Just like social media accounts, Telegram accounts are hijacking targets — especially if they are linked to channels with a lot of subscribers. Such accounts were in the cross-hairs of a recent wave of attacks. This post explains how it happens and what to do about it. Let’s go!
How are Telegram accounts hacked and stolen?
The short answer is: phishing. The user receives a message from a Telegram account with an official-sounding nickname (say, TelegramAdmin) stating that suspicious activity has been detected on their account and that the user must provide account confirmation or the account will be blocked. A link is provided to confirm the account.
Naturally, the link points to a phishing site with an address that seems trustworthy. It might be telegram-antispam.org or telegram-verification.site, or something like that.
The site looks like a carbon copy of the real Telegram login page at web.telegram.org. The user is prompted to enter their phone number, confirmation code, and, if two-factor authentication is enabled, password. In case of a forgotten password, the scammers ask the user to go through the normal password-recovery process — click a link, receive a recovery code from (the real) Telegram, and provide that code to (the fake) Telegram..
Once the victim enters all of this info, the scammers have everything they need to access the account and link it to another phone number. Along with the account, they get its channels.
How to protect your Telegram account
- Enable two-factor account authentication. It’s not a silver bullet, but it will make stealing your account harder.
- Be wary of messages from accounts that are not in your address book, and don’t follow suspicious links. Telegram administrator accounts have verification badges in the account information. If you receive a message supposedly from Telegram, but there is no such badge, it’s a scam. Another telltale sign is if Telegram prompts you about marking the message as spam. Obviously, the service won’t detect a message from itself as spam.
- Before entering personal info on any Web page, check that the connection is secure, and take a close look at the domain name of the page in the address bar. In this case, it should be telegram.org, not telegram-antispam.org, antispam-verification.com, or any such variant.
- Install a security solution with antiphishing capability on every device that permits it.