What is a zero-click attack and why is it dangerous?
A zero-click attack is an attack that does not require any action on the part of the victim. To carry out classic phishing or smishing attacks, hackers must somehow get the victim to click on a fake link or to download and run malware. A zero-click attack, by contrast, is almost invisible: it uses vulnerabilities in the OS to execute malicious code. It is enough for an attacker to simply send a message with malicious code to the victim’s device, which makes it possible to attack even the most cautious users unnoticed.
How do zero-click attacks work?
Zero-click attacks exploit vulnerabilities in the data validation functions of applications and operating systems. Any system that analyzes received data is vulnerable to such an attack. Attackers send a malicious data packet by email or via messengers, hidden inside files, images and text messages that the system considers harmless.
The attack goes like this:
- A hacker discovers a vulnerability, or exploits an already known one, in an email application or messenger;
- The hacker sends an email with a file or a text message containing a data packet that exploits the vulnerability and introduces malware;
- The spyware establishes itself on the victim’s device;
- The hacker’s email is deleted.
Security measures designed to protect users can actually contribute to zero-click attacks. In messengers with end-to-end encryption, it is difficult to detect an attack, because only the sender and recipient can see the contents of the data packet being sent.
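The data validation weakness described in this section, seen from the defender's side as an added example (not code from the original article or from any real messenger): a parser that checks every sender-supplied length before using it. The record format, `parse_caption`, `TAG_CAPTION` and `CAPTION_MAX` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAPTION_MAX 64   /* receiver's fixed caption buffer size (assumed) */
#define TAG_CAPTION 0x01 /* hypothetical tag in this constructed format */

/* Constructed format: records of [1-byte tag][2-byte big-endian length][value].
 * Returns 0 with `caption` NUL-terminated, or -1 on malformed input, in which
 * case the caller must discard the message and not use `caption`. */
int parse_caption(const uint8_t *msg, size_t msg_len, char caption[CAPTION_MAX])
{
    size_t off = 0;
    caption[0] = '\0';
    while (off < msg_len) {
        /* Check 1: the 3-byte record header must fit in what is left. */
        if (msg_len - off < 3)
            return -1;
        uint8_t tag = msg[off];
        size_t len = ((size_t)msg[off + 1] << 8) | msg[off + 2];
        off += 3;
        /* Check 2: compare the sender's length field with the bytes actually
         * received; without this the parser reads out of bounds. */
        if (len > msg_len - off)
            return -1;
        if (tag == TAG_CAPTION) {
            /* Check 3: the value plus NUL must fit the destination;
             * without this memcpy writes out of bounds. */
            if (len >= CAPTION_MAX)
                return -1;
            memcpy(caption, msg + off, len);
            caption[len] = '\0';
        }
        off += len; /* other tags are skipped, still within bounds */
    }
    return 0;
}

/* Constructed sample inputs. */
static const uint8_t good_msg[]  = { 0x01, 0x00, 0x02, 'h', 'i' };
static const uint8_t lying_len[] = { 0x01, 0xFF, 0xFF, 'h', 'i' }; /* claims 65535 bytes */
static const uint8_t short_hdr[] = { 0x01, 0x00 };                 /* truncated header */

int main(void)
{
    char cap[CAPTION_MAX];
    return (parse_caption(good_msg, sizeof good_msg, cap) == 0 &&
            parse_caption(lying_len, sizeof lying_len, cap) == -1 &&
            parse_caption(short_hdr, sizeof short_hdr, cap) == -1) ? 0 : 1;
}
```

Because such parsing runs automatically when a message arrives, each of the three checks has to hold before any byte of the message is copied or interpreted.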
Who uses zero-click attacks, and for what?
They are used for espionage, not only by intruders, but also by government agencies. The victims of zero-click attacks are often journalists, politicians and businessmen. The most famous program for zero-click attacks is Pegasus from the Israeli company NSO Software.
How to protect yourself from zero-click attacks?
If the attack is aimed at you, then it is almost impossible to defend against it. But we can give you some security tips that will increase your overall protection and help mitigate the consequences of a zero-click attack.
- Update your apps and systems regularly;
- Pay attention to reviews of the application and information about its developers;
- Use multi-factor authentication to access important websites, email, and social networks;
- Don’t use the same password for all accounts;
- Use extensions to block pop-ups and spam in the browser, as attackers often use them to spread malware;
- Make regular backups of all data and store them separately from the main hard drive.