How one experienced developer lost his Telegram account in three days, and a second almost transferred 100,000 rubles to a “friend”

Colleagues from the information security department of a financial organization told us how their IT specialists were recently attacked – we wrote this article together with a CISO who actively participated in the investigation.

It seems that IT professionals should have a better understanding of internet fraud due to the nature of the job, but having skills in developing or managing network devices does not make one immune from cyberattacks.

The first employee fell for an updated version of the fake-voting scheme and handed his Telegram account, with all of its correspondence, to the scammers. The second was nearly scammed out of 100,000 rubles, but turned to his security team for help in time and kept the money.

Using examples of attacks, we will show why fake voting works even for seasoned specialists, how to protect yourself from the scheme and teach all employees to repel attacks.

To preserve the anonymity of the heroes, we will call them by other names.

Developer Slava votes for a “friend”, loses his account and nerves

Saturday. Morning. Developer Slava takes a break from everyday work and scrolls through Telegram: reads the news, forwards posts to friends, looks for somewhere to go today. Suddenly Slava is added to an unfamiliar chat, where the organizer asks everyone to vote for him in a professional competition.

Intuition tells Slava that this is a scam, but he knows Igor, the owner of the chat, personally: a former colleague he met in Innopolis. He also knows several people in the chat from work. Slava has doubts, but still follows the link and votes for Igor.

Slava did not have time to take a screenshot of the correspondence, so we tried to restore the contents based on screenshots of other victims of a similar scheme


The vote has been counted. Nothing further happens, and Slava forgets about this incident.

Tuesday. Noon. Slava returns to his work laptop after lunch and sees the authorization window in Telegram.

Login screen in Telegram


“It’s strange, I didn’t log out of my account,” Slava thinks when he enters the phone number into the window. He waits for a confirmation code, but nothing comes. Already with growing anxiety, he opens Telegram on his phone and there he is greeted by the same screen.

Later, Slava will understand that on Saturday the scammers logged into his account from their own device and then quietly waited three days before “kicking” the owner out of all devices and taking over the account. But right now he is just trying to restore access.

Finally, Slava manages to log in, but for some reason only for about ten seconds before being thrown out again. After this repeats several times, Slava calls in colleagues from his company's security team.

At this point, Telegram begins to act against the user: the scammers’ session becomes trusted, and the session from which constant login attempts come becomes suspicious.

Eighteen hours after the hack was discovered, Slava and his colleagues manage to stay logged in for a full five minutes, which is enough to:

  • remove the attackers' email from the account settings;

  • link a backup email;

  • request a deactivation code;

  • deactivate the account and thereby terminate all sessions.

Slava lost hundreds of thousands of messages: personal correspondence, photographs, the channels he administered and much else that nobody would want to part with. Slava eventually registered again with the same phone number, but by then the old correspondence was already in the scammers' hands for good.

The company may also have been exposed: besides personal chats, the scammers learned the details of Slava's colleagues and managers and went through his saved and pinned messages. If login details or customer data had been stored anywhere in there, this could have ended in a breach of the organization.

Let's now look at the attack again in diagram form:

Scheme of account theft through voting for “colleagues” in Telegram


Fraudsters can reuse compromised accounts in the voting scheme indefinitely, while at the same time sending voice messages from them asking contacts for money and blackmailing the account owners.

It seems that Slava will never forget this Saturday


Some users from the chat were hacked using the same scheme with a three-day wait.

How another employee did not fall for the voice-message trick

Tester Pasha receives a message from his former colleague Kostya asking him to transfer 100,000 rubles to a phone number. The contact is not new and there is existing correspondence with him, but the situation is suspicious.

Pasha consults his colleagues and asks Kostya to confirm that it is really him; several short voice messages arrive in response. This does not convince Pasha, and he tries to call Kostya on Telegram, but the call is declined.

Kostya asks Pasha for money “for a couple of hours”


Pasha nevertheless copies the phone number Kostya wants the money sent to and enters it in his mobile banking app: an unfamiliar name comes up. Pasha decides to contact Kostya in another messenger and learns that Kostya's Telegram account has been hacked.

Other victims transferred a total of 300 thousand rubles, but not to the number specified in the chat, but to Kostya’s number known to them. Kostya returned the money.

How could Telegram protect its users from such attacks?

In the case of Slava and many other victims of account theft, it is clear that sometimes security settings in instant messengers can only make the work of scammers easier.

Here is a minimum set of things that Telegram developers could improve in the messenger’s security settings:

  • Rework the access and refresh token logic so that a freshly created attacker session is not treated as trusted over the owner's long-standing one. In Slava's case, the scammers waited quietly from Saturday until Tuesday because they knew that if they had started earlier, Slava would have recognized the intrusion and calmly blocked access. Many account-theft cases rely on this weakness; if it were eliminated, the victims' accounts could be saved.

  • Notify users about a new session not within Telegram, but via SMS or email. Slava may have received a notification about a new authorization, but the scammers could have immediately deleted this message. If Slava had found out about the login earlier, he would have managed to save the account.

  • Notify users about the importance of two-factor authentication (2FA). Almost a billion people use Telegram – given how often accounts are hijacked on Telegram, it makes sense to better communicate to users the importance of this setting.

  • Send newsletters about the latest fraud schemes. A short digest with a couple of tips can attract the attention of users and convince them to go into settings and protect their account.

There's a long wait for these updates, so let's take a look at what everyone can do to improve their account security right now.

How can I avoid falling for scammers on Telegram?

Kostya from the second case did not have a cloud password configured; he did not know about 2FA in principle. Slava knew about the safety rules, but decided to do a good deed for an old friend.

What conclusions can be drawn from their stories:

  • Do not enter personal information into third-party forms. In the voting story, Slava entered his phone number and the login code into the form; the scammers used that code to complete a Telegram login from their own device and so obtained a session (the access token) for his account. A “good deed” that requires codes or personal data from you is one to refuse.

  • Set up two-factor authentication. When someone logs in from a new device, Telegram also asks for the cloud password; if the fraudster does not know it and the password is strong enough, no one will get into the account.

  • Create a cloud password hint, but keep in mind that scammers will see it too, so make it meaningful only to you.
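The chain in the first point (phone number and login code typed into a "voting" form, then used from the scammers' own device) is easiest to see as a relay. Below is an added toy model written for this article, not code from the original page and not Telegram's real MTProto/SRP login flow: a constructed messenger backend that issues one-time codes and optionally demands a cloud password, and a fake voting page that forwards whatever the victim types into a real sign-in from the attacker's device. The phone number, password and device names are made-up sample values.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    phone: str
    device: str


class MessengerService:
    """Constructed stand-in for the messenger backend (not Telegram's real
    MTProto/SRP flow). It issues one-time login codes and, optionally,
    demands a cloud password before completing a login."""

    def __init__(self):
        self._pending = {}    # phone -> current one-time login code
        self._cloud_pw = {}   # phone -> cloud password, if 2FA is enabled
        self.sessions = []    # live sessions on every device

    def enable_2fa(self, phone, password):
        self._cloud_pw[phone] = password

    def send_code(self, phone):
        """Issue a login code. In reality it is delivered to the owner's
        phone or app; here it is returned so the scenario can hand it to
        the victim."""
        code = f"{secrets.randbelow(100000):05d}"
        self._pending[phone] = code
        return code

    def sign_in(self, phone, code, device, password=None):
        """Complete a login. The backend only sees phone, code, password
        and the calling device; it cannot tell whether the code was typed
        into the official app or relayed through a phishing form."""
        if self._pending.get(phone) != code:
            raise PermissionError("wrong or expired code")
        if phone in self._cloud_pw and self._cloud_pw[phone] != password:
            raise PermissionError("cloud password required")
        del self._pending[phone]
        session = Session(phone, device)
        self.sessions.append(session)
        return session


class FakeVotingPage:
    """Attacker-run 'vote for a colleague' form. It does no voting at all:
    it forwards whatever the victim types into a real sign-in request
    issued from the attacker's own device."""

    ATTACKER_DEVICE = "attacker-laptop"   # constructed name

    def __init__(self, service):
        self.service = service

    def submit(self, phone, code, password=None):
        return self.service.sign_in(phone, code, self.ATTACKER_DEVICE, password)


def run_scenario(victim_has_2fa, victim_types_password):
    """Play the scheme through and return the devices that hold a session
    afterwards. Phone number and password are constructed sample values."""
    svc = MessengerService()
    phone, cloud_pw = "+70000000000", "correct horse battery staple"
    if victim_has_2fa:
        svc.enable_2fa(phone, cloud_pw)
    page = FakeVotingPage(svc)
    # 1. The victim enters the phone number on the voting page; behind the
    #    scenes the page starts a genuine login, so the backend sends a real
    #    code to the victim's own phone.
    code_on_victims_phone = svc.send_code(phone)
    # 2. The victim reads that code and types it into the "voting" form
    #    (and, in the worst case, the cloud password too).
    try:
        page.submit(phone, code_on_victims_phone,
                    cloud_pw if victim_types_password else None)
    except PermissionError:
        pass   # relay blocked: the attacker never learned the cloud password
    return [s.device for s in svc.sessions]


if __name__ == "__main__":
    print("no 2FA:             ", run_scenario(False, False))
    print("2FA, code only:     ", run_scenario(True, False))
    print("2FA, password typed:", run_scenario(True, True))
```

The third scenario is the caveat to the 2FA advice above: the cloud password stops the relay only as long as it is never typed into the same third-party form, because a phishing page can simply ask for it as a "second step" and forward it too. The backend sees a perfectly valid login either way.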

Checklist for scam with fake professional voting

If it used to be popular to ask for votes in children's competitions, now scammers ask colleagues to vote for their adult peers. In genuine professional awards, nominees are judged by a jury and there is practically no public vote at all, but let's look at the specific signs of this scheme in Telegram.

Red flags of a professional competition in Telegram


  1. Unrelated group name. To make the groups hard to find by the keywords “voting” and “competition,” scammers give them neutral names: “Good evening,” “Good afternoon,” “Good morning.”

  2. Vague competition. Real competitions are usually run by large companies or professional organizations whose names appear in the competition title. Fraudsters choose generic names, often in English: “Digital Woman”, “Marketing and PR Specialist”, “The Best Project Manager”.

  3. Participants vote instantly. The scammers probably hack several accounts first and only then create the groups, so that the hijacked accounts can post that they have already voted and how easy it was, nudging everyone else to do the same.

An incomplete list of fraudulent sites with fake professional voting; as of April 2024 there were more than 400 of them (source: FACCT Cyber Security Center)

alliance-capital24[.]ru

alliance-happy[.]ru

alliance-happy24[.]ru

alliance-headway[.]ru

alliance-headway24[.]ru

alliance-luck[.]ru

alliance-luck24[.]ru

alliance-moscow24[.]ru

alliance-online24[.]ru

alliance-people[.]ru

alliance-people24[.]ru

alliance-russia24[.]ru

alliance-success[.]ru

alliance-success24[.]ru

bizxp[.]ru (until April 2018 it was linked to capital-alliance[.]ru)

capital-alliance[.]ru

capital-alliance24[.]ru

capital-happy[.]ru

capital-happy24[.]ru

happy-alliance[.]ru

happy-alliance24[.]ru

happy-capital[.]ru

happy-capital24[.]ru

happy-moscow24[.]ru

happy-online24[.]ru

happy-people24[.]ru

happy-russia24[.]ru

happy-world24[.]ru

headway-alliance[.]ru

headway-alliance24[.]ru

luck-alliance[.]ru

luck-alliance24[.]ru

moscow-alliance24[.]ru

moscow-happy[.]ru

moscow-happy24[.]ru

online-alliance[.]ru

online-alliance24[.]ru

online-happy[.]ru

online-happy24[.]ru

people-alliance[.]ru

people-happy24[.]ru

russia-alliance[.]ru

russia-alliance24[.]ru

russia-happy[.]ru

russia-happy24[.]ru

success-alliance[.]ru

success-alliance24[.]ru

world-happy24[.]ru
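To turn the red flags above and the domain list into something a SOC analyst or a chat-moderation bot can run over an incoming invite, here is an added example written for this article; it is not code from the original page or from FACCT. It refangs defanged indicators, pulls hostnames out of a message, matches them against a hard-coded subset of the listed domains, and additionally checks a naming pattern (two words from a small vocabulary joined by a hyphen, optional "24", zone .ru) that I inferred from the listed names; that pattern is an assumption and will also match names that are not on the list, so it is reported as a weaker signal than an exact hit. The sample invite at the bottom is constructed.

```python
import re
from urllib.parse import urlparse

# A handful of domains copied from the list above; in practice load the
# whole list (or a threat-intel feed) instead of hard-coding it.
LISTED_DOMAINS = {
    "alliance-happy.ru", "alliance-happy24.ru", "capital-alliance.ru",
    "happy-people24.ru", "success-alliance24.ru", "world-happy24.ru",
}

# Naming pattern inferred from the listed domains: two words from a small
# vocabulary joined by a hyphen, an optional "24", zone .ru. This is an
# assumption drawn from the list, not an official indicator, so a pattern
# hit is a weaker signal than an exact listed match.
_WORDS = "alliance|capital|happy|headway|luck|moscow|online|people|russia|success|world"
PATTERN = re.compile(rf"^(?:{_WORDS})-(?:{_WORDS})(?:24)?\.ru$")

# Group titles the article calls out as deliberately neutral.
NEUTRAL_TITLES = {"good morning", "good afternoon", "good evening"}

LURE_WORDS = re.compile(r"\b(?:vote|voting|competition|nominee)\b", re.I)

# Plain URLs plus bare or defanged hosts such as alliance-luck[.]ru.
_URL = re.compile(r"https?://\S+|(?:[\w-]+(?:\[\.\]|\.))+[a-z]{2,}(?:/\S*)?", re.I)


def refang(text):
    """Undo the usual defanging so an indicator can be compared as a host."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def extract_hosts(text):
    """Return lowercase hostnames of every link-like token in a message."""
    hosts = []
    for match in _URL.finditer(text):
        raw = refang(match.group(0))
        if "://" not in raw:
            raw = "http://" + raw
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def classify_host(host):
    """'listed' for an exact blocklist hit, 'pattern' for the naming
    heuristic, None otherwise."""
    if host in LISTED_DOMAINS:
        return "listed"
    if PATTERN.match(host):
        return "pattern"
    return None


def check_invite(title, text):
    """Collect the red flags of a chat invite: neutral title, a request to
    vote, and links to listed or pattern-matching voting domains."""
    flags = []
    if title.strip().lower() in NEUTRAL_TITLES:
        flags.append(f"neutral group title: {title!r}")
    if LURE_WORDS.search(text):
        flags.append("asks for a vote")
    for host in extract_hosts(text):
        kind = classify_host(host)
        if kind:
            flags.append(f"{kind} voting domain: {host}")
    return flags


# Constructed sample invite, modelled on the scheme described in the article.
SAMPLE_TITLE = "Good evening"
SAMPLE_TEXT = ("Friends, please vote for me in the Best Project Manager "
               "competition: https://alliance-happy24.ru/vote?id=17 "
               "It takes 10 seconds!")

if __name__ == "__main__":
    for flag in check_invite(SAMPLE_TITLE, SAMPLE_TEXT):
        print("-", flag)
```

A message that trips all three checks is a strong candidate for a warning to the recipient, while a lone "pattern" hit on an otherwise normal message deserves a look rather than an automatic block, since the vocabulary heuristic is guesswork on my part and the scammers can register new names at any time.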

Why both an accountant and an advanced developer may find themselves in the victim's place

It seems that if a person is used to working with code, knows the structure of infrastructures and, in general, is constantly versed in IT topics, then he will be better able to cope with an attack than an ordinary employee. In fact, anyone can trust a scammer, regardless of their position, if they do not undergo regular training in safe work skills.

Emotions force people of any profession and with experience in IT and information security to react to phishing


Phishing is based on emotions—psychological triggers that turn off a person’s critical thinking. In the case of voting, the victim is pressured to help, and messages from other participants act as social proof. If the fictitious accountant Nina Ivanovna knew about this scheme and went through a simulated attack, then she would have coped with a real attack better than Slava, who is seasoned in IT. With each new attack pattern, it becomes more difficult to create a profile of a typical hacker's victim.

What does the CISO of a financial institution think about all this?

It seems that the security of modern financial institutions comes down to DevSecOps and secure storage of client data. Companies with large development teams and a focus on microservice architecture really focus heavily on secure development. Now DevSecOps is the same trend as Security Awareness was ten years ago.

At the same time, personal safe work skills do not lose relevance – they still remain a large part of the company's “security package”.

We had a case where attackers dropped a miner onto a virtual machine after cracking the system password; the administrator sincerely believed that nine characters were enough for a complex password.

There were also employees who followed every link and pressed every button, counting on the antivirus.

Fortunately, in our case, the scammers were not able to hack the company through the IT specialist’s messenger account. It seems that account hijacking attacks are a pain for ordinary users, but anyone can be in their place. Even an IT-savvy person could not cope with a simple attack on Telegram.

It is possible and necessary to protect work correspondence by introducing corporate instant messengers, but do not expect that all employees will suddenly stop communicating in their favorite Telega.

Train employees to act safely where scammers are out there right now. Most training on the Security Awareness market is focused on simulated email attacks, but it is obvious to information security specialists that the arsenal of vectors needs to be expanded. Look for solutions that teach employees how to repel attacks and communicate safely on both Telegram and WhatsApp.

Conclusion

People are still the main attack vector. Hijacking one employee's Telegram account does not look like a problem, until that employee turns out to be a top manager or an IT specialist with administrative access to all systems.

Without the particular skill of observation that switches off emotion and switches on suspicion, anyone can end up trusting a scammer.

The Start AWR platform will help you work proactively with the human factor and train employees on all current attack vectors.

For example, in a course on working securely with instant messengers, we teach employees to recognize phishing messages, set cloud passwords, interrupt sessions, and do what we talked about in this article. You can assign this course to all employees on a free pilot.

Protect your employees with Start AWR
