Search This Blog

Showing posts with label Telegram. Show all posts

Toxic Eye Malware is Utilizing Telegram

 

As of 2021, numerous users left WhatsApp for messaging to various other applications that promised improved data protection only after the company announced that it might default share user metadata with Facebook. Many of those users turned to Telegram and Signal, which proves to be the competitive applications against WhatsApp. 

As per Sensor Tower, Telegram was perhaps the most installed application with over 63 million downloads in January 2021. Telegram chatting is still not encoded as in Signal Chat end-to-end encryption is there, but now Telegram does have another issue: malware. 

Software Check Point team recently found that cybercriminals use Telegram for something like a malware program named Toxic Eye as a communications platform. It turns out that certain aspects of Telegram are much more readily accessible by attackers than it is by web-based tools. Today, they have handy Telegram Bots to mess up with compromised machines. 

Toxic Eye is a kind of malware known as a remote access trojan (RAT). RATs can remotely monitor an intruder over an infected machine, which means that the attacker could steal host computer data, destroy, or copy files, hamper the operations of an infected machine, and much more. The Toxic Eye RAT is distributed through an e-mail with an encoded EXE file to a destination. The software installs the malware on the user computer if the target users access the file. 

RATs are comparable to programs of remote access and can be used to control user devices, for instance, by someone in technical support. However, even without authorization, these programs sneak in. They could imitate or hide with legitimate files that sometimes are concealed as a document or are inserted in a broader video game file. 

Attackers used Telegram to remotely manipulate malicious software. Check Point analyst Omer Hofman claims that from February until April 2021 the company found 130 Toxic Eye attacks with this tool, and some items make Telegram valuable to bad players who distribute malware. 

The firewall program doesn't obstruct Telegram. The network control tools are also not blocked. It's a user-friendly app that most people recognize as genuine, then let their guards down. 

The researcher's advice is that one must not access email attachments from unidentified senders, which raises suspicion. Also, take care of appendices containing usernames. Malicious emails also contain the username or an attachment title in the subject line. It is possibly malicious if the sender attempts to sound urgent, dangerous, or compulsive and forces the user to click upon a link or attachment or to provide sensitive data. If possible, then one must use anti-phishing tools.

RedLine Stealer: Masquerades as Telegram Installer

 

The .Net-based malware has recently been disguised as an installer of the popular secure messaging app, Telegram. 

Stealers are pieces of malicious code written with a hit-and-run mindset, intending to find something of value on an infected computer and return it to its owner. These sinister viruses usually infect through a second-stage payload or by masquerading as legitimate apps. One such stealer is Redline Stealer, which is often used by attackers to steal credentials from unsuspecting users.

According to Minerva, RedLine Stealer employs evasive techniques to bypass the security products, which begins with the unpacking process. The fake setup file is packed and highly obfuscated, like most of the .Net malware. No known packer is found using Detect-It-Easy, implying that the unpacking must be performed manually. 

Most of the variable and function names were scrambled after decompiling the malware, making it difficult to understand the code. The packer developer also decided to implement control flow flattening into the packer in order to make any reverse engineering effort truly miserable. Control flow flattening takes the normal program control flow and modifies it using numerous if/while statements. 

Packers typically use stenography or encryption in their arsenal, what appears to be malformed image files are actually the malicious payload, which is decoded and decrypted by a custom algorithm in the resources directory. 

The payload data is concealed inside the RGB values of image pixels. The first pixel contains the size of the meaningful data inside the image, while the others include the actual data. 

After decoding the image, the packer decodes the payload with the RC2 cipher, revealing and loading a file called "Lightning.dll" into memory. An object named "GameCore.Core" is instantiated from the in-memory DLL file, and inside it, a function named "Game" receives yet another image file from the binary's resources directory, along with a hardcoded key. 

The "Game" feature decrypts the final payload and then uses process injection to load the malware into another process's memory space. The payload is then identified, and it is fully un-obfuscated, which allowed seeing its C&C address in cleartext, Minerva reported.

ToxicEye: Trojan Abuses Telegram to Steal Data

 

The Telegram service is being exploited by operators of a new Remote Access Trojan (RAT) to keep control of their malware. ToxicEye is a ransomware that uses Telegram as part of its command-and-control (C2) infrastructure to steal data. 

In a blog post published on Thursday, Check Point Research's Omer Hofman stated that the latest remote malware has been seen in the wild, with over 130 attacks reported in the last three months.

Telegram is a communication platform and instant messaging service that has recently seen a boost in popularity as a result of the recent controversy surrounding WhatsApp's data-sharing policies with Facebook. The platform, which has over 500 million monthly active users, has also proven popular among cybercriminals who use it to distribute and execute malicious software. 

ToxicEye operators start the attack chain by creating a Telegram account and a bot. Bots are used for several tasks, such as reminders, searches, issuing orders, and launching surveys. In this case, however, the malware's configuration includes a bot for malicious purposes. 

According to researchers, "Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user's device back to the attacker's C2 via Telegram." 

Phishing emails with malicious document attachments are sent to intended victims. ToxicEye is launched if a victim allows the resulting malicious.exe file to be downloaded. The ToxicEye RAT has a variety of features, which include the ability to search for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as pass and deletes files, disable PC processes, and hijack task management. 

Furthermore, the malware can install keyloggers and gain access to microphones and camera peripherals to capture audio and video. The researchers discovered ransomware characteristics such as the ability to encrypt and decrypt victim data. 

The user should check for "C:UsersToxicEyerat.exe" if suspects an infection. This applies to both personal and business use, and if a file is discovered, it should be deleted immediately. 

Researchers stated, "Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data

 

Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram for gathering user data stolen on phishing websites. Emails remain the popular method among threat actors to exfiltrate stolen data but these methods foreshadow a new trend in the evolution of phishing kits.

After analyzing the phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools permit collecting users' stolen data using Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or firm or even several at once. Phishing kits are often sold to those hackers who do not have exceptional coding skills. These phishing kits allow them to design an infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. Besides, a thorough examination of the phishing kit helps researchers in detecting digital footprints that might lead to the developers of the phishing kit.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands which were on the target list of cybercriminals, most of them being for online services (30.7% - online tools to view documents, online shopping, streaming service, and more,) email customers (22.8%), and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google, and Yahoo.

Another trend the researchers noticed was that the developers of phishing kits were double-dipping to increase their profits by adding code that copies the stream of stolen data to their network data host. Security researchers explained that one method is by configuring the ‘send’ function to deliver the information to the email provided by the buyer of the phishing kit as well as the ‘token’ variable linked with a concealed email address.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocking phishing websites with new web pages,” Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.

Malware Campaign Targets Telegram Desktop Application

 

An independent security researcher based in Basel, Switzerland, Jannis Kirschner, began to look for the widely known Telegram desktop version on the internet on Sunday. The second Google result was an advertisement, which led him directly to malware cloaked as a Telegram for Windows desktop version. At first sight, it was sufficiently convincing for Kirschner to say that "almost fell for it myself." 

Malware vendors are habituated to use the same publicity tools that online businesses use to attract people. To stop such abuse, Google patrols its advertising ecosystem, but malware advertising is still an ongoing problem. Although a visit by telegramdesktop[dot]com to one of those sites now triggered an alert from the Google Safe Browsing service, that the two sites were unsafe and potentially still active and duplicated others. These include the telegraph[dot]net and the telegram[dot]org. The websites were reported to Google by Kirschner. 

Each of these three spoofed websites is Telegram's clones. All links on cloned sites are redirected to the legitimate Telegram domain, design.telegram.com. But one link is exchanged which is supposed to be the execution for the Telegram Desktop version of Windows. 

"A repo probably was a bad choice for delivering malware since it's very verbose (download numbers, time, and other documents)," Kirschner says. "The biggest opsec mistake was that they didn't clean one of the repo's metadata, which led me to discover commit messages and their e-mail [address]."

He further adds that "I believe that it is the same threat actor or group since the TTPs [tactics, techniques, and procedures] are the same, and all sites have been established in a very close timeframe using the same hoster and certificate authority." 

At least a temporary benefit is offered to host malware on platforms such as Bitbucket: surface links are often deemed to be genuine, and attackers are subject to a malicious reservoir that needs to be removed until someone reports it. The techniques help cover a technological filtering and manual screening campaign, but don't always measure properly, says Kirschner. 

A February 2020 report by the security firm Cybereason reported over half a dozen newcomers, crypto miners, ransomware, and other malware put on Bitbucket by bad actors. 

The telegramdesktop[dot]com website seems to be shared with Moldova. Kirschner says this domain was registered on 29 December 2020. A search in the Wayback Machine of the Internet Archive, reveals that telegramdesktop[dot]com was redirected to the rightful domain telegram.org in April 2018. However, according to DomainTools records, the domain expired in October 2018. 

"I assume that domain once belonged to Telegram themselves, expired and was taken over by the criminals now," Kirschner further says.

Sift Exposes New Telegram Fraud Scheme to Exploit Restaurants and Food Delivery Apps

 

As the popularity of food delivery apps is increasing with each passing day so is the revenue,  as a consequence, these apps have been on the hit list of scammers. Sift, a US-based digital trust and safety firm has stated that it has spotted a fraud scheme where scammers leverage the chatting app Telegram to steal from restaurants and food delivery apps.

Sift’s Digital Trust and Safety experts discovered that threat actors are promoting their services on Telegram forums to buy food and beverage orders at steep discounts, using stolen payment information on behalf of clients.

The methodology used by fraudsters

Professional scammers advertise in Telegram forums, such as ‘Fraud Market’ that they can illicitly buy food and beverage orders at a steep discount, typically 60-75% off. Diners who are tempted to take advantage of this offer direct-message the scammers along with a screenshot of their food app shopping cart and their delivery address to place the order.

The scammer accepts the order and the diner pays the scammer using cryptocurrency such as Bitcoin or Ethereum via PayPal, Venmo, or Cash App and the scammer covers the whole cost via a new account, stolen credit card information, or a hacked account.

Brittany Allen, trust and safety architect at Sift explained that “the Dark Web can be difficult to access and with frequent marketplace shutdowns by law enforcement, bad actors are looking for new places to commit a crime. End-to-end encrypted messaging platforms like Telegram are attractive options as they are more accessible and it is easier to go undetected when committing low-level fraud.”

Sift experts disclosed that from the third quarter to the fourth quarter of 2020 there was a 14% increment in payment scams targeting restaurants and food delivery apps. This is not the first scheme that Sift experts have uncovered to exploit the restaurants and food delivery services.

Cyber Criminals trying to hack Russian popular Telegram channels using ads from GeekBrains

 The owners of the Telegram channels noted that scammers under the guise of advertising offers send malicious files.

" In particular, they can be represented by advertising managers of the GeekBrains educational platform", Nikita Mogutin, the co-founder of the Telegram channel Baza (more than 310,000 subscribers), wrote on Facebook. Owner of the Telegram channel Madonna (more than 9500 subscribers) Madonna Moore said that five scammers write to her a day. She also published the text of correspondence with a person who introduced himself as a representative of GeekBrains. 

GeekBrains has received many complaints about fraud on behalf of the company and has already sent out warnings to agencies and bloggers, said Elena Toropina, head of the company's marketing department. In her opinion, the attack on the channels is connected with the growth of the online education industry, which spends a lot of money on advertising.

Kaspersky Lab reported that the attachments sent by the attackers contain a Trojan virus. 

"If the victim runs the file, a program will be installed on the computer that will steal the accounts stored on it and provide fraudsters with hidden remote control of the Telegram channel", told Yaroslav Kargalev, deputy head of the Group-IB incident response center. According to him, scammers can also change the phone number in the channel's account to get full control over it.

Most often, channel theft is needed to publish links to malicious resources in the Telegram channel or to get a ransom, said Sergey Trukhachev, head of the special services unit of Infosecurity a Softline Company.

"The increase in the activity of scammers may be associated with the influx of new users to Telegram", noted Kargalev.

Telegram downloads have increased dramatically as WhatsApp has added a clause to its rules that allows users to share their personal data with Facebook. Moreover, the growing popularity of Telegram is due to the fact that supporters of Donald Trump, who was blocked in many social networks, have "flowed" there.

Telegram founder Pavel Durov called the sharp increase in the number of new users "the largest digital migration" in human history. In the first week of January, Telegram's monthly audience overcame the mark of 500 million active users.

Earlier, E Hacking News reported that Pavel Durov advised users to remove WhatsApp from smartphones. He called the WhatsApp application unsafe.


WhatsApp Clients Resort to Other Messaging Platforms

 

WhatsApp has told its two billion clients they should permit it to share information with its parent organization Facebook if they wish to keep utilizing it. All WhatsApp clients would not be able to proceed with the service except if they accept the new terms by 8 February. The stage said the update will empower it to offer features, for example, shopping and payments. 

Message platforms Signal and Telegram have both seen a gigantic surge in downloads around the world over after a questionable update to WhatsApp's terms and conditions. 

As per information from analytics firm Sensor Tower, Signal was downloaded all around the world multiple times the week before WhatsApp declared the change on 4 January and 8.8 million times the week after. This included big surges in India, where downloads went from 12,000 to 2.7 million, the UK from 7,400 to 191,000, and the US from 63,000 to 1.1 million. In a progression of tweets, Signal said a few people were detailing issues with creating groups and postponements to verification codes showing up in light of the fast development but that it was addressing the issues. 

Telegram has proved to be even more popular, with downloads booming all around the world from 6.5 million for the week starting 28 December to 11 million over the next week. In the UK, downloads went from 47,000 to 101,000. Furthermore, in the US they went from 272,000 to 671,000. During the same period, WhatsApp's worldwide downloads shrank from 11.3 million to 9.2 million. 

One industry watcher said he didn't think this fundamentally spoke to a major issue for WhatsApp, which has been downloaded 5.6 billion times since its launch in 2014. 

"It will be hard for opponents to break user habits, and WhatsApp will keep on being one of the world's most popular and broadly utilized messaging platforms," said Craig Chapple, mobile insights strategist at Sensor Tower. 

WhatsApp reassured its clients that it doesn't keep logs of every individual who is messaging, it can't see your shared location, it doesn't share your contacts to Facebook, and that groups can stay private. It likewise exhorts clients that they actually have the choice to set messages to disappear and that they can't download their information. WhatsApp's clarification may figure out how to reassure a few clients that the privacy changes aren't as troubling as first dreaded, yet for other people, it might have come past the point of no return.

Researcher Exposes Telegram's Location Bug, Company Say It's a Feature

An expert who observed that messaging platform Telegram's "People Nearby" feature revealed risk of accurate user location, is now informed that the feature is "working as expected." Users who use the "People Nearby" feature can view a list of other telegraph users within a short mile radius. Users can also find local group chats.  

Ahmad Hassan used a software that allowed him to fake the location of his Android phone, using it, he found locations of individuals from three different points. He used trilateration to pinpoint exact user location. Using this method, Ahmed could get accurate location of the users, including their home addresses, which is quite easy.  Hasan had found the issue hoping to get Bug Bounty as a reward, instead, he was told that the Telegram users share their locations intentionally i the "People Nearby" section. To determine the exact location of the users, one can expect sometimes to find it under certain conditions.  

But Hasan says that when a user allows "People Nearby" location, he is indirectly posting his residential address online. Many of the users are unaware of this information while they are using the feature. He also believes a widespread problem exists where hackers or users with malicious intent can use fake locations to join local group chats, and attack users with spams or phishing attacks using malicious links. It includes fraud links and fake Bitcoin investments, which is a proof to the poor app security.  Telegram claims that their platform is "more secure than mass market messengers like WhatsApp and Line." 

However, Telegram fails to mention the risks that can arise from malicious users. Others apps in recent times have also experienced the location issue.  The Register reports, "obtaining the location of nearby users is not an issue exclusive to digital devices. A stranger may follow someone home, for example. It is also not so long ago that a huge printed directory of local names, addresses, and telephone numbers used to be delivered to almost every home in many countries – and in the UK BT's online Phone Book service still offers a person search, including address details for those who have not opted out."

The European Commission added VKontakte and Telegram to the list of pirate sites

VKontakte is surprised by the decision of the European Commission to include the social network in the list of resources that contribute to online piracy, the company has been interacting with copyright holders for many years and quickly restricts access to controversial content

The European Commission has published a new list of resources that promote piracy and can benefit from it. The list for the first time included the Telegram messenger and the social network VKontakte.

The list is formed on the basis of reports from groups of right holders. According to the European Commission, Telegram users, including using public channels, "exchange illegal content, in particular music, books, news publications, films and TV programs." In addition, subscribers share links to other sites that host pirated content.

The social network "VKontakte" is also included in the list due to many complaints from copyright holders. Users of the social network can have unauthorized access to books, as well as to movies and TV shows, in particular through the built-in video players.

Both Telegram and VKontakte objected to their inclusion in the"piracy watch list". Telegram told the European Commission that it "does not tolerate any malicious content on its platform" and removes it within 24 hours. VKontakte also noted that it is fighting piracy. In particular, the social network indicated that the copyright holder can complain about copyright infringement through an electronic form. According to VKontakte, its employees processed more than 1.36 million such complaints, most of which ended with the removal of content.

"We are surprised by the inclusion of VKontakte in this list, as for many years we have been actively interacting with copyright holders in various areas," said the press service of the social network.

According to them, the company signed agreements with the world's largest copyright holders of music products, including Universal Music, Sony Music, and Warner Music, The Orchard, Merlin Network, Believe Digital.

Hackers attacked major Telegram channels via video on Yandex

 On November 10, hackers conducted a major attack on popular Telegram channels. Reddit's administrators completely lost access to the channel, to which 236 thousand people were subscribed. The attackers used the old scheme: they simply sent the Trojan-infected file to the administrators

Hackers stole the Telegram channel of the Reddit forum, administrators could not log in to the control panel. The Telegram channel Baza was also attacked, but the attackers failed to gain access to the channel.

The hackers had the following scheme: they offered to buy advertising space, but first they asked to watch a video with their materials, which could be downloaded from Yandex.Disk. The document could not be opened on a mobile device, and hackers offered to download it to a desktop computer.

After launching the file, the owner of the Reddit channel with 236 thousand subscribers was no longer able to access it.

General Director of the lab Studio.AG Artem Geller explained that this is a very old method of fraud, and Windows is an object for such files. Hackers, under various pretexts, send material containing malware. It allows access to the entire operating system if the victim opens the file. In this particular case, the attackers were interested in Telegram, so the Reddit account was stolen.

Can't blame Yandex.Disk for missing the Trojan. According to Geller, about 300,000 new viruses appear every day in the world, so it's simply impossible to catch them all. Moreover, it may not be a new virus, but a modification of the old one. At the same time, the Trojan has no task to destroy the computer system.

Cloud storage is a convenient way for fraudsters, because they can upload a file of any size there, unlike email. Unprotected, unencrypted files without passwords are loaded into these vaults.

According to the information security expert Alexander Vlasov, we must remember one thing: those who provide the service for free, never sign up to the fact that they will protect your files. Yes, they are trying to track malware, but within the general outline of the ecosystem.

Apple denied Durov's statement about the request to block Telegram channels about Belarus

The founder of Telegram, Pavel Durov, accused Apple of trying to "avoid responsibility for complying with its own rules" by using "tricky language". Durov wrote about this in his Telegram channel.

Earlier, Durov said that the Corporation requested the blocking of three channels dedicated to Belarus. They published photos and personal data of security forces and members of election commissions who, according to the authors, committed violations in the elections. The total number of subscribers was about 100 thousand.

According to Durov, Apple's "trick" lies in the company's claim that it does not require disabling three Belarusian channels that disclose the personal data of security forces involved in suppressing protests. Apple requires not to publish posts that disclose personal information. However, Durov notes, the company does not mention that these channels consist entirely of such posts.

"By hiding its requirements in vague words, Apple is trying to avoid responsibility for complying with its own rules", said the founder of Telegram.

"It's time for Apple to learn to take responsibility for its policies, rather than trying to hide them from users,” added he.

According to Durov, he would prefer to keep these channels. The founder of Telegram suggested that they will eventually be blocked on devices using the iOS operating system, but the channels will remain available on other platforms.

According to Apple, the company received complaints from users that their personal data, including names and phone numbers, was transmitted through channels. These complaints were passed to the messenger team, asking them to remove information that reveals someone's personal data on the Internet without their consent, as well as content aimed at specific people.

Telegram did not raise any objections, but promised to check this information and inform Apple about the results of the check.

Earlier, E Hacking News reported that a group of hackers threatens to bring down the tax, energy and banking systems of Belarus if the head of state Alexander Lukashenko does not comply with the ultimatum.

Telegram Takes Down Islamist Propaganda on its Platform, Extremist Groups Struggle


The social networks and US military have imposed high regulations to control Islamist propaganda on social media and have been able to take down Islamic State terrorist groups. After this move, experts say these groups are now struggling to recover their control on the mainstream social media apps and networks. As most of the major social networking sites have choked the group, the Islamist group has tried to build its propaganda on small sites. But even there, it has met by strong regulations by the authorities. According to Europol, an EU (European Union) law agency, the social networking companies have tried to bring down these Islamist propaganda content growing on their websites, in an attempt to take down the extremist group activities on social media.


Europol, in its report, said, "While Google and Instagram deployed resilience mechanisms across their services, Telegram was the online service provider receiving most of the referral requests during this Action Day. As a result, a significant portion of key actors within the IS network on Telegram were pushed away." These extremist groups used Telegram as their primary platform of propaganda until 2019.

According to Europol, Telegram had removed up to 5000 terrorist profiles and bots in two days, in an effort against shutting down the Islamist propaganda. Earlier, it was only able to take down 200-300 accounts on average. After that incident, the extremist groups moved towards more covert apps like the Russian "TamTam" and "Hoop Messenger." Canada hosts these websites. The IS, in apparent desperation, has also started using chat services designed for blockchain developers to spread their messages. In 2016-17, the US cyber command took action against these extremist groups. It shut down recruitment groups and suppressed their further attempts to spread the messages.

Currently, the US cyber command has presidential approval to combat IS propaganda with cyberattacks. They have also widened their jurisdiction area since then. "In the past year and a half, Telegram has also put forth a considerable effort to root out the abusers of the platform by bolstering its technical capacity in countering malicious content and establishing a close partnership with Europol," says Europol.

Pavel Durov called on Apple to oblige to install different application stores


Apple should allow users to install apps not only from its own App Store. This opinion was expressed by the founder of Telegram messenger Pavel Durov. According to him, Tim Cook (CEO of Apple) should be obligated to this at the legislative level.

The day before, high-ranking Telegram Manager, Vice President of the company founded by Pavel Durov, Ilya Perekopsky, spoke at a panel discussion with Russian Prime Minister Mikhail Mishustin and representatives of the IT industry in Innopolis. He said that Apple and Google are holding back the development of startups by charging a tax of a 30 percent Commission from app developers. Almost simultaneously with Perekopsky's speech, Durov published an article in which he called for Apple to be legally obliged to install an alternative App Store on the iPhone.

Durov is sure that if this is not done, then app developers, in particular, from Russia, will be forced to sell their startups for little money. At the same time, Apple's capitalization will only grow.
“Preventing two supranational corporations from collecting taxes from all of humanity is not an easy task. Corporations employ thousands of lobbyists, lawyers, and PR agents, and their budgets are unlimited. At the same time, app developers are scattered and scared, as the fate of their projects depends entirely on the favor of Apple and Google," wrote Pavel Durov.

The head of the TelecomDaily information and analytical agency Denis Kuskov noted that changing the market is quite difficult because these two companies are leading it. Therefore, Durov needs to accept this fact.

Durov recalled that in 2016, Apple banned the Telegram team from launching its own game platform: "We had to remove the telegram games catalog that we had already created and almost the entire platform interface, otherwise Apple threatened to remove Telegram from the AppStore." According to Durov, in a similar way the iPhone manufacturer does with many other developers.

Telegraph service was unblocked in Russia


Russia stopped blocking the popular Telegram messenger almost a month ago. However, the related Telegraph service continued to be blocked. Now Russia has also unblocked the Telegraph platform for publishing and creating articles. 

The Telegraph platform was launched by the Telegram team in November 2016. It is designed to quickly create and publish articles, notes, and other similar content, a link to which can then be easily shared. Registration is not required for publication.

The blocking of the Telegra[.]ph service in Russia began at the end of 2018, a little later than the Telegram messenger.

According to the Roskomsvoboda resource, which closely monitors the registry of blocked sites, all pages with the Telegra.ph domain, which were blocked in Russia by the decision of a particular authority, are now excluded from the blocking registry. The last two similar pages were removed from the blacklist only on July 11.

It is interesting to note, according to Press Secretary of the President of Russia Dmitry Peskov, the cancellation of restrictions on access to the Telegram messenger in Russia is perceived positively in the Kremlin, as it is in line with the course of President Vladimir Putin on the development of the high-tech industry.

The Press Secretary of the Head of State also noted as a positive fact the participation of heads of the company that owns the messenger in government events on the development of the IT industry.
Recall that in Russia since April 2018, Telegram was blocked for non-compliance with the requirements for providing encryption keys, but during the coronavirus pandemic, the government began to use the messenger to distribute official information. In this regard, the State Duma even introduced a bill to unblock Telegram.  On June 18, Roskomnadzor decided to remove restrictions on access to the messenger, the creator of which, Pavel Durov, congratulated the Russians on this event.

IM Platforms Increasingly Used by Threat Actors in Place of Dark Web Marketplaces


Researchers at IntSight have discovered that IM platforms such as WhatsApp, Telegram, Discord, IRC, and Jabber are being used by cybercriminals for advertising and putting their goods and services on sale. One of the major reason as to why cybercriminals are switching to these IM platforms from the conventional ones is 'law enforcement practices'; law enforcement operations have been targeting online darknet markets one after another. Earlier in 2017, the world's largest dark web market, AlphaBay was taken offline, sending darknet users into chaos. Immediately after, the cyberspace witnesses the shut down of Hansa, another major darknet market. As more and more major dark web markets went offline due to the law enforcement penetrations, cybercriminals are wisely migrating to new platforms.

Although threat actors are loving IM platforms, the regular cybercrime sources such as dark web markets, credit card shops, and forums are still witnessing their web usual traffic. These platforms have more advantages such as chatbots, fewer rules, and automated replies due to their core nature, unlike IM platforms that are majorly meant for communication.

While giving insights, Etay Maor, IntSights CSO, said, "Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums."

"Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also a trade of physical items stolen or counterfeited from organizations in the retail industry.” He added.

“While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States.” Maor further explained.

Telegram has withdrawn its appeal against the ban on issuing Gram tokens


The company appealed the court decision in March, but then the founder of the messenger, Pavel Durov, announced the termination of work on the blockchain project

Telegram has withdrawn an appeal against a court order banning the distribution of Gram tokens as part of proceedings with the US Securities and Exchange Commission (SEC). The decision was supported by both parties, the withdrawal was carried out using the standard form based on rule 42.1 — "leaving without consideration".

The appeal was sent in March after a court banned Telegram from issuing Gram tokens.  The court ruled in favor of the SEC, which argued that the Gram tokens were unregistered securities. The court also ruled that Telegram cannot issue tokens even outside the United States since this will give US citizens the opportunity to buy these tokens outside the country as well.

The founder of Telegram in an American court said that people outside the US can vote for their presidents and elect their own parliaments, but they are still dependent on the US when it comes to technology and finance.

On May 12, the founder and CEO of Telegram Pavel Durov announced the termination of work on the blockchain project. He accused the US court of sentencing the TON project before it could be successfully implemented. Investors were offered to return 72% of their investment or sign a loan agreement with a return of 110% in a year.

After that, TON investor Vladimir Smerkis said that the majority of ICO participants are inclined to file a lawsuit against Durov. Smerkis allowed an option in which the Telegram team will need to make concessions to investors and reconsider the option of paying out funds.

Let's remind that on April 1, Federal Judge of the Southern District of New York, Kevin Castel, rejected Telegram's request to clarify the possibility of distributing Gram tokens bypassing American investors.

WhatsApp and Telegram Group Links Leaked Online



A security researcher recently discovered that a lot of WhatsApp and Telegram Group invite links that may not be up for public viewing are appearing in multiple search engines like on Google, Yahoo, Yandex, and Bing.

On Friday, researcher Jordan Wildon, a multimedia journalist at Deutsche Welle warned that owing to a critical issue, several illegal groups and activities along with genuine private groups were exposed.

In the light of the leak, various security measures have been taken by both the companies, however, to erase the links from public searches completely so that they are no longer discoverable by people to join will require much more efforts.

This critical flaw not only abused the privacy of the aforementioned messaging apps by exposing around 450,000 groups online but also allowed data mining as the phone numbers were made available directly.

Notably, these messager apps' invite links have been indexed by several search engines. Due to this indexing feature, WhatsApp and Telegram group invite links are also being displayed publicly by these search engines and the visibility increased the reach even further. Two major happenings took place due to these leaked links – Unwanted and uninvited people joined various groups through the invite links and it also paved an easy path for hackers to discover other conversations through brute force attacks.

While addressing the issue, WhatsApp has seemingly removed the invite links for groups from Google and the company also took other steps in order to prevent indexing.

Wildon took to Twitter to provide updates, "JUST IN: Google appears to have removed indexing of WhatsApp links. Other major search engines appear to still be indexing chat links."

"UPDATE: This has been fixed on Google, but results are still available elsewhere. If you’re concerned, I’d recommend going into group settings, tapping “Invite to Group via Link” then “Reset link”. he tweeted.

Pavel Durov again warned about the danger of using WhatsApp


Pavel Durov claims that the hacking of the iPhone of Jeff Bezos, the richest man in the world, occurred due to vulnerabilities in WhatsApp. Facebook which owns the messenger insists that the leak is related to the Apple device itself.

The reason for the leak of personal photos and correspondence of the founder of Amazon and the richest man in the world, Jeff Bezos, is a vulnerability in the encryption system of WhatsApp, not problems with Apple gadgets. Telegram founder Pavel Durov wrote about this in his Telegram channel.

This is how he reacted to an interview with Vice President of Facebook's Global Policy Department Nick Clegg, who said that Bezos confidential data leak was due to the iPhone. "We are confident that end-to-end encryption technology cannot be hacked," he said.

Durov recalled that a few months ago he talked about the vulnerabilities of WhatsApp, which, in his opinion, eventually led to the hacking of Bezos smartphone. At the same time, Facebook then assured that there is no evidence that attackers used this vulnerability. According to the founder of Telegram, the backdoor in WhatsApp allowed access to personal messages and photos of the richest man in the world.

Durov explained that the vulnerability used during the hacking of Bezos phone existed not only on iOS, but also on smartphones with Android and Windows. In addition, it is not available in other messengers.

Durov also accused WhatsApp management of using the phrase "end-to-end encryption" as a "magic spell" that automatically makes correspondence secure. He pointed out that the technology itself does not guarantee complete privacy. For example, WhatsApp developers may intentionally leave vulnerabilities in the app at the request of security forces from different countries. As a result, WhatsApp has no problems with the authorities, and Telegram is banned in some countries like Russia and Iran.

Russian Telegram Accounts Hacked by Intercepting One Time Password (OTP)


According to a firm Group-IB, in the last few weeks a dozen Russian entrepreneurs saw their Telegram accounts hacked. And what's disturbing is the way these accounts were accessed. The attackers intercepted the codes used to authenticate user and give access.

A Telegram App logo in QR code

 How the attackers gained access?

In normal procedure, whenever someone logs into Telegram using a different device, a one-time password (OTP), is texted to them and the user can log into their account using this secret code. Now, these hackers managed to access this one-time secret code and snooped on Telegram chats of various users.

Dmitry Rodin, one of the victims of this attack, runs a coding school in Russia. He told the media, he was given a warning by telegram, that someone is trying to access his account. He ignored the notification but another notification came saying some has successfully logged in from Samara, Russia, he immediately terminated all active sessions except for his.

Like Group-IB, he also believes that there was a problem with the telecom operators or his phone was hacked and not the messaging app Telegram. “Perhaps someone logged into my account by intercepting the SMS, which suggests that there might be a problem on the side of the telecom operator,” he said. “This means that other accounts using SMS as an authentication factor are also threatened.” 13 such cases have been reported so far.

"However, this number is likely to increase since we are speaking about a new threat, which has just started spreading,” a company spokesperson said.

 Is SS7 being abused?

The most worrying part is that One-time password (OTP) were hacked, if this hypothesis is indeed true then we are looking at a very big security threat as this technology is used in many log-ins and financial transactions. Another hypothesis is that victim's devices were hacked and the attackers were spying on their messages but Group-IB found no traces of such activity on the victims' phones. And thus Group-IB is tilting towards a mobile network SS7, that's being abused.

Forbes reported, "Think of SS7 as the part of telecom infrastructure that deals with shifting users between networks as they travel abroad. It also manages the changes in charges when traversing different nations’ networks. But in recent years, hackers have learned that if they can get leverage on that network they can silently intercept text messages. Previously, such attacks have been used in bank account breaches and by surveillance companies."

Now, this same network could be used for hacking Telegram accounts.

 Selling access to accounts on the dark web 

Group-IB also suspects that access to these accounts is being sold on the dark web-based Hydra forum for 3,900$ as well as selling access to WhatsApp messages and user info. Now, they think that these could be linked.

“What made us think that the attacks might have something in common with these advertisements is the fact that the incidents coincided with the time the posts were published,” the company spokesperson added.“But we cannot rule out that there are far more connections between these  two events, which is yet to be established in the course of an investigation.”