Telegram Targeted by Phishing Campaign Using Official Login

Telegram detected a phishing campaign using official authorization

Information security experts have detected a new phishing campaign in Telegram, distinguished by the use of official authentication mechanisms of the messenger, Logos Press reports.


The attack is already being used against users in various countries and does not require hacking into the service’s infrastructure.

According to CYFIRMA analysts, attackers register their own Telegram API keys (api_id and api_hash) and use them to initiate legitimate login procedures to user accounts. All requests go through the official messenger infrastructure, which makes it difficult to detect an attack at an early stage.

Attack scenarios

According to the researchers, the campaign is carried out using at least two scenarios.

In the first case, the user is prompted to log in by scanning a QR code styled to look like Telegram's own. Once it is scanned, a new session is created in the mobile application and the attacker gains control over it.

In the second variant, the victim is persuaded to manually enter a phone number, a one-time confirmation code or two-factor authentication data. The information entered is immediately relayed through the official Telegram APIs to complete the login process.

The key element of the attack is the login confirmation stage. Telegram routinely sends the user a system notification about an attempt to log in from a new device. At this point, the phishing resource that started the authorization process presents the notification as part of a "mandatory security check" or "account verification" and encourages the user to confirm the login.

As a result, the account owner clicks the confirmation button himself and officially authorizes access to his profile. From a technical point of view, such a session is considered fully legitimate.

Scaling and implications

According to CYFIRMA’s assessment, the campaign is built on a modular principle with a centralized backend. The domains used can be swiftly replaced without changing the underlying attack logic, making it difficult to lock down the infrastructure.

Once an account is compromised, attackers typically use it to send phishing emails to the victim’s contacts. This allows the attack to quickly spread further by exploiting trust between users.
