Advertising, phishing and capitalization
In mid-July, a message appeared on the popular Telegram fashion channel Dressed to Kill, posted on behalf of its administrator and inviting subscribers to “grow their capital”. As it turned out, the channel had been hijacked by a scammer who had introduced himself as an advertiser.
According to Ekaterina Lemekh, the author of Dressed to Kill, before buying the ad the attacker asked her to provide channel statistics via the Telemetry-plus tool, to which he sent a link. The site raised no suspicions, because it looked just like other services that provide such statistics. But when she tried to log into Telegram through it, a registration window popped up, as if she had never registered there.
The scammer then contacted her, demanded money and said he would keep “raping her audience” until the channel owner paid. In a conversation with socialbites.ca, Lemekh explained that as soon as the attackers gained access to her account, they transferred control of the channel to another account with the same old nickname, and her own page was deleted.
“Therefore, subscribers did not notice the change, because the ‘administrator’ nickname and the photo remained the same,” emphasizes Lemekh.
It turned out that the scammers' posts on Dressed to Kill were a “warm-up” for a post promising to help subscribers multiply their capital 8 to 12 times. For this service the fake administrator asked for 15% of the net profit.
“They sent subscribers a link to the bot in private messages. It is a kind of ‘bet’ on the rise or fall of cryptocurrency rates. Starting capital of 15 thousand rubles and higher. You deposit money, supposedly keep playing, and then withdraw. But in reality no money grows or gets withdrawn, to which the scammers say ‘write to the bot's support’,” Lemekh said.
The bot was disguised as Quotex, a platform for trading digital assets.
According to her, about ten subscribers of Dressed to Kill fell victim to the scammers, “donating” 15 thousand rubles. One subscriber transferred 130 thousand rubles to the attackers.
Together with her subscribers, Lemekh was able to regain access to the channel. However, because of the complaints it now carries a “Scam” badge, a label the Telegram administration attaches to dubious channels that have received a large number of fraud complaints.
“Mail and Telegram support are not responding at all. Volunteers respond in the messenger itself; there is no mention of any official representatives. My request hung unanswered for five days, and they only responded to me because I found a girl dealing with account recovery who had access to them. Now the same girl is removing the mark,” says Lemekh.
Channel Play Mechanics
In an interview with socialbites.ca, Pavel Kovalenko, director of the Informzaschita anti-fraud center, described the Dressed to Kill case as a classic example of phishing: a fake page is created, and the victim is induced through social engineering to enter their data on it.
“I must say that account theft and phishing through Telegram are now becoming more frequent: there are many channels and users visit them often, so the number of ‘persons’ who are potential victims of scammers is much higher than via mail and social networks,” the expert noted.
Experts from CERT-GIB, Group-IB's 24/7 incident response center, told socialbites.ca that they suspect the Telemetry-plus resource, which the scammers sent under the guise of a Telegram channel statistics tool, is a phishing site.
“Several points are alarming at once: the resource was registered on July 3. The domain name itself, the region and the content are very similar to the telemetri.me website, and even some images are loaded from there. This is how phishing sites often ‘behave’,” the experts noted.
When the owner tries to load statistics for the channel, the site asks them to fill out a very simple form: enter a link to the channel. It then warns that the channel is not in the database and must be added.
“It is worth noting that this form accepts any entered data; there are no validation checks. The owner is then asked to pass authorization by connecting the channel from their account so that the so-called bot can read the channel's statistics. They are redirected to hXXps://authorization-reg[.]com/oauth/telegram, which was registered 10 days ago and currently has no phishing content in its source. However, if you look at a saved copy of this resource, the homepage previously had a so-called ‘landing page’ for connecting customers to an affiliate program for ad distribution. Going further, it was probably switched to the aforementioned link used for ‘authorization’ via Telegram,” the experts said.
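An added Python triage helper (not code from the article, Group-IB or Telegram) that scores a site against the indicators the analysts list above: registration within the last month, a first label resembling telemetri.me, images hotlinked from the imitated site, and a Telegram “authorization” step handled by an unrelated host. The host telemetry-plus.example, the 2022 dates and the set of legitimate Telegram login hosts are assumptions.

```python
"""Phishing-site triage based on the indicators listed above. Added example, not code
from the article, Group-IB or Telegram; hosts, dates and login-host list are assumed."""
from dataclasses import dataclass
from datetime import date
from difflib import SequenceMatcher
from typing import List, Optional
from urllib.parse import urlparse

LEGIT_TELEGRAM_AUTH_HOSTS = {"oauth.telegram.org", "telegram.org"}  # assumed


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hXXps://, [.]) back into a parseable URL."""
    return indicator.replace("hXXps://", "https://").replace("hXXp://", "http://").replace("[.]", ".")


def host_of(url: str) -> str:
    return urlparse(refang(url)).hostname or ""


@dataclass
class SiteObservation:
    url: str                             # page under review, may be defanged
    registered: date                     # domain creation date (e.g. from WHOIS)
    image_hosts: List[str]               # hosts the page loads images from
    auth_redirect: Optional[str] = None  # where the "connect your channel" step leads
    legit_host: str = "telemetri.me"     # the service being imitated


def score_site(obs: SiteObservation, today: date) -> List[str]:
    """Return the indicators that fire; an empty list means nothing suspicious."""
    host, hits = host_of(obs.url), []
    if (today - obs.registered).days < 30:
        hits.append("domain registered less than 30 days ago")
    # Compare first labels only: "telemetry-plus" against "telemetri".
    ratio = SequenceMatcher(None, host.split(".")[0], obs.legit_host.split(".")[0]).ratio()
    if host != obs.legit_host and ratio > 0.6:
        hits.append(f"name imitates {obs.legit_host}")
    if host != obs.legit_host and obs.legit_host in obs.image_hosts:
        hits.append(f"hotlinks images from {obs.legit_host}")
    if obs.auth_redirect and "/oauth/telegram" in refang(obs.auth_redirect):
        rhost = host_of(obs.auth_redirect)
        if rhost not in LEGIT_TELEGRAM_AUTH_HOSTS:
            hits.append(f"Telegram 'authorization' handled by third-party host {rhost}")
    return hits


# Constructed observation mirroring the case above (placeholder host, not the real one).
TELEMETRY_PLUS = SiteObservation(
    url="hXXps://telemetry-plus[.]example/stats",
    registered=date(2022, 7, 3),
    image_hosts=["telemetry-plus.example", "telemetri.me"],
    auth_redirect="hXXps://authorization-reg[.]com/oauth/telegram",
)
```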
In an interview with socialbites.ca, Vladimir Zykov, director of the Association of Professional Users of Social Networks and Messengers (APPSIM), said he was confident that Dressed to Kill is not the only such case. According to the expert, there are many different scam schemes in which attackers hijack someone else's Telegram account and channel.
“For example, it is now the holiday season and the owner of the channel is on a plane; an attacker can make a copy of the SIM card, log into Telegram, re-register the channel to himself and delete the owner. In addition, personal information, including confidential photos in correspondence, may be at risk here. The original SIM card is disabled, but the person on the plane will not immediately notice this, and after landing it will be difficult to restore it while abroad, since for this you have to come to the operator's office,” Zykov said.
The expert also warned of a scheme in which attackers set up a free Wi-Fi network in a public place and require authorization by phone number to connect; when registering, the user risks handing his username and password to the attackers.
“There are many variants of how it can be used. Phishing is phishing, and scammers are constantly finding ingenious ways to get a username and password,” says Zykov.
How to protect your Telegram account
Dmitry Galov, a cybersecurity expert at Kaspersky Lab, told socialbites.ca that attackers' motives for hacking and stealing Telegram channels can vary, including blackmail with a ransom demand for restoring access to the account.
“An account can be stolen using social engineering techniques, phishing, or malware for remote device access. However, these are not the only possible scenarios. In this regard, we invite users and account holders on Telegram to comply with certain security rules. Two-factor authentication must be enabled first: if an attacker tries to gain control over the account, the verification code will not be enough; he will also need a password.”
Galov also recommends that users check the “Active Sessions” section to see which devices the account is logged in on. If an unknown or suspicious device is shown, that session should be terminated and the password changed, if one is set.
In addition, you should not follow suspicious links in messages or enter personal or identity information on suspicious pages, even when they come with an offer of cooperation. At the slightest doubt, you should install a security solution on devices where possible and scan incoming files and archives for threats.