Hackers continue to successfully dupe people into clicking on shady (though carefully disguised) links, thereby gaining access to the text messages, Facebook accounts, and e-mails on both computers and phones.

A new in-depth cybersecurity report -- undertaken by the cybersecurity firm Lookout and digital rights group the Electronic Frontier Foundation -- shows that professionals of all persuasions are making poor clicking decisions: military personnel, medical professionals, journalists, lawyers, and universities.


The perpetrators of this recently uncovered hacking scheme have been dubbed "Dark Caracal" by the report, and the cybersecurity researchers present compelling evidence that the group has been operating out of a building in Beirut, Lebanon (which happens to be owned by the Lebanese General Directorate of General Security) since 2011. Phones or computers were breached in at least 21 countries, including the United States, China, and Russia.

The hackers used common, though still sophisticated, phishing techniques to steal text messages, call records, audio recordings, photos, and other data from their targets. Broadly speaking, phishing involves hackers disguising themselves as trustworthy or known sources -- perhaps an e-mail from a bank or social media account -- and then tricking people into sharing confidential information.


“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said Electronic Frontier Foundation technologist Cooper Quintin in a statement.

In the case of the once-secret Dark Caracal operation, these hackers used WhatsApp messages and Facebook group links to successfully dupe people into clicking, thereby allowing spying and password-collecting malware to enter their Android phones and computers. In the cybersecurity realm, these are called "waterhole attacks," in which hackers identify the specific websites or apps used by a certain group of people -- like an activist group or military organization -- and infect these sites with malware in hopes that someone will click.

For instance, Dark Caracal sent WhatsApp messages to specific individuals, suggesting that they click on a link in a message. Dark Caracal also dropped links into Facebook groups and created mock login portals for Facebook, Google, and Twitter accounts -- where some folks invariably typed in their passwords.

Successful phishing campaigns are inherently deceptive, intended to feel trustworthy and encourage interaction. These sorts of operations are surely not going away -- in fact, they appear to be expanding in use and popularity.

For this reason, one can employ two simple tactics in a malice-filled web. The first is to use two-factor authentication to add a layer of security to your e-mail and social media accounts (although this is far from foolproof -- Dark Caracal appears to have even stolen 2-FA pass codes). The second is to always carry a healthy sense of distrust on the web, which in short means: don't click.

