Telegram’s ease of use and encrypted chat groups make it a safe haven for amateur cybercriminals. Cybersecurity researchers at vpnMentor have published a new report looking at how the secure messaging app Telegram has become a home for hackers to trade stolen data and tips on how to exploit it.
Ease of use — In the report, vpnMentor highlights caches of stolen website data it found by combing through hacker groups on the platform. The group says that Telegram chat groups sometimes feature thousands of members sharing such data.
The rise of Telegram as a hacker’s paradise can be attributed in part to its ease of use and anonymous nature. The company promotes the encryption of chats and the ability to self-destruct messages after a brief period of time. Users can also share files directly in the app, rather than using some other hosting provider that could shut them down. Together, these features make it an ideal place for even inexperienced code monkeys to drop stolen data.
Companies like Facebook have promoted private messaging and groups as a solution to the toxicity of feeds, but messaging apps like Telegram and Facebook’s own WhatsApp similarly allow harmful content to spread — except in semi-private communities that are harder to police.
Casual hacking — The “dark web”, as it’s called, has historically been the home of hackers because special technology masks a user’s IP address and makes it difficult to track them down. But getting onto that part of the internet is complicated and unintuitive.
vpnMentor fears that the rise of open, casual hacking discussions on Telegram could grow the pool of people who become interested in cybercrime — a rising threat in the United States that has caused major disruptions to serious infrastructure, such as gas shortages caused on the East Coast after hackers attacked a pipeline and demanded a bitcoin ransom.
vpnMentor advises that Telegram do more to crack down on such hacking groups. And it warns users that Telegram’s corporate leaders have not been transparent about what type of data they collect from users — so, share your illicit activities at your own risk.
Telegram is one of the most used messaging apps out there. There are around 200M users using its service. Telegram promotes itself as a private service, and as being very secure. If you go to their webpage, you will see the following.
But one aspect of how it designed its login process has been used by hackers to steal the data of politicians around the world. It is serving as a way to uncover political corruption, as well as a political tool.
The most recent scandal just happened in Puerto Rico. Governor Ricardo Rosselló resigned after his Telegram account was hacked, and a corruption scandal related to federal funds for hurricane relief, as well as messages with profanity, were released to the public:
These are some of the leaked chat messages at the center of Puerto Rico’s political crisis
Puerto Rico’s embattled Gov. Ricardo Rosselló is rejecting calls to step down after the leaks of hundreds of derisive…
The same hack happened in Brazil with top officials. Chats of the Secretary of Justice were released, and thousands of Telegram accounts seem to have been compromised:
Telegram voicemail hack used against Brazil’s president, ministers | ZDNet
Four suspects have been arrested in Brazil this week for hacking into over 1,000 Telegram accounts, including some…
The problem is that Telegram’s system allows users to sign in with only a code that is sent via text message. Hackers are exploiting this vulnerability by spoofing other users’ phone numbers.
Hackers might get a SIM card with the victim’s number, but that is easy to track and makes it hard to get access to many accounts. A new technique allowed Brazilian hackers to access thousands of accounts without going to a carrier.
Let’s check how they did it. Looking at their testimony (in Portuguese), we can see that they got access to the users’ accounts by spoofing victims’ voicemail using a service called BRVoz.
First, they figured out how to spoof someone’s voicemail. Voicemail security is extremely weak. If no PIN code is set on a voicemail box, it is easy to get directly into it. Voicemail prompts can also be accessed via caller ID spoofing. With the advent of caller ID, many voicemail systems have been created that simply check the number calling in and base authentication on that match. Caller ID spoofing services like Spoofcard.com allow people to make it appear that their phone number is the same as the digits they are dialing, making it extremely easy to access someone else’s voicemail.
Even if you set up a PIN code, the code is usually only 4 digits long, meaning that an attacker can brute force the PIN code with only 10,000 tries.
With access to the victim’s voicemail, the attacker just needs Telegram’s code to be delivered there. If the phone is offline at a given moment, Telegram will send the code to the victim’s voicemail. Hackers can check if the victim’s phone is offline by sending silent SMS.
An attacker can also make the phone unavailable by flooding it with a ton of silent SMS (an SMS flooding attack).
The following video shows how the attack happens, step by step:
[Video: Step by step how the attack happens]
One of the biggest personalities in Brazil had his Telegram account hacked as well. In a tweet, he revealed that he got a call from his own number, meaning that the attackers spoofed his number to get access to his voicemail. That confirms that hackers were getting access to users’ accounts by spoofing their voicemail.
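The traces this attack leaves (a mailbox opened on caller ID alone, a login code left in voicemail shortly before, repeated PIN failures) can be checked on the voicemail platform's side. The following is an added example, not part of the original article: the log layout, event names, thresholds and phone numbers are assumptions, and the records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events; the field layout is an assumption, not a real carrier format:
# timestamp  mailbox  event  presented_caller_id  auth_result
SAMPLE_LOG = """\
2019-07-20T03:10:05 +5500000000001 code_left_in_voicemail - -
2019-07-20T03:12:40 +5500000000001 voicemail_access +5500000000001 callerid_only
2019-07-20T09:00:00 +5500000000002 voicemail_access +5500000000002 pin_ok
2019-07-20T11:00:01 +5500000000003 voicemail_access +5500000000009 pin_fail
2019-07-20T11:00:09 +5500000000003 voicemail_access +5500000000009 pin_fail
2019-07-20T11:00:17 +5500000000003 voicemail_access +5500000000009 pin_fail
2019-07-20T11:00:25 +5500000000003 voicemail_access +5500000000009 pin_fail
2019-07-20T11:00:33 +5500000000003 voicemail_access +5500000000009 pin_fail
"""

CODE_WINDOW = timedelta(minutes=15)  # how long a code left in voicemail matters
PIN_WINDOW = timedelta(minutes=10)   # sliding window for counting PIN failures
PIN_FAIL_LIMIT = 5                   # a 4-digit PIN has only 10,000 values

def detect(log_text):
    """Return a sorted list of (mailbox, alert_name) tuples."""
    alerts = set()
    code_left = {}                   # mailbox -> time a login code was left
    pin_fails = defaultdict(list)    # mailbox -> recent failure times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, mailbox, event, caller, auth = line.split()
        when = datetime.fromisoformat(ts)
        if event == "code_left_in_voicemail":
            code_left[mailbox] = when
        elif event == "voicemail_access":
            if auth == "callerid_only" and caller == mailbox:
                # Mailbox opened with no PIN, trusting the presented number.
                alerts.add((mailbox, "callerid_only_access"))
                left = code_left.get(mailbox)
                if left is not None and when - left <= CODE_WINDOW:
                    alerts.add((mailbox, "callerid_access_after_code_left"))
            elif auth == "pin_fail":
                recent = [t for t in pin_fails[mailbox] if when - t <= PIN_WINDOW]
                recent.append(when)
                pin_fails[mailbox] = recent
                if len(recent) >= PIN_FAIL_LIMIT:
                    alerts.add((mailbox, "pin_guessing"))
    return sorted(alerts)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The `callerid_only_access` alert doubles as a configuration finding: any mailbox that produces it accepts the presented number as its only authentication.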
It is surprising that not many other accounts have been compromised, but if Telegram won’t fix this issue, hacks will keep happening. If you are a Telegram user, I strongly recommend setting up 2FA.
UPDATE (July 30): Telegram contacted me to inform me that as of recently it is only possible to request a code via call if your account is protected with two-step verification and cannot be accessed without knowing an extra password. For more information visit: https://telegram.org/faq#getting-a-code-via-a-phone-call