Phishing attack against Armenian users of Telegram using Post Bot

phishing, Telegram

July 10, 2023

Thousands of Armenian users of the Telegram application were subjected to a phishing attack today. Below are the details of the attack.

The attack starts when one of your contacts sends a message as in the screenshot below:

Armenia -- Screenshot of a phishing attack using Post Bot, Yerevan, 10Jul2023

This usually means that your contact has already been attacked and their account has been compromised. The message isn’t actually from your friend, but from an advertising bot called Post Bot.

Armenia -- Screenshot of Post Bot, used to spread a phishing attack among Armenian users of Telegram, Yerevan, 10Jul2023

The text of the message is simple: “please vote for me”, followed by a link such as hxxps[://]th[.]link/4U8po or hxxps[://]th[.]link/4U7ZK (links are defanged).

The links were generated with a Russian URL shortening service, th.link, which is branded as part of the Russian marketing agency https://targethunter.ru/. Although the https://th.link service poses no threat in itself, a number of anti-virus vendors flag it as phishing, which may mean that unscrupulous users are abusing it to generate phishing links.

Once opened, these links take the user to phishing pages on the uz-golos.shop or vote-arm.shop domains. Both domains (more may appear) were registered through onlinenic.com and list “pos.-Belovodsk-Belovodskij-r-on,-Luganskaja-obl.” as the place of registration. In addition, both domains use Cloudflare for DNS hosting and automatically redirect to Google.com when the main page is loaded, so many anti-virus programs that open the page and land on Google consider the domain safe. Moreover, even deeper links are considered safe, for example hxxps[://]uz-golos[.]shop/number4 in our case, which is already clearly a phishing page.
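As an added example (not part of the original write-up), a small Python check for the evasion just described: a domain whose root redirects to a known-benign site while its deeper paths serve content should not be trusted on the strength of its landing page. The observations below are constructed, and the vote-arm.shop path is hypothetical; a real scanner would record them from actual fetches.

```python
from urllib.parse import urlsplit

# Constructed sample of what a URL scanner might observe when fetching the
# root page and a deep path of each domain: (defanged URL, HTTP status,
# Location header). These values are hypothetical, not captured traffic.
OBSERVATIONS = [
    ("hxxps[://]uz-golos[.]shop/", 302, "https://www.google.com/"),
    ("hxxps[://]uz-golos[.]shop/number4", 200, None),
    ("hxxps[://]vote-arm[.]shop/", 302, "https://www.google.com/"),
    ("hxxps[://]vote-arm[.]shop/number7", 200, None),  # hypothetical path
    ("hxxps[://]example[.]org/", 200, None),  # benign control domain
    ("hxxps[://]example[.]org/vote", 200, None),
]

# Hosts that a root-page redirect commonly points at to look harmless.
KNOWN_BENIGN_REDIRECT_HOSTS = {"google.com", "www.google.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def refang(url):
    """Turn a defanged indicator (hxxps[://]host[.]tld) back into a real URL."""
    return url.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def host_of(url):
    """Hostname of a URL, or an empty string if it has none."""
    return urlsplit(url).hostname or ""


def flag_landing_page_evasion(observations):
    """Return {host: [deep paths]} for domains whose root path redirects to a
    known-benign host while at least one deeper path serves content (200)."""
    root_redirects = {}
    deep_served = {}
    for defanged, status, location in observations:
        parts = urlsplit(refang(defanged))
        host = parts.hostname
        is_root = parts.path in ("", "/")
        if is_root and status in REDIRECT_STATUSES and location:
            if host_of(location) in KNOWN_BENIGN_REDIRECT_HOSTS:
                root_redirects[host] = location
        elif not is_root and status == 200:
            deep_served.setdefault(host, []).append(parts.path)
    # Only domains showing both behaviours are flagged; example.org is not.
    return {h: deep_served[h] for h in root_redirects if h in deep_served}


if __name__ == "__main__":
    for host, paths in flag_landing_page_evasion(OBSERVATIONS).items():
        print(f"{host}: root redirects to Google, but serves {paths}")
```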

The actual phishing attack looks like this:

Step 1

Armenia -- Telegram Phishing attack, step 1, Yerevan, 10Jul2023

Step 2

Armenia -- Telegram Phishing attack, step 2, Yerevan, 10Jul2023

Step 3

Armenia -- Telegram Phishing attack, step 3, Yerevan, 10Jul2023

!!! URGENT !!! Under no condition enter the code you receive in this window!!!