A surge in account theft targeting users on Telegram and WhatsApp has emerged, according to researchers coordinating phishing protection efforts. The report is based on findings from the CERT-FACCT team, which monitors information security incidents and analyzes spear-phishing campaigns. Researchers noted a spike in registered domain names intended to hijack Telegram accounts during the early days of December. They also observed phishing pages and forms aimed at accessing WhatsApp accounts, signaling a broadening trend beyond a single platform [CERT-FACCT].
Analysts described active phishing sites that push false claims about voting contests and prompt users to authorize access through deceptive Telegram forms. When users submit their credentials, they risk losing control of their messenger accounts. CERT-FACCT representatives counted twenty such sites in operation, illustrating a coordinated effort to harvest sensitive login data through convincing but illegitimate portals [CERT-FACCT].
The researchers noted a shift in tactics compared with earlier waves. While attackers previously exploited topics related to children’s competitions, the current campaigns lean on themes tied to family life, workplace scenarios, and professional skills to increase the likelihood of engagement. This adjustment underscores how threat actors adapt to user interests and trust cues in order to bypass common security controls [CERT-FACCT].
To widen reach, malicious operators continue to create Telegram channels that link to phishing resources. When channel settings permit, they may even add potential victims directly to these channels. They frequently seed messages with ordinary greetings like “Good day!” or “Good morning!” to normalize the channel and lower the guard of participants. In many posts, the author—often a stolen Telegram account—appeals for votes with phrases such as “One minute of your time will bring me closer to victory.” In discussions, a typical comment like “I voted, it’s not hard for me” can appear to be an ordinary user reply, further prompting others to engage and potentially reveal credentials on compromised devices [CERT-FACCT].
The researchers reported that the WhatsApp phishing campaigns continue to exploit creative themes around children’s activities. They also noted distribution of malicious links through messages routed from compromised social media accounts, including those on popular networks like VKontakte. The analysis emphasizes that users who enable all security features in instant messengers, including two-factor authentication and one-time passwords or virtual passwords, and who practice good digital hygiene, are far less likely to fall prey to these schemes [CERT-FACCT].
In closing, observers remind users that digital safety is a shared responsibility. The ongoing surge in phishing resources built to steal instant-messaging accounts demonstrates the importance of vigilance, robust authentication, and cautious handling of unsolicited requests for login or verification information. The broader cyber threat landscape continues to evolve, with attackers adapting their narratives to appear trustworthy and timely. Consumers are urged to verify the legitimacy of any prompt asking for credentials, rely on official security channels, and report suspicious activity to their platform’s security team [CERT-FACCT].