Telegram users have recently begun encountering various Telegram messenger hijacking schemes. Things usually start off with a message from one of their contacts containing a link to some site. The bait can be an invitation to take part in an online vote or contest, a Telegram Premium gift or trial version, a request to sign a collective petition, or something else. What all these schemes have in common is the need to authenticate via Telegram — either by entering one’s phone number and a messenger verification code, or by scanning a QR code. But that’s precisely what you should not do, otherwise you’ll likely lose your account.
How the hijackers do it
Of course, there are no contests, no petitions, and no gifts. And the message was not written by a contact, but by an attacker who’s already hijacked that contact’s account (perhaps in the same way).
The links sent by the cybercriminals are usually created using a URL shortener service. Such tools are often used when the sender doesn’t want the real address of a site to be seen. What’s more, anti-phishing tools find it harder to spot such links.
More often than not, the site looks pretty modest. The first page displays a message like “Sign in and vote” or “Free access to the trial version of Telegram Premium” — depending on the scheme in question. Next comes the messenger login screen. There are two variants here: those who opened the site on a desktop are prompted to log in using a QR code, while those on a mobile device are asked for their country and phone number. Sometimes (as shown in the screenshots) the attackers let the victim choose the more convenient option.
If you provide your phone number, the attacker’s scripts log in to your Telegram account from a new device. The messenger’s security mechanism requires user confirmation and sends a verification code to your phone or computer where Telegram is already authorized. With Telegram’s two-factor authentication (2FA) turned off, this code and the phone number are all that the attackers need to log into your account. If you enter this code on the fraudsters’ site, they’ll have full control over your account, including the ability to link it to another device.
With a QR code, it’s even more straightforward — a verification code isn’t even needed. The thing is, it’s not a QR code for logging in from your phone. What it is, in fact, is a code to connect an additional device or web session to your account. If you scan this code as per the instructions, the attackers will automatically log in to your account and take control of it.
If you’re curious about other common phishing tricks, check out our report on spam and phishing in 2022.
Why cybercriminals want your account
Your stolen account can be used in various ways. The most obvious is to send out more fraudulent links to your contacts, but there are other uses too.
For starters, your account is full of data that could be used in other criminal schemes. Via the desktop version of Telegram, the bad guys can export your contact list, personal data, chat history, or files you’ve uploaded and received — which can contain confidential information. For example, some people store document scans in Favorites for quick access.
After a little while, the hijackers might also call you and offer to return your account for a fee.
How to stay safe
To begin with, take care not to follow any suspicious links. And under no circumstances should you enter a Telegram verification code anywhere except in the Telegram app itself.
To make it a bit trickier to take over your account, we recommend enabling 2FA in the messenger. This will not interfere with day-to-day communication but will guard against login attempts from other devices by asking for an extra password, adding another layer of protection.
To enable 2FA in Telegram on your phone, go to Settings → Privacy and Security and tap Two-Step Verification. After that, it remains only to set a password, create an optional hint in case you forget it, set up a recovery e-mail, and enter a confirmation code that you’ll receive in your mailbox.
What to do if you took the bait
If you’ve already fallen for a scam and entered a code on a fake site, there’s still hope. By acting quickly, you can regain control of your account. Go to Settings → Devices and tap Terminate all other sessions.