Experts Uncover Network of Malicious Image Sites Targeting Telegram Accounts
Specialists from the Solar AURA external digital threat monitoring center at Solar Group have discovered a large network of over 300 websites featuring images and memes, created specifically to steal Telegram accounts. These images could easily appear in search engine results, and clicking on them could lead to account theft.
According to researchers, the network emerged in December 2023 and consists of similar websites hosting hundreds of thousands of images and their descriptions. The images are grouped by themes, with sites dedicated to anime, fan fiction, memes, Korean dramas, pornography, and even pizza.
How the Scam Works
The scammers pay significant attention to search engine optimization, making it highly likely that users will encounter these malicious sites, especially when searching for images. If a user clicks on a link or image to view the original source, they are redirected to a phishing site that mimics a Telegram channel page. Most of these phishing sites use the name “You’ll Like It.”
If the victim tries to join the community, they are taken to a page with a QR code or a login form for Telegram. Entering Telegram login credentials on the fake site sends this information directly to the attackers.
Two-Factor Authentication Is Not Enough
Even two-factor authentication (2FA) does not protect against account hijacking in this scheme. If a user enters the 2FA code received from Telegram on the phishing site, the attackers gain access to the account on their own device and can terminate the real owner’s session.
Unique Features of the Scam
Experts note that an interesting aspect of this scheme is that the scammers use domains unrelated to the images, to each other, or to Telegram itself. Additionally, the phishing sites employ various methods to hide their malicious content. For example, they automatically check where the link click originated. If the user did not come from a search engine, the site simply displays the image the user was looking for, making it harder to block these resources. If someone tries to report the site and shares the link, the malicious content will not appear.
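The origin check described above can be detected by requesting the same URL twice, once with no Referer and once with a search-engine Referer, and comparing the responses. The sketch below is an added example, not code from the researchers; it assumes the check is made server-side on the HTTP Referer header, and the fetch callable, the .example hostnames and the two simulated sites are hypothetical, constructed so the example runs offline.

```python
import hashlib
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/"  # assumption: stands in for any search engine

def fingerprint(resp):
    """Reduce (status, headers, body) to the fields that change when a site cloaks."""
    status, headers, body = resp
    location = headers.get("Location")
    return {
        "status": status,
        "redirect_host": urlsplit(location).hostname if location else None,
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }

def check_cloaking(url, fetch):
    """Compare a direct visit with a visit carrying a search-engine Referer.

    fetch(url, referer) is a hypothetical callable supplied by the analyst; it
    must return (status, headers, body) and must not follow redirects.
    """
    direct = fingerprint(fetch(url, None))
    searched = fingerprint(fetch(url, SEARCH_REFERER))
    own_host = urlsplit(url).hostname
    findings = []
    if direct["status"] != searched["status"]:
        findings.append("status differs by referer")
    target = searched["redirect_host"]
    if target and target != own_host and target != direct["redirect_host"]:
        findings.append("off-site redirect only with search referer: " + target)
    if direct["body_sha256"] != searched["body_sha256"]:
        findings.append("body differs by referer")
    return findings

# Constructed stand-ins for two sites (reserved .example names, no network access).
def cloaking_site(url, referer):
    if referer and "google." in referer:
        return 302, {"Location": "https://landing.example/join"}, b""
    return 200, {"Content-Type": "image/jpeg"}, b"\xff\xd8 constructed image bytes"

def plain_site(url, referer):
    return 200, {"Content-Type": "image/jpeg"}, b"\xff\xd8 constructed image bytes"

if __name__ == "__main__":
    for name, site in (("cloaking", cloaking_site), ("plain", plain_site)):
        print(name, check_cloaking("https://images.example/meme/123.jpg", site))
```

A body difference on its own is a weak signal, since pages with dynamic content change between requests; the off-site redirect that appears only with the search Referer is the finding that matches the behaviour described here.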
After completing their investigation, the researchers submitted all discovered fake resources for blocking.
“In 2023, scammers used fairly primitive social engineering methods to lure users to phishing sites to steal Telegram accounts, such as asking them to vote for a child’s drawing, sign a petition, receive social benefits, or get free access to a Premium account. The new scheme targets any user who wants to download an image from the internet, which means it covers a significant portion of the Russian-speaking internet. This is currently the largest and most sophisticated campaign aimed at hacking Telegram accounts. We urge everyone to be extremely cautious and check every link before clicking,” commented Alexander Vurasko, head of the Solar AURA external digital threat monitoring service at Solar Group.