Zero-Click Attacks. How Dangerous are They?

What is a zero-click attack and why is it dangerous? 

This is an attack that does not require any action on the part of the victim. To carry out classic phishing or malware attacks, hackers must somehow get the victim to click on a fake link or download and run malware. A zero-click attack is almost invisible: it uses vulnerabilities in the OS to execute malicious code. It is enough for an attacker to simply send a message with malicious code to the victim's device, so even the most cautious users can be harmed.

How do zero-click attacks work?

Attackers send malicious data via email or instant messengers inside files, images, and text messages that the system considers harmless. 

- The hacker discovers a vulnerability, or uses an already known one, in the email/messenger application;

- Sends an email with a file or text message containing a data package that exploits the vulnerability and injects a malicious program;

- The spyware attaches itself to the victim's device; 

- The hacker's email is deleted. 

Security measures designed to protect users can actually facilitate zero-click attacks. In end-to-end encrypted messengers, it is difficult to detect an attack because only the sender and recipient can see the contents of the data packet being sent. 

Who uses zero-click attacks and why? 

They are used for espionage, not only by cybercriminals but also by government agencies. Journalists, politicians, and businessmen often become victims of zero-click attacks. The most famous program for carrying out zero-click attacks is Pegasus from the Israeli company NSO Software. 

How to protect yourself from zero-click attacks? 

If an attack is aimed at you, then it is almost impossible to defend against it. But we can give you some security tips that will increase your overall protection and help mitigate the effects of a zero-click attack. 

- Update your applications and systems regularly; 

- Pay attention to app reviews and information about developers; 

- Use multi-factor authentication to access important websites, email, and social networks; 

- Don't use the same password for all accounts; 

- Use browser extensions to block pop-ups and spam, as hackers often use them to spread malware;

- Back up all your data regularly and keep it separate from your main hard drive.