Warning Against Smishing Campaign for Exfiltration of Korean Telegram Accounts


In 2024, approximately 3 million Korean users use Telegram. Because so many people use the app, threat actors are attempting to exfiltrate Telegram accounts.

AhnLab’s Mobile Analysis department introduces a smishing campaign, active since 2023, that is one of the methods used to exfiltrate Telegram accounts.

Figure 1. Smishing message stating that the user has violated Telegram’s terms of service

Figure 1 shows a message from the August 2024 campaign: a phishing message sent by the threat actor that falsely claims ‘You have violated the Telegram’s terms of service. Use the following link to re-login.’

Upon clicking the link in the message, the user is redirected to a website that looks similar to the actual Telegram website. To make the website’s domain resemble the real one, it is named ‘taiegram’ (see Figure 2).

 

Figure 2. Official Telegram website (left) and phishing website (right)
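
A defender-side check for the lookalike naming described above, as an added example that is not AhnLab's code: it extracts links from an SMS body and flags any host outside Telegram's own domains that has a label within a small edit distance of 'telegram'. The allow-list, the distance threshold, the character folding and the `.example` sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

BRAND = "telegram"
# Assumption: allow-list of genuine Telegram domains; extend for your environment.
OFFICIAL = {"telegram.org", "t.me", "telegram.me"}
MAX_DISTANCE = 2  # assumed threshold: 'taiegram' is two substitutions from 'telegram'
# Fold characters often swapped for look-alikes before comparing.
FOLD = str.maketrans({"1": "l", "i": "l", "0": "o", "3": "e"})
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_official(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def brand_token(host: str):
    """Return the host token that imitates (or reuses) BRAND, else None."""
    for token in re.split(r"[.\-]", host):
        raw = edit_distance(token, BRAND)
        folded = edit_distance(token.translate(FOLD), BRAND.translate(FOLD))
        if min(raw, folded) <= MAX_DISTANCE:
            return token
    return None

def scan_sms(text: str):
    """Return (url, host, token) for each link whose host mimics the brand off-domain."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if host and not is_official(host):
            token = brand_token(host)
            if token:
                findings.append((url, host, token))
    return findings

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    "You have violated the terms of service. Re-login: https://www.taiegram.example/login",
    "Get the app at https://telegram.org/apps or https://t.me/telegram",
    "Security risk detected, verify now: http://telegram-verify.example/",
]
if __name__ == "__main__":
    for sms in SAMPLES:
        print(scan_sms(sms))
```

Links without an `http://` or `https://` scheme are not matched by this pattern, so a production filter would need a broader URL extractor.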

The phishing website asks the user to enter their country and cellphone number. Once this information is entered, a login code is automatically sent through the installed Telegram app. The website then asks the user to enter this login code.

Figure 3. Login code sent by the Telegram app (left) and the phishing website page (right)

 

When the user enters the login code, this information is sent to the threat actor. The Telegram account is thus exfiltrated by the threat actor, which may lead to secondary damage such as leakage of personal information and chat history.

Besides ‘violation of terms of use’, the smishing messages use various phrases such as ‘security risk’, ‘account re-authentication required’, and ‘update required’ to prompt users to access the phishing websites. Users must therefore be aware of these smishing cases to avoid damage, and must take particular care by enabling two-factor authentication within Telegram.