Telegram Hijack Attack Targeting Armenian Users

March 26, 2024

This report details a phishing campaign targeting Telegram users in Armenia, aiming to gain access to their accounts.

Attack Vector

The attack begins with unsolicited messages forwarded by already hijacked Telegram accounts to their contacts in Armenian. The attacker claims to be participating in a contest and requests the user’s vote, providing a malicious obvuscated URL, displayed as hxxps[://]DAXCEARM[.]WVE.  

Armenia -- Screenshot of a Telegram Phishing SMS, Yerevan, 26Mar2024

 

The actual URL, however, is this one: hxxps[://]cutt[.]ly/Hw2lLLHa. It is a shortened URL, using the service https://cutt.ly/, which has increasingly been used in phishing attacks in Armenia. Upon loading, the short URL will redirect to a Telegram hijack page, which in the initial stages of the attack surprisingly was in the Uzbek language: hxxps[://]dolbaebshesp[.]in/.

Armenia -- A fake Telegram login page, 26Mar2024

At a later stages of the attack the URL started rending an Armenian version of the fake login page.

Armenia -- A fake Telegram login page in Armenian, 26Mar2024

When the user submits their phone number, they are presented with a screen requesting a security code, mimicking the legitimate Telegram login process.

Armenia -- Fake Telegram code request page, Yerevan, 26Mar2024

If the attack is successful, a new authenticated session appears in the victim’s Telegram account under the “Devices” section.

The attackers can then use this access to send similar messages to the victim’s contacts, propagating the attack further.