A basic IT security guide for Maltese boomer journalists who fall for primitive Whatsapp phishing

This weekend, MaltaToday editor Kurt Sansone and RTK103 talk show host Andrew Azzopardi fell victim to what they initially claimed to be WhatsApp ‘hacks’.

A Times of Malta article published on Saturday afternoon revealed how there was not much ‘hacking’ involved in the exercise targeted at taking over their accounts.

In fact, Sansone and Azzopardi fell victim to phishing – a simple yet effective form of social engineering – by being tricked into sharing sensitive data.

The journalists, among others who may have been targeted for being connected to them, were simply manipulated into giving access to their accounts themselves.

Sansone told Times of Malta he coincidentally had been “discussing a gate access code” with a friend before he received and forwarded a six-digit code.

Similarly, Azzopardi said he made the same mistake in reaction to an “urgent” message seemingly received from a friend who had been “in and out of hospital”.

The six-digit SMS codes received from WhatsApp were in fact requested by criminals who had already been able to take over the accounts of those friends of Sansone and Azzopardi.

Both journalists then unsuspectingly forwarded what actually were their own Whatsapp recovery codes to the compromised accounts of their contacts.

This may have allowed criminals to download copies of all their WhatsApp chats, photos, videos, documents and contacts in a matter of minutes.

Sansone and Azzopardi somehow failed to mention how the WhatsApp recovery code SMS they had received must have warned them “If you didn’t do this, don’t share this code with anyone”.

A previous wording of those recovery messages, as shown above, even ordered users in no uncertain terms “Don’t share this code with others”.

“There’s a sense of urgency we’ve created around social media that can cloud our judgement”, Andrew Azzopardi – Dean of the Faculty for Social Wellbeing – externalised his lack of judgement in the incident.

Kurt Sansone, who also serves as vice-president of the Institute of Maltese Journalists, admitted “I am still kicking myself”, adding “it is very frustrating because now my contacts are at risk, and I can’t do anything about it”.

Phishing can work on anyone of us if we’re being caught on the wrong foot.

However, the question is whether journalists – who have great responsibility towards their contacts and sources – can allow themselves to be caught on the wrong foot, especially in the environment we’re currently working in:

It is no news to anyone within the media sector that a number of colleagues have been followed by individuals they identified to be part of both the Labour Party and the Malta Security Services.

Some of them said they are well aware that they and their families had even been spied on from outside their homes on several occasions – not exactly as a measure for their own safety.

Malicious attempts of gaining access to local journalists’ and media houses’ email accounts, web servers and social media accounts have increased.

It is also known within the industry that these incidents sharply increased mid-way through the last election campaign, seemingly orchestrated with Robert Abela’s ‘Establishment‘ rants against journalists and members of the judiciary.

It might be for this very reason that the vice president of the journalists’ institute, representing the media workers of this country, might kick himself even harder while reading this piece.

We must never allow ourselves to drop our guard because we perfectly know the environment in which we work.

You may now rightly be wondering why you haven’t read about anything of this in the news. The answer is that those affected believe this is not the time to make journalists the center of a scandal again. I strongly disagree. When if not now?

You may also rightly be wondering how you could ever be able again to trust a Maltese journalist’s IT security level when submitting sensitive information that could expose yourself to the entity you’re working for or to the general public.

Several months ago, NEWZ.mt tightened IT security measures due to these observations and at the slightest hint of increased phishing attempts against our servers and accounts.

Unlike other local editors have done in the past, I will not boast about targeted attacks against NEWZ.mt unless hard evidence surfaces of hacking attacks specifically aimed at my internal or external IT infrastructure.

But I’ve done my homework both with the responsibility of a journalist vis-à-vis everyone who wishes to get in touch with me in order to submit sensitive information – and as a private person.

To be very clear: there isn’t and never will be a 100 percent guarantee that your online communication with journalists is safe from other’s eyes and ears.

However, journalists with a basic and up-to-date understanding of cybersecurity, who know how easily they could compromise the security of others if they don’t follow simple guidelines,

– never click suspicious links,
– never forward any codes,
– never use public Wi-Fi,
– never turn on Wi-Fi and Bluetooth in public,
– always use very strong passwords,
– always use different ones for every platform,
– always use two-factor authentication,
– always use VPN or Double VPN on all devices,
– and will always tell you, the source, to share sensitive information over Signal rather than any other messaging app.

There you go.