Phishing Campaign Exploits Telegram’s Official Login


A new and sophisticated phishing campaign is targeting Telegram users globally. Because the campaign drives its logins through Telegram's own official login procedures, the fraudulent sessions are hard to distinguish from legitimate ones, which makes early detection challenging.

How the Phishing Campaign Works

According to analysts from CYFIRMA, attackers abuse Telegram's infrastructure rather than compromising it. They register their own API keys and use them to initiate login attempts against victims' accounts.

Attack Scenarios

  • QR Code Authorization: Users are prompted to scan a QR code that appears legitimate. Once scanned, a new session is authorized from the victim's mobile app, giving the attackers access to the account.
  • Manual Entry: Victims are asked to enter their phone number, a one-time code, or two-factor authentication data. The attackers relay these details through the official Telegram APIs to complete the login they initiated.

Key Elements of the Attack

A critical part of this phishing strategy is the login confirmation step. Telegram sends a system notification whenever there is an attempt to log in from a new device. Attackers, however, frame this notification as part of a "mandatory security check" that the user is expected to approve.

This deceptive framing leads users to confirm a login they did not initiate, inadvertently granting the attackers access to their accounts.

Scaling and Implications

The campaign is modular and features a centralized backend. Attackers can quickly change domains while maintaining the same attack structure, complicating efforts to shut it down.

Once they gain entry to an account, attackers typically exploit the trust between users. They send phishing emails to the victim’s contacts, further facilitating the spread of the attack.

Conclusion

Users must remain vigilant against such threats. Treating any unexpected login prompt, QR code, or request for a one-time code as suspicious, and declining to confirm new-device logins they did not initiate, can help protect accounts from these sophisticated scams.
