NEWS "The admin has lost everything, moving to a new chat." If you see this message, run (or at least don't enter the code).

pinkman

Kaspersky warned of a massive account theft scheme using built-in Telegram apps.
Kaspersky Lab experts have warned of a new mass account hijacking scheme for Telegram, which relies on the messenger's built-in web apps and social engineering. According to the experts, they noticed a surge in these attacks late last week: users began receiving messages urging them to enter a "verification" code directly in the built-in Telegram app.

The scenario seems plausible and is designed for large group chats where the participants don't know each other personally. One of the participants (or an already compromised account) writes that the chat is supposedly being moved due to loss of access to the administrator's account and prompts the victim to click a link with text like "Go to the newly created chat." Clicking it opens a window in the built-in Telegram app, asking for a five-digit code. In reality, this is the code used to add a new device to the account. If the victim enters these numbers, the attackers gain access to their account and begin sending out the same "cover story" under the hacked user's name, infecting other chats in the process.

However, the takeover is not instantaneous. Initially, attackers gain access to the account to continue spreading the scheme, but they aren't always able to immediately read all the messages and block the owner's devices. After some time, though, they gain the ability to expand control, including "kicking" the user out of the account.

A particular risk is that this isn't a typical phishing scam with a fake website. The malicious scenario resides within the Telegram ecosystem: the user clicks a Telegram link and sees the familiar interface of the built-in app. The psychology behind it is simple: news of hacked accounts and chats has long been commonplace, so the request to "immediately recreate the chat" seems plausible to many, especially in the noisy information flow.

Kaspersky Lab reminds users that accounts on popular messaging apps remain a lucrative target. They are used both for simple requests to "loan money" to contacts on behalf of the victim and for more complex scenarios, including conversation analysis and attempts to monetize access. In the business environment, the risks are even higher: compromising work chats can lead, for example, to the substitution of payment details.

If you have already clicked the link and entered the code, there's still a chance to regain control, but you need to act quickly. Our recommendation: open Telegram and go to "Settings" -> "Privacy" -> "Active Sessions," then click "End all other sessions." This may terminate access for the device the attackers have connected, if they haven't yet managed to gain a foothold and change the security settings.
 