Fake "Security": Telegram accounts are being stolen again via messages

Hackers created a fake security service.


Telegram is under attack by scammers again. Cybercriminals have developed a new scheme for hijacking accounts, posing as the messenger's security service. They send messages from an account with the nickname "Security" and a Telegram avatar, urging recipients to follow a link to protect their data. In reality, the victim is redirected to a fake site with a QR code, and scanning it gives the attackers full access to the account.

How the scheme works
The user receives a message from the fake account "Security".
The text contains a link leading to a phishing site stylized as Telegram.
This site offers to log in to the account by scanning a QR code.
If the user follows the instructions, the scammers get the opportunity to log in to their account and take control.


Thus, hackers gain access to all correspondence, and if the victim's account is linked to channels or groups, they can take over those as well.
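A defender-side check for the scheme above, as an added example that is not part of the original article: it flags a Telegram login QR code that is served from a page outside Telegram's own domain, including look-alike hosts. It assumes the QR code carries Telegram's documented `tg://login?token=...` login URI and that only `telegram.org` and its subdomains count as genuine; the function names, sample URLs and tokens are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: only telegram.org and its subdomains are treated as genuine.
OFFICIAL_SUFFIX = "telegram.org"
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")  # base64url-shaped token


def is_login_qr(payload: str) -> bool:
    """True if a decoded QR payload is a Telegram session-login URI."""
    parts = urlsplit(payload.strip())
    if parts.scheme.lower() != "tg" or parts.netloc.lower() != "login":
        return False
    tokens = parse_qs(parts.query).get("token", [])
    return len(tokens) == 1 and bool(TOKEN_RE.match(tokens[0]))


def is_official_host(page_url: str) -> bool:
    """True only for https pages on telegram.org or a real subdomain of it."""
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        return False
    # Suffix match on a dot boundary, so telegram.org.evil.example fails.
    return host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX)


def assess(page_url: str, qr_payload: str) -> str:
    """Classify a QR code found on a web page."""
    if not is_login_qr(qr_payload):
        return "not-a-login-qr"
    if is_official_host(page_url):
        return "login-qr-on-telegram-host"
    return "ALERT: login QR served from non-Telegram host"


# Constructed samples: .example hosts are placeholders, the token is fake.
FAKE_QR = "tg://login?token=AQJ4c2FtcGxlLXRva2Vu"
SAMPLES = [
    ("https://web.telegram.org/k/", FAKE_QR),
    ("https://telegram-security.example/verify", FAKE_QR),
    ("https://web.telegram.org.login.example/", FAKE_QR),
    ("https://shop.example/menu", "https://shop.example/menu.pdf"),
]

if __name__ == "__main__":
    for page, qr in SAMPLES:
        print(f"{assess(page, qr):48} {page}")
```
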

Is this something new?
No. Similar attacks have been recorded before. In 2023, scammers sent messages, allegedly from Telegram support, warning about a request to delete an account. To cancel the deletion, users were asked to follow a link and enter a phone number with a confirmation code. This way, the criminals gained full control over the account.

Even earlier, in 2019, Group-IB researchers reported multiple cases of hacking Telegram accounts. Back then, the criminals did not use phishing sites, but intercepted SMS login codes through vulnerabilities in mobile networks. Users who did not use a cloud password and relied only on SMS to log in were especially vulnerable.

A new level of threats
Where scammers previously had to hack telecom operators or intercept SMS, now everything is much simpler. Modern attacks are based entirely on social engineering: attackers convince users to hand over data via fake websites or QR codes. This makes the attacks widespread and effective.

Moreover, in the fall of 2024, an advertisement for account hacking services appeared on Telegram. Customers were offered a full archive of the victim's correspondence for 100-150 thousand rubles. The hackers claimed that they could even bypass two-factor authentication. In 2023, the same services were offered for $17,000 (approximately 1.5 million rubles), but at that time the hacking required more time and complex technical manipulations.
 