.
Zero-click attacks take place when hackers identify vulnerabilities or loopholes in software or devices and then devise ways to infect a phone through them in order to compromise user data. For example, a message or email may be sent that the user does not even need to click for the malware to be downloaded. Similarly, a missed call can also do the trick. This is what makes zero-click attacks so dangerous: recognizing the hack is next to impossible, and it rarely leaves a trace.
Once hackers have access to a device, they can exploit it to read call logs, track activity, steal passwords, find out the location, and look at messages, emails, etc.
Some time back, a WhatsApp vulnerability allowed Israeli threat actors to inject spyware into phones. A WhatsApp call was enough to compromise a device, whether or not anyone answered it. Moreover, once the device was attacked, the malware would remove any history related to the call. Thus, detection was out of the question.
Who Can Be a Victim?
Any device with vulnerabilities is susceptible to a zero-click attack. But generally, a select group of individuals are the primary targets. For instance, NSO Group, which manufactures Pegasus, mentions that its clients should use the spyware to prevent terrorism and serious crime. Unfortunately, recent reports have highlighted how Pegasus was (mis)used to spy on high-profile individuals like leaders of the opposition, top businessmen, and journalists.
Attacks also depend on the kind of vulnerabilities present and the extent of information collection required. For example, the cost of Pegasus was relatively high, and governments were the only clients. However, an earlier iOS email bug was enough to target any device with ease. Consequently, everyone should be wary of zero-click attacks and have safety measures in place to combat them.
Preventing Zero-Click Attacks
When you're dealing with zero-click attacks, you need to be on your toes. These hard-to-detect cyber attacks exploit the inherent loopholes of an operating system. Developers and device makers have to constantly monitor for new bugs and ensure they are patched in a timely manner. In addition, updates need to be rolled out actively whenever an attack is sensed.
As a user, you must keep your phone and apps up to date so that new security patches are present. You should also take the usual precautions, such as not clicking on unknown links, not downloading anything from spammy sites, and staying alert to any signs of attack.
Since most zero-click attacks target a particular section of people, the general public may be relatively safe. That should not, however, mean that one lets their guard down. On the contrary, complacency should be the last thing on your mind.
As users, we sometimes fail to recognize that today our mobile phones, more than our personal computers or laptops, are susceptible to attacks. A phone is a lucrative target since we use it so often, and it holds critical information.
Zero-click attacks are a testament to the new and sophisticated ways in which cyber attacks are taking place. The Pegasus case has further highlighted the need for all stakeholders to be highly vigilant and cautious with their devices. Zero-click attacks may not be as frequent as other cybercrimes today, but they can make headlines in the near future.