Telegram accounts are being hijacked again through messages from the user "Security". Here's what you need to know.
What does the threat look like now?
Users receive a message from an account with the nickname "Security" and the messenger icon as its avatar. The message contains a link that the user is supposedly required to follow to enhance data protection. Clicking the link opens a phishing resource that asks the user to authenticate in Telegram using a QR code. If the victim goes through this process, the scammers gain access to the account. A screenshot of the initial message is attached to the post.
Is this scheme new?
Similar attempts to hijack accounts were reported a year ago. In 2019, a detailed analysis of crimes involving message interception was carried out. The similarity with the recent case is that the messages back then also appeared to come from a service and verified Telegram channel.
Also, in the fall of 2024, an advertisement for a service to hack accounts on demand appeared on Telegram. The hackers claimed to bypass two-factor authentication. For 100–150 thousand rubles and 5–15 days, the customer was promised a dump of conversations and all attachments of the victim + a zip archive with the Telegram session in Tdata format, allowing parallel access to the account.
F.A.C.C.T. Threat Intelligence analysts found that the same services offering full message and content extraction were also available in 2023 (but cost $17,000 - over 1.5 million rubles). Only the phone number and avatar were required from the customer.
How to protect yourself?
All of these schemes are based on social engineering, and the success of the cybercriminals depends on the awareness and vigilance of the user. It is recommended to set a cloud password, never to disclose one-time security codes to anyone, and always to verify suspicious websites through whois services.