Phishing actors are aggressively using Telegram’s anonymous writing platform, Telegraph, to set up temporary landing pages that lead to the theft of account information.
Telegraph is a blogging platform that allows anyone to post anything without having to create an account or provide any personal information.
While this gives publishers anonymity, it also exposes the platform to widespread abuse by threat actors for their own campaigns.
There is no central area where Telegraph posts are promoted to the community, but threat actors can distribute the links to their published posts in any way they want. As a result, Telegraph is quick, easy, and anonymous.
Furthermore, because Telegraph’s editor allows for the addition of images, links, and text style options, a blog post can be made to look like a web page, complete with login forms.
Phishing pages
Phishing actors use Telegraph extensively to build phishing sites that look like website landing pages or login gateways, according to a report by INKY shared with Bleeping Computer before publication.
According to INKY’s data from the end of 2019 to May 2022, the use of Telegraph links in phishing emails has been on the rise recently, with over 90% of all detections occurring this year.
Because these links are hosted on Telegraph, a platform that is not flagged as harmful or suspicious by any email security solutions, the phishing emails have a high delivery rate.
In several cases, INKY noticed that the phishing emails came from hijacked email accounts, which allowed them to bypass block lists of known scam addresses.
In the majority of cases, the phishing actors’ goal is to commit bitcoin fraud or capture their targets’ account information.
INKY has seen a wide range of cases, indicating that the abuse of Telegraph is coming from a variety of groups and actors rather than a single threat cluster.
A OneDrive alert, for example, leads to a realistic-looking Microsoft login page, prompting the victim to input their account details.
In another case, INKY discovered an extortion message threatening to release private files unless the recipient paid a ransom. The payment gateway is hosted directly on Telegraph and provides defrauded victims with a variety of payment choices.
How to Safeguard Yourself
Phishing actors are always looking for new ways to improve their chances of success. They frequently accomplish this by combining stolen email accounts with free sites such as Telegraph.
As a result, users should not trust an email simply because it has passed through security measures. Before clicking on a link in the body, hover your cursor over it to see where it redirects.
Before typing anything into the fields on any site that asks for your account credentials, double-check that you’ve arrived at the official login portal.
Finally, always stay calm and avoid rushing into action. There’s no such thing as an internet emergency that doesn’t allow you to take a few minutes to investigate potential scam indications.