We won't be hijacked: how to protect your Telegram account from hacking and theft

Father

There is an opinion that Telegram is one of the most secure instant messengers. Nevertheless, attackers long ago learned how to hack and steal accounts and gain access to personal correspondence and chat content. How this happens, why anyone would want to hack your Telegram account, and how to protect yourself from such attacks are described in this article.

How accounts are stolen

To break into Telegram accounts, attackers draw on a whole arsenal of tools: from social engineering to intercepting SMS messages and infecting devices with malware. They come up with new deception schemes, find out passwords, and exploit both vulnerabilities in the application and people's ignorance of the basic rules of safe behaviour on the Internet. We'll look at these methods in more detail below.

Phishing

Phishing is one of the easiest methods to use. Attackers send messages with various content; for example, a message may contain a "gift" in the form of a Telegram Premium subscription. The recipient clicks the button to receive the gift and is sent an authorization code, ostensibly to activate the subscription. Once the victim enters those digits, the scammers get access to their account and send messages on their behalf to everyone in their contact list.

Konstantin Larin
Head of the Cyber Intelligence Department at Bastion

The most common type of "hijacking" of a Telegram account is not SMS code interception, but ordinary phishing. The victim receives a message, usually from a fake friend's account, with the content: "Please follow the link and vote for my niece in the kindergarten drawing contest https://........". The victim follows the link and is asked to log in to Telegram ostensibly to protect against vote fraud. A naive user enters their phone number, SMS code, and cloud password. Then, on the attacker's side, the Telegram session is restored using this data, and as a result, we have a compromised account. Usually, attackers quickly upload all the data of the Telegram account (chats, files, media data, etc.). After that, there were cases when the compromised account was used for further distribution to the victim's contacts. In this case, the credibility of the phishing message is higher, since the account is not fake.

To get better results, scammers take a more individual approach to the victim instead of sending everyone the same text. To do this, they study the information available about the person on the Internet in advance and use it during the correspondence. Some use neural networks to generate voice messages in the voice of the owner of the hacked account. Scammers also create chatbots that supposedly represent official brands, marketplaces, or the Telegram administration.

Marina Probets
Internet analyst at Gazinformservis

In the most recent case, the attacker knew the full name and position of the head of the company, created a fake Telegram account in which he called himself the head of the company, then wrote a message to an employee and asked him to follow phishing links.

If the person clicked on the link, they would be asked to follow instructions that would cause them to lose access to their account or Telegram channel forever.

Thus, in the summer of 2023, teachers and health workers began receiving phishing messages more often. Scammers registered a Telegram account, gave it the name of the chief doctor or school director, and used that person's photo as the avatar. Then they wrote to employees of the organization saying that they would be contacted by a curator from the relevant ministry or by a law enforcement officer, whose questions they needed to answer. In most of these cases, however, the scammers were not after user accounts but after their money.

Text message interception

In 2019, the computer forensics laboratory of Group-IB reported a number of Telegram account hacking incidents. The incidents occurred on both iOS and Android devices, regardless of which mobile operator the victim used. In all cases, the only authentication factor was SMS. First, the user received a message from the official Telegram channel with a login code. Then the user received an SMS with an activation code and a notification that their account had been logged in to on a new device. Group-IB reported that the attackers used mobile Internet (possibly disposable SIM cards) to gain access to the victim's account.

Marina Probets
Internet analyst at Gazinformservis

To intercept the SMS code, the attacker connects to the SS7 network of any foreign operator. When the SRI4SM service command is sent over the network channel (with the victim's number as a parameter), the attacker receives a response with technical information from the subscriber's home network, which allows them to find out what services and subscriptions are connected to the victim's number.

Then, having all this data, it only remains to register the victim's number in a fake VLR, simulating that the subscriber is roaming and has registered in a new network. After that, the attacker can receive the SMS messages sent to this subscriber.

Attackers can carry out such attacks by gaining access to special equipment for intercepting SMS messages or by using insider information from mobile operator employees.

Konstantin Larin
Head of the Cyber Intelligence Department at Bastion

When attackers intercept an SMS code, they use a fake cellular service point and must be physically close to the victim's device, forcing it to switch to the less secure 2G mode; encryption is then disabled and the SMS code is intercepted.

If the account is important to you, register it only on a SIM card that you physically hold, and also prohibit the operator from reissuing the SIM card without your physical presence and a written application.

Malicious programs

In a message, an attacker can send a link, archive, or file that conceals a malicious program. The victim opens the link or file, and their login details are passed to the fraudster.

An additional difficulty is that many users have automatic downloading of content from incoming messages enabled.

Vulnerabilities in the app

In the spring of 2022, several Telegram channels, including themed public channels and mass media, were hacked, and identical messages appeared in all of them. The media reported that the cause was the Crosser Bot and Controller Bot Telegram bots that had been added to the channels and to which the attackers gained access.

This is not only, and not so much, about vulnerabilities in Telegram itself as about the third-party services that community administrators in particular use. While Telegram has its own bug bounty program and information security team, such services, as a rule, do not.

Why do attackers need access to your account?

Hacking your Telegram account gives access to all chats other than secret chats, as well as to channels and all media files in chats. There may be several motives for hacking:
  • extort money from the victim for returning the account. If a fraudster has gained access to your account, thrown you out and changed your password, they can blackmail you by threatening to disclose confidential data.
  • get access to a major channel. By hacking the account of the administrator of a large channel, attackers can publish any posts, place links to malware in them, or sell the channel.
  • get confidential commercial or personal information to use for their own purposes.
  • get access to your contacts. This allows them to send out spam ads or messages on behalf of the victim asking contacts to transfer money.

Attackers also earn money by offering to hack someone else's Telegram account for a fee. Such a service can be ordered on the darknet.

Protection against hacking

For account security, first of all, two-factor authentication must be enabled. You can enable it in your profile settings: go to the "Privacy" tab, then select "Cloud Password" and set a strong password.

Konstantin Larin
Head of the Cyber Intelligence Department at Bastion

To protect your Telegram account from hacking, we recommend enabling two-factor authentication. The second factor in Telegram is implemented as a cloud password; in other words, after entering the SMS code, you must also enter your password. It is important to choose a unique password that has not been used in other services, since attackers can collect passwords from leaks of various services.

Also, most operators offer the option of an additional virtual number, which should not be confused with an eSIM. You can link a critical Telegram account to such a number. In this case, SMS codes will be delivered not via the cellular network but to the operator's app, which increases the security of the account.

In addition to two-factor authentication and a complex password, a number of precautions should be observed:
  • don't click on suspicious links and don't open unexpected files;
  • be suspicious of messages about winnings, gifts, and favourable clearance-sale offers, even from friends;
  • update the app to the latest version promptly;
  • if you lose your phone, contact your mobile operator and block the SIM card;
  • do not share your username and password with third parties;
  • regularly check active sessions and connected devices.

In all suspicious cases, make sure that the sender is who they say they are before taking any action. To do this, call the friend or contact them in another messenger.

Marina Probets
Internet analyst at Gazinformservis

Basic security measures must be followed. For example, the cloud password should not be stored in a text file on your computer, and the account should be registered to a separate phone number that will not be "exposed" on the network.

Simple precautions will help you save your account, nerves, and money.

What should I do if my account has already been hacked

There are obvious signs that someone has logged in to your account. Users report the following:
  • you can't log in to your account;
  • a text message with a login code arrives on your phone that you did not request;
  • you are being kicked out of the messenger;
  • new subscriptions have appeared, or chats or messages have disappeared;
  • messages are sent and posts are published on your behalf.

When an attacker logs in to your account, their device appears in the list of connected devices. To check for suspicious logins to your Telegram account, go to your profile settings, select "Privacy" and then the "Active Sessions" tab. You will see a list of the devices that are logged in to your account.

If you find suspicious devices, the first thing to do is terminate all active sessions other than your own. Telegram has a built-in security mechanism that prevents a newly logged-in session from terminating existing active sessions for 24 hours. It is therefore important to detect an unwanted "guest" quickly and close their access before they are able to kick you out of your account.

Check if you have two-factor user authentication enabled. Create a new cloud password or change the old one.

If you did not manage to detect the fraudster in time and they ended your session and changed your password, contact Telegram technical support. If you can't get your account back and you risk losing large sums of money or suffering reputational damage, you can delete the account by contacting Telegram, the developer company. If you delete your account, you will lose all chats and their contents.
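As an added illustration of the session check described above (this is not code from the article or from Telegram), the script below triages a list of active sessions against the owner's known devices and, using the 24-hour rule, works out how long remains before each unknown session becomes able to terminate the owner's own sessions. The session records are constructed sample data whose field names are assumed to follow Telegram's Authorization object.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Telegram does not let a session younger than 24 hours terminate other sessions,
# so this is the window the legitimate owner has to act after an intruder logs in.
NEW_SESSION_LOCK = timedelta(hours=24)


@dataclass
class Session:
    # Field names follow Telegram's Authorization object (assumption); all values
    # used below are constructed sample data, not real logins.
    hash: int
    device_model: str
    platform: str
    country: str
    date_created: datetime
    current: bool


def triage_sessions(sessions, known_devices, now):
    """Return sessions that are neither the current one nor on the owner's
    allow-list, each paired with how long remains before that session is old
    enough to terminate the owner's own sessions (zero means it already can)."""
    flagged = []
    for s in sessions:
        if s.current or (s.device_model, s.platform) in known_devices:
            continue
        time_left = max(s.date_created + NEW_SESSION_LOCK - now, timedelta(0))
        flagged.append((s, time_left))
    flagged.sort(key=lambda pair: pair[1])  # least time left first
    return flagged


# Constructed sample: the owner's phone and laptop plus one unknown login 3 hours old.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
KNOWN = {("iPhone 13", "iOS"), ("MacBook Pro", "macOS")}
SAMPLE = [
    Session(1, "iPhone 13", "iOS", "RU", NOW - timedelta(days=400), current=True),
    Session(2, "MacBook Pro", "macOS", "RU", NOW - timedelta(days=90), current=False),
    Session(3, "SM-A125F", "Android", "NG", NOW - timedelta(hours=3), current=False),
]

if __name__ == "__main__":
    for s, left in triage_sessions(SAMPLE, KNOWN, NOW):
        hours = left.total_seconds() / 3600
        print(f"terminate hash={s.hash} ({s.device_model}, {s.country}); "
              f"{hours:.0f}h before it can terminate yours")
    # With the Telethon library (assumption, not run here) the real list comes from
    # client(GetAuthorizationsRequest()).authorizations and a session is ended with
    # client(ResetAuthorizationRequest(hash=s.hash)).
```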

Conclusion

Access to a Telegram account is an attractive target for attackers. Social engineering and phishing links are the methods used most often. To protect yourself, be sure to use two-factor authentication with a strong cloud password. In addition, do not forget the rules of digital hygiene: do not click on suspicious links, and do not enter your cloud password or authorization code anywhere other than the official app.

You can check in the settings at any time whether there are unauthorized connections to your account. If intruders are detected, terminate all active sessions except your own and change your password.