Help a friend scam on Telegram Tue Jul 04 2023 A scam is going around on telegram affecting my friends and their friends. How to recover your telegram account from a phishing scam, and how they do it. -------------------------------------------------------------------------------- Help a friend scam on Telegram ============================== Published Jul 4, 2023 - 16 min read /---------------- Table of contents ---------------\ | Table of contents | | * What if you are impacted? | | * How they phish you | | * What can you do if your friend is compromised? | | * Advice for Telegram | | * Last words | | * More information! | \--------------------------------------------------/ A new scam is going around on Telegram! One that preys on your friends and then you. It is in fact, a worm [L1]. An automated attack that takes over your account with the objective to spread and take over more accounts. [I1: Video: My account was stolen! What should I do? Contact support.] What if you are impacted? ------------------------- To get someone to help, you need to be an extremely clear and consise communicator. Stick to the bare essentials, give enough evidence for them to act and help you. Here's what you need to do: * Send an email to recover@telegram.org * Also prepare the same message to go into Telegram Support [L2]. * From an email from a common service like gmail or outlook * Clearly identify the following: 1. Your phone number 2. Your username 3. The date and time you lost access, including a time zone like "US Central" 4. What app you normally use 5. Your IP address, which you can find on What is my IP address [L3]. * Patiently and respectfully state that you have lost your account to phishing scam. * Then mention a friend, who was compromised, messaged you to help them. It involved a bot. That bot showed a button saying: "Help a friend to unblock". * Continue to state that the bot had the name "Telegram" and used the telegram logo. This bot was impersonating Telegram to you. * Lastly, state that clicking the button opened a window with a telegram form asking for a phone number. * Because this form opened up in the telegram app, had a telegram logo, had a bot named "Telegram", you were convinced it was really Telegram. You fell for the phishing scam. * Ask for your account to be restored to you, your original phone number, and to prevent bots like this in the future. * If you have a two-step password, do not state your two-step password to them. This is something only the Telegram app on your phone or desktop should receive in its normal log-in flow and periodic "Are you sure you remember?" prompts. /-----------------------------[cendyne: let-me-in]-----------------------------\ \------------------------------------------------------------------------------/ I had my account disabled at one point, in fact, while I was out camping! While I did not fall victim to a phishing scam, I was banned because I first used a Voice-over-IP number, one I owned for 10 years. Unfortunately, most bot accounts, scammers, and so on use voice-over-ip numbers. /------------------------------------------------------------------------------\ | @cendyne@cendyne.dev @CendyneNaga@twitter.com | |------------------------------------------------------------------------------| | My telegram is back! | | [L4] 7/10/2021 | \------------------------------------------------------------------------------/ Following the above, hopefully you will get your account back within a week. How they phish you ------------------ Your friend's account got taken over. They message you asking for help. They might even ask for you to pay for premium to get them unlocked. As an alternative, they say you can help by using an official telegram bot. [I2: A chat history where the threat actor is posing as a friend, on a friend's account, saying they need help and to contact this bot. They assert it is an official telegram bot, though it starts with a few odd letters. Then they share a picture of which button to press.] They send you a bot account that looks like @XYZ_TelegramBot. [I3: The bot responds with buttons like help a friend unblock, receive membership for free, apply to protect my account, detect account abnormality] It has the buttons: * Help a friend unblock * Receive membership for free * Apply to protect my account * Detect account abnormality All buttons do the same thing. It does not matter which button you click. They all open the same in-app web view. [I4: A modal notice that shows the telegram logo, the name telegram, and the text 'To launch this web app, you will connect to its website.'] Everything here sets up the victim to believe the threat actor is legitimate. There is no identification that this is not an official telegram bot. The Telegram brand is impersonated on Telegram's own platform, and Telegram's own words set expectations for the victim that they will interact with a web view, an out of bounds experience. Upon accepting the disclaimer that your IP address may be revealed, the web app opens and shows a familiar login screen. Effective threat actors clone and copy what is familiar. The less surprising the phishing scam is, the easier you will fall victim to it. [I5: A login screen, which reads Telegram in Telegram's web app label. Inside the web app, again Telegram shows up and asks for country and phone number to begin the login process.] Compare this scam to the legitimate web.telegram.org web client: [I6: Telegram web login screen which shows a country and phone number entry] There are differences. Are there enough that you, while tired, stressed, wanting to help a friend, would notice them and back out? The login flow continues. You will be tricked in relaying a one time pass code. /-----------------------------------------------------------[cordite: surprise]\ | What if I use a two-factor password? | \------------------------------------------------------------------------------/ [I7: Privacy and security screen with two step verification highlighted] /[cendyne: crying-intensely]---------------------------------------------------\ | It is actually called "Two-Step verification", and, I believe it will be | | ineffective at protecting your account in this circumstance. | \------------------------------------------------------------------------------/ Two-Step verification helps you keep your account when your phone number is taken from you. In this case, the threat actor can simply ask you for your password next. /-------------------------[cendyne: let-me-out-window]-------------------------\ \------------------------------------------------------------------------------/ Next, the threat actor disconnects all other sessions from your account. You are then locked out! You are closed off and unable to see or message your friends! [I8: A screenshot that reads 'Do you want to terminate this session?'] Then, they change your phone number or your two-step password. Yes, they can do that, and so can you. Then the account is put into a queue for a human, likely one who receives pennies for participating in this crime, to contact your friends and capture their accounts too. /------------------------------------------------------[cordite: comprehending]\ | Did you not say this was a computer virus "worm", snake? How is a human | | involved here? | \------------------------------------------------------------------------------/ /[cendyne: snake-in-soda-box]--------------------------------------------------\ | It might actually have ChatGPT or some other large language model involved. | | However, the screenshots I have seen suggest that a human is responsible for | | bullsh*tting as a friend for the first few messages. They pretend to be your | | friend long enough to hook you and hand you off to a pre-prepared script. | \------------------------------------------------------------------------------/ /[cendyne: noodle-on-a-string]-------------------------------------------------\ | Anyway, it sure is spreading like a worm. | \------------------------------------------------------------------------------/ What can you do if your friend is compromised? ---------------------------------------------- Mute and Archive their chat. Contact them through other known means. Share this article with them so they can recover their account too! If they sent you a bot account like @XYZ_TelegramBot, open the bot profile. You do not need to hit /start, though if you do, no harm has been done. 1. Click or tap on Report. 2. Click or tap on Fake Account. 3. Enter a message like: > This account is scamming user accounts. It is pretending to be an > official Telegram account. Please search for and remove accounts with > TelegramBot in their username. 4. Submit. [I9: A view where a report message is entered, the description is mentioned above.] If you've done your part, guess what? Telegram actually will ban the account! [I10: Telegram has now banned the account screenshotted in this article] You too can combat this problem and help prevent your friends from being phished. /[cendyne: glamorous]----------------------------------------------------------\ | I took down one account. There are plenty more. | \------------------------------------------------------------------------------/ Please share this article to your friends. After all. Scammers do not need to read your roleplays. Wink wink. Advice for Telegram ------------------- Not that I expect them to even read my article... Here are my recommendations for any platform with public integrations to protect their users. Google has protections like these in place. Telegram needs to step up if they want to be the WeChat of the western world. * Revoke all bot accounts ending in "TelegramBot". * Investigate and remove accounts that have created bots created with such user names. * Further investigate if the accounts that have created those bots were themselves compromised before creating such bot accounts. * Prevent registration of all bot accounts that contain "Telegram". * Employ some form of image recognition to prevent the use of the Telegram logo on bot account profiles. * Add extra scrutiny to in-app web features. * Adjust the message presented to the user that they are exiting Telegram and that the application and views do not represent Telegram. * Reconsider the comingled experience of official telegram bots, support accounts, and so on, from user contributed bots and user accounts. * Consider other security, two factor, or account recovery mechanisms and their security risks and mitigations. * Improve education on verification labels for official bots. Last words ---------- For those affected, I am truly sorry you are going through this. Please try out the recovery method mentioned above and share this elsewhere. You may lose access to your chat histories. You may have some personal information in your private saved messages stolen. I highly recommend you change passwords elsewhere, just in case you ever pasted it into telegram to copy between devices. May the naga be with you. /----------------------------[cendyne: laptop-tail]----------------------------\ \------------------------------------------------------------------------------/ More information! ----------------- Update - July 9th, 2023 Unfoxo tried this out with a sacrificial account. Here's what he recorded: Upon entering your phone number, it will present an emoji and "Enter Captcha" [I11: A fake telegram one time password prompt saying enter captcha with a monkey emoji] You will then get a message from telegram with your one time passcode. [I12: An official telegram message that gives you a login passcode. It says never to give it to anyone, even if they say they are telegram.] Next, you will see a message from telegram saying there is a new login. It will come from your IP address, it will come from your device type, and it uses "Telegram WebK", which is a real client. [I13: A new login! From WebK, and so on. The rest of the message is in Italian.] A few seconds later, while you are reviewing an odd message, Telegram will send another one time passcode! Except in the background, it sends this passcode to the threat actor to get into your account! [I14: An odd message that is completely unrelated with the context in how you got to thisscreen. It talks about keeping things attached for 48 hours.] The next thing you know, someone connects into your account from Hong Kong, of all places. [I15: A WebK session exists in Hong Kong] Sometimes, Telegram will block these attempts. [I16: Telegram Blocked a suspicious connection from Hong Kong] What's interesting here is that the official Telegram bots all have twitter style verified labels next to them. [I17: Official twitter bot has a verified check mark in a stamp] Meanwhile, their own do not have such labels. [I18: Instructions from the threat actor to get the login one time pass code.] -------------------------------------------------------------------------------- I have also heard, from one unfortunate soul, that their phone number has stayed the same, but every time they connect they are automatically booted out of their account. From this information, I suppose that the threats do not have numbers to switch the accounts to and are automating account retention. -------------------------------------------------------------------------------- [L1]: https://en.wikipedia.org/wiki/Computer_worm [L2]: https://telegram.org/support [L3]: https://whatismyipaddress.com/ [L4]: https://twitter.com/CendyneNaga/status/1413692730316890113 [I1]: https://c.cdyn.dev/a3eExxLz [I2]: https://c.cdyn.dev/dAasbBDL [I3]: https://c.cdyn.dev/Fwx3Cg32 [I4]: https://c.cdyn.dev/lNiRiswM [I5]: https://c.cdyn.dev/O3c1vy4V [I6]: https://c.cdyn.dev/n4XZMP0p [I7]: https://c.cdyn.dev/1WvwrC9S [I8]: https://c.cdyn.dev/2eIt1sLf [I9]: https://c.cdyn.dev/SHas-qxa [I10]: https://c.cdyn.dev/Bvf5nxZg [I11]: https://c.cdyn.dev/47kMcwbZ [I12]: https://c.cdyn.dev/9BF5gVqg [I13]: https://c.cdyn.dev/CDkq-CBK [I14]: https://c.cdyn.dev/hUUs5z-q [I15]: https://c.cdyn.dev/e2-WB_pm [I16]: https://c.cdyn.dev/1AD4QhWZ [I17]: https://c.cdyn.dev/wgYdG-uP [I18]: https://c.cdyn.dev/VsZMnx0F