Original article: "Beosin Security Prevention Series | Endless 'new tricks': how to stay vigilant against Telegram scams?"

Account takeovers on the cross-platform instant messaging app Telegram have become frequent recently. Criminals hijack users' Telegram accounts and then commit fraud by impersonating the victim to the victim's own contacts.

In response to these incidents, the Beosin Security Research Department has catalogued the common Telegram fraud methods and explains how to recognize and prevent them.

1. Fraud Methods

Screenshot of the TG login code

A relatively new takeover technique works like this: the scammer poses as a friend and, with some pretext, asks you for a screenshot of your chat page. It looks harmless, but at that very moment the scammer is entering your phone number on a new device to log in to Telegram. Telegram delivers the login code to your existing sessions as a message from its official service account, so if the screenshot you send shows that message, the scammer reads the code from it and logs in as you. The process in detail:

1. First, obtain the phone number tied to your TG account.

If your phone number's privacy setting is "Everybody", strangers can read it from your profile; otherwise the scammer may first take over one of your friends' accounts and read your number from that friend's contact list.

2. Obtain the login code by deception.

The scammer claims, with some pretext, that something is wrong with your account and asks you to screenshot your chats. At the same time, the scammer enters your phone number on a new device and requests a login, which makes Telegram send the code to your existing sessions.

For example, two common pretexts:

The same contact appears twice in the chat list: when a secret chat is started with a contact, that contact appears twice in the chat list, once for the normal chat and once for the secret chat, which carries a lock icon in front of the name (the original article shows a screenshot of this). The scammer starts a secret chat with you and uses the "duplicate contact" as the reason to ask for a screenshot of your chat list.

Helping a friend unblock an account: the scammer claims the account has been restricted by Telegram's official side and that a friend needs to send over a verification code to help unblock it.

3. Log in to the account and continue the fraud.

If you inadvertently send a screenshot containing the login code and two-step verification is not enabled, the scammer logs in to your account with that code alone. They then terminate all your other sessions, set a password, and use your account to scam the people in your contact list.

Fraudulent SMS messages pretending to be official

The text message impersonates Telegram, claims that the user's TG account has violated the usage rules and will be restricted, and directs the user to a website to "lift the restriction". The link leads to a phishing page; a user who follows it and enters their login details there hands the account to the attacker.

Third-party programs with backdoors

Telegram does not ship a Chinese-language installer, so ordinary users search for a "Chinese version" with a third-party search engine. Scammers use SEO to push their own "Telegram Chinese version" download sites to the top of the results and lure users into installing the top-ranked application.

A backdoored TG client automatically scans chat messages for blockchain addresses. When it detects a wallet address in a message the user sends, it replaces it with the scammer's own address, so the counterparty's funds go to the scammer and the user suffers the loss.

In the following case, the user downloads a "Chinese version" client from http://www.telegram-china.org (now offline) and sends a TRX wallet address through it:

Beosin test results

At this time, the wallet address sent is: TNpEa9PoqWsoPcTdTqUUdrYJbqhVLoSVFh

After closing and reopening the client, the same message now shows a different wallet address: the client swapped it.

Beosin test results

Malicious Telegram Chinese language pack

Some time ago a TG "Chinese" channel (https://t.me/zh_CN_Telegram_zh_CN_CN_zh_ch_zn) was exposed as fake. The real simplified Chinese language pack is maintained at https://t.me/zh_CN; that project has stopped translation work for lack of volunteers. When the fake channel was exposed it had nearly 800,000 subscribers, and the "language pack" it distributed was an installer with a backdoor. Genuine Telegram language packs are applied inside the app through a t.me/setlanguage link and are never executable files; a downloadable installer is the tell.

Security researchers analysed the "language pack" file and found it to be a downloader: once run it fetches further modules and tries to evade detection by security software. The sample also checks for mouse movement to detect and evade sandbox analysis.

Telegram bots that steal verification codes

Security researchers abroad have found criminal groups using Telegram bots to capture victims' OTP tokens and SMS verification codes and so defeat 2FA (two-factor authentication). The bots automate the social engineering: they place calls to victims while impersonating banks and other legitimate services, and prompt the victim to enter the OTP or another verification code on their phone. The code is relayed to the attacker, who uses it to drain funds from the victim's accounts and to steal passwords, session cookies, login credentials and credit card details.

"Cryptocurrency investment" scam

Scammers on Telegram pose as cryptocurrency experts and promise returns on crypto investments. They approach you through Twitter replies or directly on Telegram, claiming they can deliver a high return on your investment.

If you take part, they have you open an account on a "special" cryptocurrency exchange of their own. The dashboard then shows your investment growing, but when you try to withdraw your earnings, the scammers and your account disappear.

Beosin security advice

We offer the following suggestions for using Telegram safely and avoiding account theft and financial loss.

Turn on two-step verification

For account security, set a two-step verification password promptly. This password is requested in addition to the login code whenever your account is logged in on a new device, so a scammer who obtains only the code still cannot get in.

Open Settings > Privacy and Security > Two-Step Verification to set it up. Add a recovery email in the following steps so that you can reset the password through that email if you forget it.

Use third-party clients with caution

Check where your client came from. If you installed it from a package found through a web search, uninstall it and reinstall from the official website. A third-party client has full control of your account: it can read every chat, act on your behalf, and collect identifying information from your device. For safety, download and use the software only from the Telegram official website (telegram.org).

Don't send sensitive personal information to Telegram bots

Use Telegram bot services with caution and do not disclose personal data, including name, username, mobile number, email address, password data or any information that can be used to identify you.

Be wary of private messages from strangers

Do not trust private messages from strangers, and stay alert to avoid financial loss or information theft. If someone harasses you, block them. Do not open files or links you receive from unfamiliar senders.

Transfer address verification

Confirm the wallet address with the counterparty more than once, preferably over a second channel, before any transfer; or send the address as a screenshot of the wallet's QR code and have the counterparty scan it. The backdoor described above rewrites text, not images, so the scanned address is a reliable reference against which the text address can be compared.
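As an added example (not Beosin's code or the tooling used in its test), the script below turns the address-substitution case from the backdoored client above and the verification advice here into something you can run over messages you are about to send or have exported: it extracts TRON and EVM-style addresses, validates the TRON Base58Check checksum, and compares each address against an allowlist you confirmed with the counterparty out of band. The message texts and the 20-byte account hashes used to build the sample addresses are constructed; the Base58Check layout (0x41 version byte, double-SHA256 checksum) is TRON's documented address format.

```python
"""Audit wallet addresses in Telegram messages against an out-of-band allowlist.

Added example, not Beosin's code. Assumptions: messages are plain strings
(e.g. the "text" fields of a Telegram Desktop chat export) and the allowlist
was confirmed with the counterparty over a second channel.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_PREFIX = b"\x41"  # TRON mainnet version byte; it is why every address starts with "T"

# TRON mainnet addresses (34 Base58 chars starting with T) and EVM-style hex
# addresses (0x + 40 hex digits), the formats a substituting client targets.
ADDRESS_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b|\b0x[0-9a-fA-F]{40}\b")


def b58encode(data: bytes) -> str:
    """Bitcoin-style Base58: big-endian integer, each leading zero byte becomes '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, r = divmod(n, 58)
        digits.append(B58_ALPHABET[r])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + "".join(reversed(digits))


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on characters outside the alphabet."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def tron_address_from_hash160(account_hash: bytes) -> str:
    """Build a TRON address from a 20-byte account hash: 0x41 || hash || checksum, Base58."""
    if len(account_hash) != 20:
        raise ValueError("TRON account hash must be 20 bytes")
    payload = TRON_PREFIX + account_hash
    return b58encode(payload + _checksum(payload))


def is_valid_tron_address(addr: str) -> bool:
    """True when addr decodes to 0x41 + 20 bytes followed by a matching checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[:1] != TRON_PREFIX:
        return False
    return _checksum(raw[:21]) == raw[21:]


def audit_messages(messages, allowlist):
    """Return (address, verdict) for every address found in the messages.

    "trusted"      - address is in the out-of-band confirmed allowlist
    "SUBSTITUTED?" - well-formed but not on the allowlist; treat as a swap
                     until confirmed over a second channel
    "malformed"    - fails the checksum (a typo or a damaged paste)

    A swapped-in address is normally well-formed, so the checksum alone never
    catches the substitution; only the allowlist comparison does.
    """
    findings = []
    for msg in messages:
        for addr in ADDRESS_RE.findall(msg):
            if addr in allowlist:
                verdict = "trusted"
            elif addr.startswith("T") and not is_valid_tron_address(addr):
                verdict = "malformed"
            else:
                verdict = "SUBSTITUTED?"
            findings.append((addr, verdict))
    return findings


if __name__ == "__main__":
    # Constructed sample: the address you meant to send, and one a backdoored
    # client might swap in (both built from made-up account hashes).
    mine = tron_address_from_hash160(bytes(range(20)))
    swapped = tron_address_from_hash160(bytes(20))
    chat = [f"my TRX address: {mine}", f"my TRX address: {swapped}"]
    for addr, verdict in audit_messages(chat, allowlist={mine}):
        print(f"{verdict:13} {addr}  checksum_ok={is_valid_tron_address(addr)}")
```

Run it against the text of the message as it actually appears on the recipient's side (or in an export) rather than the text you typed: the swap happens at send time, so the sender's own input field is exactly the place where it will not show.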

Regularly check Telegram login devices

Review the Active Sessions list regularly (Settings > Devices on mobile, or Privacy and Security > Active Sessions in the desktop client), check each session's device, client, IP address and location, and terminate any session you do not recognize.
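As an added example (not Beosin's tooling), the script below automates that review. The triage rules in `triage_sessions` are plain Python and run offline on a constructed session list; `audit_account` fetches real sessions and terminates flagged ones through Telethon's `account.GetAuthorizationsRequest` and `ResetAuthorizationRequest`, which is an assumption about that library and needs your own `api_id`/`api_hash`. The sample device names, IP addresses and country codes are made up.

```python
"""Triage Telegram active sessions and terminate the ones that look wrong.

Added example, not Beosin's code. The Telethon calls in audit_account are an
assumption about that library; everything else runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Session:
    hash: int               # value Telegram expects in account.resetAuthorization
    device_model: str
    app_name: str
    ip: str
    country: str            # country code Telegram derives from the IP
    official_app: bool      # False for third-party clients
    current: bool           # the session running this script
    date_created: datetime  # timezone-aware (Telethon returns UTC datetimes)


def triage_sessions(sessions, expected_countries, now=None, recent=timedelta(hours=24)):
    """Return [(session, [reasons])] for the sessions worth terminating.

    Rules: unofficial client (a backdoored "Chinese version" shows up here),
    login from a country you never use, or a session created within `recent`
    that you did not just open yourself. The current session is never listed,
    so an automated run cannot lock you out.
    """
    now = now or datetime.now(timezone.utc)
    flagged = []
    for s in sessions:
        if s.current:
            continue
        reasons = []
        if not s.official_app:
            reasons.append(f"unofficial client: {s.app_name}")
        if s.country not in expected_countries:
            reasons.append(f"unexpected country: {s.country} ({s.ip})")
        if now - s.date_created < recent:
            reasons.append("created in the last 24 h")
        if reasons:
            flagged.append((s, reasons))
    return flagged


def audit_account(api_id, api_hash, expected_countries, terminate=False):
    """Fetch real sessions with Telethon and optionally terminate flagged ones.

    Assumption: Telethon's account.GetAuthorizationsRequest returns objects with
    hash, device_model, app_name, ip, country, official_app, current and
    date_created attributes. Needs your own api_id/api_hash and a one-time
    interactive login; run with terminate=False first and read the output.
    """
    from telethon.sync import TelegramClient
    from telethon.tl.functions.account import (GetAuthorizationsRequest,
                                               ResetAuthorizationRequest)

    with TelegramClient("session-audit", api_id, api_hash) as client:
        auths = client(GetAuthorizationsRequest()).authorizations
        sessions = [Session(a.hash, a.device_model, a.app_name, a.ip, a.country,
                            a.official_app, a.current, a.date_created) for a in auths]
        flagged = triage_sessions(sessions, expected_countries)
        for s, reasons in flagged:
            print(f"{s.app_name} on {s.device_model} from {s.ip}: {'; '.join(reasons)}")
            if terminate:
                client(ResetAuthorizationRequest(hash=s.hash))
        return flagged


# Constructed sample (made-up devices, documentation-range IPs, arbitrary countries).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    Session(1, "iPhone 13", "Telegram iOS", "203.0.113.5", "SG", True, True, SAMPLE_NOW - timedelta(days=90)),
    Session(2, "Desktop", "Telegram Desktop", "203.0.113.7", "SG", True, False, SAMPLE_NOW - timedelta(days=30)),
    Session(3, "Android", "Telegram Chinese version", "198.51.100.9", "SG", False, False, SAMPLE_NOW - timedelta(hours=2)),
    Session(4, "Android", "Telegram Android", "192.0.2.44", "NG", True, False, SAMPLE_NOW - timedelta(hours=1)),
]

if __name__ == "__main__":
    for s, reasons in triage_sessions(SAMPLE_SESSIONS, {"SG"}, now=SAMPLE_NOW):
        print(f"terminate hash={s.hash} ({s.app_name}): {'; '.join(reasons)}")
```

Terminating every other session after a takeover is what the scammer does to you; running this yourself right after enabling two-step verification does the same in your favour, with the rule that the current session is never touched.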

Cancel sharing of your mobile phone number when adding a contact

Telegram has only Contacts, not mutual "friends". Adding or deleting a contact is a one-way operation: it does not add you to, or remove you from, the other person's contact list. So when you add a contact, uncheck "Share My Phone Number", which is checked by default.

Hide your mobile phone number, restrict group invitations, etc.

In Settings -> Privacy and Security, hide your phone number, last seen and online status, profile photo, forwarded-message link, etc.; set "Groups and Channels" to "My Contacts" so that people who are not your contacts cannot add you to groups, which reduces exposure to scams; and do not use Telegram's People Nearby feature.

Beosin launches security verification function on its official website

To counter "impersonation" scams on platforms such as Telegram and Twitter, Beosin's official website now offers a security verification function.

Customers can enter the business card details of the Beosin employee who is in contact with them; if the details verify, the contact is genuine.

If verification fails, you may be dealing with a scammer impersonating a Beosin employee, so be extra cautious.

Okay, that’s the end of today’s safety sharing. See you next time.