Telegram’s blogging platform abused in phishing attacks

phishing

Telegram’s anonymous blogging platform, Telegraph, is being actively exploited by phishing actors who take advantage of the platform’s lax policies to set up interim landing pages that lead to the theft of account credentials.

Telegraph is a blogging platform that lets anyone publish anything without creating an account or providing any identification details.

While this provides anonymity to the publisher, it also opens itself up to widescale abuse by threat actors for their own campaigns.

The published Telegraph posts generate a link that threat actors may distribute in whatever way they choose, but there’s no central location to promote these posts to the community. Hence, Telegraph is fast, simple, and anonymous.

Moreover, because Telegraph’s editor supports the addition of images, links, and offers text formatting options, one could make a blog post appear like a web page, including login forms.

Phishing pages

According to a report by INKY shared with Bleeping Computer before publication, phishing actors use Telegraph extensively to create phishing sites that look like website landing pages or login portals.

INKY’s data from the end of 2019 until May 2022 shows that the inclusion of Telegraph links in phishing emails has been going through a steep rise recently, as over 90% of all detections occurred this year.

The phishing email delivery rates are excellent because these links are hosted on Telegraph, a platform not marked as dangerous or suspicious by any email security solutions.

In many cases, INKY noticed that the phishing emails came from hijacked email accounts, so blocklists on known scam addresses were bypassed.

In most of the recorded cases, the goal of phishing actors is to conduct cryptocurrency scams or harvest the account credentials of their targets.

The cases seen by INKY vary greatly, indicating that Telegraph’s abuse is coming from multiple groups/actors, not a specific threat cluster.

One example is a OneDrive notice that leads to a realistic-looking Microsoft login page where the victim is prompted to enter their account credentials.

One Drive alert on Telegraph
Falsified OneDrive alert on Telegraph (INKY)
Microsoft account phishing portal
Microsoft account phishing portal (INKY)

In another case, INKY saw an extortion message that threatened that they would leak private files if the recipient did not pay a ransom. The payment portal is directly hosted on Telegraph, offering multiple payment options for the scammed victims.

Cryptocurrency scam payment on Telegraph
Cryptocurrency scam payment on Telegraph (INKY)

How to protect yourself

Phishing actors constantly experiment with new avenues that might raise their chances of success. They often achieve this goal by combining stolen email accounts and free sites like Telegraph.

For this reason, users shouldn’t trust an email just because it passed through protections. If it has a link in the body, hover the cursor over it to see where it redirects before clicking.

Whenever you end up on a site that asks for your account credentials, confirm that you have landed on the official login portal before typing anything in the boxes.

Finally, remember always to stay calm and never jump into action. There’s no such thing as an online urgency that doesn’t allow a few moments to look into potential signs of a scam.