{"id":25206,"date":"2023-02-16T18:19:51","date_gmt":"2023-02-16T12:49:51","guid":{"rendered":"https:\/\/www.kaspersky.co.in\/blog\/telegram-takeover-contest\/25206\/"},"modified":"2023-02-16T18:20:08","modified_gmt":"2023-02-16T12:50:08","slug":"telegram-takeover-contest","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.in\/blog\/telegram-takeover-contest\/25206\/","title":{"rendered":"How Telegram accounts are hijacked"},"content":{"rendered":"<p>Telegram users have recently begun encountering various Telegram messenger hijacking schemes. Things usually start off with a message from one of their contacts containing a link to some site. The bait can be an invitation to take part in an online vote or contest, a Telegram Premium gift or trial version, a request to sign a collective petition, or something else. What all these schemes have in common is the need to authenticate via Telegram \u2014 either by entering one\u2019s phone number and a messenger verification code, or by scanning a QR code. But that\u2019s precisely what you should not do, otherwise you\u2019ll likely lose your account.<\/p>\n<h2>How the hijackers do it<\/h2>\n<p>\nOf course, there are no contests, no petitions, and no gifts. And the message was not written by a contact, but by an attacker who\u2019s already hijacked that contact\u2019s account (perhaps in the same way).<\/p>\n<p>The links sent by the cybercriminals are usually created using a URL shortener service. Such tools are often used when the sender doesn\u2019t want the real address of a site to be seen. What\u2019s more, anti-phishing tools find it harder to spot such links.<\/p>\n<p>More often than not, the site looks pretty modest. The first page displays a message like \u201cSign in and vote\u201d or \u201cFree access to the trial version of Telegram Premium\u201d\u00a0\u2014 depending on the scheme in question. Next comes the messenger login screen. There are two variants here: those who opened the site on a desktop are prompted to log in using a QR code, while those on a mobile device are asked for their country and phone number. Sometimes (as shown in the screenshots) the attackers let the victim choose the more convenient option.<\/p>\n<div id=\"attachment_47196\" style=\"width: 1674px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-47196\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/36\/2023\/02\/16181922\/telegram-takeover-contest-site-EN.jpg\" alt=\"A cybercriminal site asking how you'd like to lose your account: by QR code or by entering a phone number.\" width=\"1664\" height=\"708\" class=\"size-full wp-image-47196\"><p id=\"caption-attachment-47196\" class=\"wp-caption-text\">A cybercriminal site asking how you\u2019d like to lose your account: by QR code or by entering a phone number.<\/p><\/div>\n<p>If you provide your phone number, the attacker\u2019s scripts log in to your Telegram account from a new device. The messenger\u2019s security mechanism requires user confirmation and sends a verification code to your phone or computer where Telegram is already authorized. With Telegram\u2019s two-factor authentication (2FA) turned off, this code and the phone number are all that the attackers need to log into your account. If you enter this code on the fraudsters\u2019 site, they\u2019ll have full control over your account, including the ability to link it to another device.<\/p>\n<p>With a QR code, it\u2019s even more straightforward\u00a0\u2014 a verification code isn\u2019t even needed. The thing is, it\u2019s not a QR code for logging in from your phone. What it is, in fact, is a code to connect an additional device or web session to your account. If you scan this code as per the instructions, the attackers will automatically log in to your account and take control of it.<\/p>\n<p>If you\u2019re curious about other common phishing tricks, check out our <a href=\"https:\/\/securelist.com\/spam-phishing-scam-report-2022\/108692\/\" target=\"_blank\" rel=\"noopener\">report on spam and phishing in 2022.<\/a><\/p>\n<h2>Why cybercriminals want your account<\/h2>\n<p>\nYour stolen account can be used in various ways. The most obvious is to send out more fraudulent links to your contacts, but there are other uses too.<\/p>\n<p>For starters, your account is full of data that could be used in other criminal schemes. Via the desktop version of Telegram, the bad guys can export your contact list, personal data, chat history, or files you\u2019ve uploaded and received\u00a0\u2014 which can contain confidential information. For example, some people store document scans in Favorites for quick access.<\/p>\n<p>After a little while, the hijackers might also call you and offer to return your account for a fee.<\/p>\n<h2>How to stay safe<\/h2>\n<p>\nTo begin with, take care not to follow any suspicious links. And under no circumstances should you enter a Telegram verification code anywhere except in the Telegram app itself.<\/p>\n<p>To make it a bit trickier to take over your account, we recommend enabling 2FA in the messenger. This will not interfere with day-to-day communication but will guard against login attempts from other devices by asking for an extra password, adding another layer of protection.<\/p>\n<p>To enable 2FA in Telegram on your phone, go to <strong>Settings<\/strong> \u2192 <strong>Privacy and Security<\/strong> and tap <strong>Two-Step Verification<\/strong>. After that, it remains only to set a password, create an optional hint in case you forget it, set up a recovery e-mail, and enter a confirmation code that you\u2019ll receive in your mailbox.<\/p>\n<h2>What to do if you took the bait<\/h2>\n<p>\nIf you\u2019ve already fallen for a scam and entered a code on a fake site, there\u2019s still hope. By acting quickly, you can regain control of your account. Go to <strong>Settings<\/strong> <strong>\u2192 Devices<\/strong> and tap <strong>Terminate all other sessions<\/strong>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How to keep cybercriminals out of your Telegram account.<\/p>\n","protected":false},"author":2710,"featured_media":25208,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[2196,9],"tags":[2716,2187,587],"class_list":{"0":"post-25206","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threats","8":"category-tips","9":"tag-account-hijacking","10":"tag-accounts","11":"tag-telegram"},"hreflang":[{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/telegram-takeover-contest\/25206\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/telegram-takeover-contest\/20706\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/telegram-takeover-contest\/27866\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/telegram-takeover-contest\/25544\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/telegram-takeover-contest\/25999\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/telegram-takeover-contest\/28438\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/telegram-takeover-contest\/34472\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/telegram-takeover-contest\/11368\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/telegram-takeover-contest\/47195\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/telegram-takeover-contest\/20180\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/telegram-takeover-contest\/20812\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/telegram-takeover-contest\/29806\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/telegram-takeover-contest\/33347\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/telegram-takeover-contest\/25714\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/telegram-takeover-contest\/31578\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/telegram-takeover-contest\/31293\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.in\/blog\/tag\/telegram\/","name":"telegram"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/25206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/users\/2710"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/comments?post=25206"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/25206\/revisions"}],"predecessor-version":[{"id":25207,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/posts\/25206\/revisions\/25207"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media\/25208"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/media?parent=25206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/categories?post=25206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.in\/blog\/wp-json\/wp\/v2\/tags?post=25206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}