Security Experts Uncover Network of Malicious Websites Using Images to Steal Telegram Accounts

The specialists of the external digital threat monitoring center Solar AURA from Solar Group have discovered a large network consisting of over 300 sites with images and memes created for stealing Telegram accounts. A user could easily come across an image from one of these sites in search results, and clicking on it could result in an account loss.

According to the researchers, the network emerged in December 2023 and comprises sites with hundreds of thousands of images and descriptions grouped by themes like anime, fan fiction, memes, Korean dramas, pornography, and even pizza.

It is noted that scammers pay significant attention to search engine optimization. Therefore, the chances of encountering one of these malicious sites are high, especially if the search is performed directly using images.

If a user clicks on a link or image to view the source, instead of the site with the image, they will be redirected to a phishing resource imitating a Telegram channel page. Most of these phishing sites bear the name “You Will Like It.”

If the victim tries to join the community, they will be directed to a page with a QR code or a form to log into Telegram. If the user enters their Telegram account login information on the fake site, it will be automatically transmitted to the fraudsters.

Interestingly, even two-factor authentication (2FA) cannot protect against account hijacking if the user enters the received 2FA code on the phishing site. In such a case, the scammers gain access to the user’s profile on their device and can terminate the session of the actual account owner.

Experts point out that a notable feature of this scheme is that scammers use domains unrelated thematically to the distributed images, each other, or the messenger itself.

Additionally, phishing sites created for Telegram account hijacking utilize various methods to conceal malicious content. For example, they automatically check the source of the link click. If the user does not come from a search engine page, instead of the phishing site, the user sees the image they searched for. This tactic makes it difficult to block their resources: if a user tries to report such a site by sharing a link, the malicious content simply won’t open.

Following the investigation, all identified fake resources have been reported for blocking.

“In 2023, scammers aimed to steal Telegram accounts by directing users to phishing sites through fairly primitive methods of social engineering, such as suggesting in newsletters to vote for a child’s drawing, sign a petition, receive social benefits, or get free access to a premium account. The new scheme targets any user who wants to download an image from the internet, covering a significant portion of the Russian-speaking audience. This is currently the most extensive and sophisticated campaign aimed at hacking Telegram accounts. We urge everyone to be extremely cautious and verify every link a user clicks on,” commented Alexander Vurasko, head of the Solar AURA external digital threat monitoring service at Solar Group.

0 / 5

Your page rank:


Subscribe: YouTube page opens in new windowLinkedin page opens in new windowTelegram page opens in new window

Leave a Reply

Your email address will not be published. Required fields are marked *

Post comment