Telegram Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/telegram/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Fri, 06 Oct 2023 05:08:48 +0000 en-US hourly 1 https://wordpress.org/?v=68225 200474804 Spyware in Fake Telegram Apps Infected Over 10 million Users https://gridinsoft.com/blogs/fake-telegram-apps-spyware/ https://gridinsoft.com/blogs/fake-telegram-apps-spyware/#respond Tue, 12 Sep 2023 14:12:15 +0000 https://gridinsoft.com/blogs/?p=16863 It is important to exercise caution when using messenger mods. There have been reports of spyware disguised as modified versions of Telegram on the Google Play Store. This malware designed to extract sensitive information from compromised Android devices. Despite these risks, many users still blindly trust any app verified and published on Google Play. We… Continue reading Spyware in Fake Telegram Apps Infected Over 10 million Users

The post Spyware in Fake Telegram Apps Infected Over 10 million Users appeared first on Gridinsoft Blog.

]]>
It is important to exercise caution when using messenger mods. There have been reports of spyware disguised as modified versions of Telegram on the Google Play Store. This malware designed to extract sensitive information from compromised Android devices. Despite these risks, many users still blindly trust any app verified and published on Google Play. We have repeatedly warned about the dangers of downloading apps from Google Play. It could result in inadvertently downloading a Trojan, a backdoor, a malicious subscriber, and other harmful software.

Trojanized Telegram Clients Spread on Google Play

Telegram’s Play Store version is identified with the package name "org.telegram.messenger," while the direct APK file downloaded from Telegram’s website is associated with the package name "org.telegram.messenger.web". Malicious packages named “wab,” “wcb,” and “wob” were used by threat actors to trick users into downloading fake Telegram apps. Despite looking like the authentic Telegram app with a localized interface, infected versions contained an additional module. That was missed by Google Play moderators. A few days ago, experts revealed that a malware campaign called BadBazaar was using such rogue Telegram clients to gather chat backups.

Examples of fake Telegram apps:

Security experts have recently discovered a number of malicious apps on Google Play that claim to be versions of Telegram in Uyghur, Simplified Chinese, and Traditional Chinese languages. These apps have descriptions written in their respective languages and contain images that are very similar to the official Telegram page on Google Play, making it difficult to distinguish them from the genuine app.

The devs of these fake apps promote them as a faster version of a regular client, citing a distributed network of data centers worldwide. They use this as bait to persuade users to download the mods instead of the official Telegram app.

Examples of fake Telegram apps
Simplified Chinese, Traditional Chinese, and Uyghur versions of Telegram on Google Play with spyware inside

How dangerous are fake Telegram apps?

Millions of users have downloaded apps that were found to have malicious features. Among other things, malicious copies have functionality to capture and transmit sensitive information such as names, user IDs, contacts, phone numbers and chat messages to a server controlled by an unknown actor. Experts who discovered this activity have codenamed it Evil Telegram. Google has since taken down these apps from its platform.

Nonetheless, the poor app moderation problem in Google Play has persisted for almost a decade. You can upload literally whatever you want – even malware – and it may be deleted only after numerous reports saying it is malicious. And there’s still no guarantee that the reports will be processed in a suitable time; some rogue apps remain in GP for months. For that reason, the threat will most probably resurface later, especially considering the growing popularity of Telegram.

How to stay safe?

Here are some important tips to keep yourself safe from infected versions of popular messaging apps and other threats that target Android users:

  • As I’ve just said, Google Play isn’t completely immune to malware attacks. However, it’s still a much safer option than other sources, so always download and install apps from official stores.
  • Before installing any app, even from official stores, please take a closer look at its page and ensure it’s legitimate. Pay attention to the app’s name and developer. Cybercriminals frequently apply typosquatting or spoofing in order to spread their malware.
  • Reading negative user reviews is a good way to identify potential issues with an app. If there’s a problem with an app, someone has likely already written about it. Also try searching for reviews on the web. There are plenty of sites where you can leave your feedback without any censorship from the developer or Google. Using several independent sources will give a more clear view.

The post Spyware in Fake Telegram Apps Infected Over 10 million Users appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fake-telegram-apps-spyware/feed/ 0 16863
Legion Hacker Tool Used to Steal Data from Poorly Protected Websites https://gridinsoft.com/blogs/legion-hacker-tool/ https://gridinsoft.com/blogs/legion-hacker-tool/#respond Wed, 19 Apr 2023 09:37:11 +0000 https://gridinsoft.com/blogs/?p=14289 Experts have discovered a Python-based Legion hacking tool that is sold via Telegram and is used as a way to hack into various online services for further exploitation. Let me remind you that we also wrote that Microsoft Told How To Detect The Installation Of The BlackLotus UEFI Bootkit, and also that Experts discovered ESPecter… Continue reading Legion Hacker Tool Used to Steal Data from Poorly Protected Websites

The post Legion Hacker Tool Used to Steal Data from Poorly Protected Websites appeared first on Gridinsoft Blog.

]]>
Experts have discovered a Python-based Legion hacking tool that is sold via Telegram and is used as a way to hack into various online services for further exploitation.

Let me remind you that we also wrote that Microsoft Told How To Detect The Installation Of The BlackLotus UEFI Bootkit, and also that Experts discovered ESPecter UEFI bootkit used for espionage.

Attacks with Legion Hacker Tool

According to Cado Labs researchers, the Legion malware has modules for enumerating vulnerable SMTP servers, conducting remote code execution (RCE) attacks, exploiting unpatched versions of Apache, brute force cPanel and WebHost Manager (WHM) accounts, as well as interacting with the Shodan API and abusing AWS services.

The researchers say the malware shares similarities with another malware family, AndroxGh0st, which was first discovered by cloud security provider Lacework in December 2022.

Last month, SentinelOne published an analysis of AndroxGh0st, which showed that the malware is part of the AlienFox toolkit, which is offered to criminals to steal API keys and secrets from cloud services.

Legion appears to be part of a new generation of cloud credential harvesting and spam utilities. The developers of these tools often steal code from each other, making attribution difficult.experts

In addition to using Telegram to extract data, Legion is designed to hack web servers with CMS, PHP, or PHP-based frameworks such as Laravel.

It is capable of obtaining credentials for a wide range of web services such as email providers, cloud providers, server management systems, databases, and payment platforms, including Stripe and PayPal.Cado Labs' report.

Other targeted services include SendGrid, Twilio, Nexmo, AWS, Mailgun, Plivo, ClickSend, Mandrill, Mailjet, MessageBird, Vonage, Exotel, OneSignal, Clickatell, and TokBox.

Legion hacker tool
Services being attacked by Legion

In addition, Legion extracts AWS credentials from insecure or misconfigured web servers and sends spam SMS to users of US operators, including AT&T, Sprint, T-Mobile, Verizon, and Virgin.

What’s the matter?

The main goal of the malware is to use the infrastructure of hijacked services for subsequent attacks, including bulk spam mailings and opportunistic phishing campaigns.

The researchers also discovered a YouTube channel (created June 15, 2021) containing tutorial videos on Legion. Experts conclude that “the tool is widespread and most likely is paid malware.”

Legion hacker tool
“Educational videos” published by the hacker

The location of the creator of this tool, who uses the Telegram nickname forzatools, remains unknown, although the presence of comments in Indonesian in the code indicates that the developer may be Indonesian or located in that country.

The post Legion Hacker Tool Used to Steal Data from Poorly Protected Websites appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/legion-hacker-tool/feed/ 0 14289
Attention! Top 11 Latest Telegram App Scams to Watch Out For https://gridinsoft.com/blogs/top-11-latest-telegram-scams/ https://gridinsoft.com/blogs/top-11-latest-telegram-scams/#comments Mon, 12 Sep 2022 18:59:02 +0000 https://gridinsoft.com/blogs/?p=10487 With more than 550 million active users, Telegram is one of the most popular messengers in the world. However, its popularity and high level of security have also made it a favorite among hackers and scammers. Scammers use social engineering tactics to get you to reveal personal information (PII) such as your credit card number,… Continue reading Attention! Top 11 Latest Telegram App Scams to Watch Out For

The post Attention! Top 11 Latest Telegram App Scams to Watch Out For appeared first on Gridinsoft Blog.

]]>
With more than 550 million active users, Telegram is one of the most popular messengers in the world. However, its popularity and high level of security have also made it a favorite among hackers and scammers. Scammers use social engineering tactics to get you to reveal personal information (PII) such as your credit card number, social security number (SSN), or two-factor authentication codes (2FA) for cryptocurrency and social media accounts. So, what are the most common Telegram scams to watch out for? And how do you distinguish a Telegram imposter from a legitimate friend or contact?

What are Telegram Scams?

Telegram scams are schemes that either operate within the Telegram app itself or lure users from the app to a dangerous third-party site. Scammers flock to Telegram because of its popularity and ease of use. All you need to sign up is a phone number. Scams range from traditional phishing schemes to sophisticated bot attacks masquerading as legitimate customer service agents. Here are examples of the most common methods of fraud in Telegram:

  • Phishing attacks. A Telegram user is posing as someone the victim would trust (such as a friend, colleague, or support agent) to trick the victim into revealing their personal information.
  • Off-Platform Fraud. Someone sends the victim a link or asks them to go from the Telegram platform to a “safer site”. Cybercriminals could use this site to steal your personal information or even infect your device with malware.
  • An attack through a Telegram bot. Because Telegram allows users to create bot accounts, many fraudsters use them to target vulnerable legitimate accounts. In 2020, the resource administration blocked about 350,000 accounts of bots due to their use by fraudsters and criminals.
  • Crypto fraud. Telegram has become a popular platform for people interested in cryptocurrencies and blockchain. Many cybercriminals target Telegram users. They aim to access their cryptocurrency wallets and transfer their bitcoins (BTC), Ethereum, and other coins to themselves.

Attention! Top 11 Latest Telegram App Scams to Watch Out For

These are just a few examples of high-level scams that users can find on Telegram. Unfortunately, scammers are finding new ways to commit fraud and steal personal information from unsuspecting Telegram users. Next, we’ll look at the Telegram scam methods you should be wary of.

Fake Telegram channels and groups

Telegram channels and groups are places where many like-minded people can get together and discuss topics that interest them. However, scammers often create “copycat” versions of popular channels to lure victims with false ones. These channels will look just like the ones they know. They may have similar names and profile images, the same anchored posts, and administrators with usernames identical to legitimate ones. You can also see much activity from “users” – actively chattering about promotions, quick-enrichment schemes, or supposed free prizes promoted by the channel. (Most of these channels target cryptocurrency investors with instant token sales before launching.) However, other users or administrators will soon start contacting the potential victim to get them to click the link or provide personal information, which they can use to steal identities or hack the account.

Attention! Top 11 Latest Telegram App Scams to Watch Out For
Some bands can be as similar to the original as possible.

How to spot the scam

If you have been added (or joined) a new Telegram group, check if you can send messages. If there is no such option, this is a “broadcast-only” channel. This means that only administrators can post messages.

What to do:

  • Report impostors or dangerous channels.
  • Change your privacy settings to prevent everyone from adding you to new groups and channels.

“Crypto Expert” scams

Telegram is probably the most popular messaging platform for people who are into cryptocurrencies and blockchain. But clever scammers have taken advantage of this fact and started posing as crypto experts on Telegram to lure coins, money, or logins from victims. Most of these scams promise a “guaranteed” return on your cryptocurrency investment. Scammers will post replies to comments on Twitter or contact the victim directly on Telegram, claiming they can provide a 50 percent return on investment. If the victim wants to connect, the scammers will ask to open an account at their “special” crypto exchange. They will also show charts and graphs demonstrating that the investment is increasing. However, when the victim tries to get their “earnings,” the scammer will disappear.

A man once sent $50 in bitcoins to exchange and soon made a $30 profit. He then told his friends, whom all invested their savings in the scam. But when his friends sent all the money in, the fake broker disappeared along with all the money.

How to spot the scam:

The FBI estimates that about 25,000 people were victims of cryptocurrency fraud last year and lost nearly $1 billion. Suppose someone promises a “guaranteed” income or claims access to a “special” cryptocurrency exchange. In that case, these are all clear signs of Telegram cryptocurrency investment fraud.

What to do:

  • Ignore anyone who claims a “guaranteed” return on any investment, especially cryptocurrency.
  • Do not invest in “special” cryptocurrency exchanges, as they are often counterfeited.
  • Never send money, cryptocurrency, or account information to someone you have only communicated with on Telegram or other messaging platforms such as Whatsapp.

Phishing with Telegram bots

Since Telegram allows ordinary users to create and use bots on the platform, scammers couldn’t help but take advantage of it. Telegram bots operate natural language processing and AI to engage in realistic conversations, making it difficult to tell if you are being scammed. In one such scam, hackers used the SMSRanger bot to impersonate representatives of banks and companies like Apple Pay, Google Pay, and PayPal. Forums claim that such bots are about 80% effective if the user answers the call. Worse, anyone can access these bots for only $300 a month.

Attention! Top 11 Latest Telegram App Scams to Watch Out For
One of the thousands of bots that supposedly offer earnings

How to spot the scam:

Telegram bot scams show typical signs of phishing:

  • Sense of urgency.
  • Fake or strange phone numbers
  • Grammatical and spelling errors
  • Requests for confidential information

What to do:

Suppose you receive a phone call from somebody claiming to be from your bank, hang up and call the bank back using their official number. Likewise, scammers can spoof or disguise their number to make it look like it’s coming from someone else.

Remember: The company will never contact you via Telegram or any third-party messaging platform.

Tech support scams

Sometimes scammers create accounts that mimic legitimate support agents. They use bots to scan groups and channels for keywords and phrases and then contact victims claiming to be from the company. Along the way, they will start asking the victim for confidential information or demanding that they pay for “premium” support. Such accounts may contain realistic names (e.g., “Coinbase Support Chat”). They may even ask to manage your laptop to “fix” the problem remotely.

How to spot the scam:

If you are dealing with problems with a company or account, always contact them directly through official channels. Be wary of any account that contacts you first and offers support. Likewise, avoid those who charge for “premium” support or make you pay to “upgrade” your account. These are scammers.

What to do:

  • Pay attention to the account’s username to see if it matches its displayed name.
  • Block and report all suspicious accounts to both Telegram and the impersonator company.

Cryptocurrency giveaways

Free prizes, sweepstakes, and raffles are some of the oldest types of scams. In these scams, a bot or user pretends to offer gifts from well-known companies (such as Amazon, Apple, or Venmo ) or cryptocurrency exchanges. However, to receive a prize, you must provide your banking information and personal details and pay a “commission”. Once you give the scammers what they want, they disappear.

Attention! Top 11 Latest Telegram App Scams to Watch Out For
Old as the world, the scheme in which you have to pay a small part to get the prize

How to spot the scam:

Although some companies run raffles and almost all require you to take some initial action, it’s likely that the raffle is a scam if you haven’t participated in any raffles. In such cases, it is best to contact the company directly to see if the drawing is genuine or not.

What to do:

  • Never pay a “commission” to claim a prize, especially if you are asked to pay in cryptocurrency or through payment applications such as Zelle, Venmo, or Cash App.
  • Block any accounts that contact you and claim to be offering a prize.

Fake admin accounts

Each Telegram username is unique. This prevents the scammer from exactly copying a pre-existing username. However, to pull off their dirty business, scammers create usernames that look similarly to the original. Such accounts can also contact the victim to “help” them after they ask a general question. In reality, scammers try to gain access to the account or lure the victim off the platform, where they can scam them with a phishing site.

How to spot the scam:

Pay attention to the account name and misspellings or permutations of letters in the name, especially if the username and display name don’t match. For example, “TichSupport” instead of “TechSupport”, or fake “BitgetToken” instead of “bitgetEN”. In some cases, the username may be hidden. Also, be careful of users who send you private messages rather than posting them publicly in a group. Private messages are a favorite tool of Telegram scammers, as these messages make it difficult to verify whom you’re communicating with.

What to do if you encounter Telegram scammers:

  • Never share personal information or passwords in a direct message.
  • Search the group to find messages from the user who contacted you. If nothing comes up, you’re probably dealing with a scammer.
  • Report fraudulent accounts to both Telegram and the company you asked the question to.

Fake classified ad scams

The “Classiscam” scheme is a Telegram bot scam that lured $6.5 million from victims. Criminals create fake listings for products such as laptops, cameras, and iOS devices on topical sites. The ad will ask the victim to contact Telegram to discuss the deal. However, when the victim sends them a message, there will be a connection to a bot designed to steal personal information.
Alternatively, the Telegram scammers contact directly on Telegram and then send the victim a link to their list. When the victim clicks on it, they will be taken to a page that looks almost identical to a page on Facebook Marketplace, Craigslist, or other sites. To complete the sale, the victim will be asked for personal information, including home address and credit card information.

How to spot the scam:

Look for red flags of scams in online sales, suspiciously low prices, and sellers who refuse to meet in person or ask you to talk to them via Telegram. Look out for odd design details, spelling or grammatical errors, or an “unsecured” URL if you get to a site to make a sale. (A secure URL uses ” HTTPS,” and an unprotected one uses ” HTTP “)

What to do:

  • Always try to review items in person or verify sellers before sending them payments or any information.
  • Use only payment platforms that protect your money, such as PayPal or credit cards. Then, if you’ve been scammed, you’ll have a better chance of getting your lost money back through these payment methods.

“Pump and dump” crypto channels

In this scam, the Telegram channel owners try to manipulate the price of cryptocurrency with a large group of participants. The administrators claim to have “special” knowledge; they are trying to increase the value of an asset they own and then sell it before it collapses. Sometimes administrators charge a fee for VIP membership, which doubly hits their victims.

Attention! Top 11 Latest Telegram App Scams to Watch Out For
Another group that will “make you a billionaire” if you buy a premium subscription.

How to spot the scam:

Many of these fraudulent Telegram channels call themselves “signaling groups,” one common sign of a scam is a sense of urgency. These groups often try to get you to act quickly without thinking and cause you to fear that you might miss out on a great opportunity. Remember the golden rule: If something seems too good to be true, it probably is.

What to do:

  • Don’t be fooled by a sense of urgency. Always do your due diligence before investing.
  • Look up the history of this group. How successful have they been in predicting price increases in the past?

Fake job and offers over Telegram

Job scams are widespread on professional platforms such as LinkedIn; many use Telegram as one of their elements. Fake employers post lists of tempting jobs with high salaries and flexible work schedules. Their only requirement is that the victim adds “Hiring Manager” to Telegram. Once she contacts the manager, they will try to get the victim to provide confidential information or ask for payment for training materials.

How to spot the scam:

Almost all fake job scams follow the same formula. “Employer” will offer too perfect terms and demand that you contact him via Telegram for an interview. These fake scammers will ask for more information (like your SSN), which is also required for a legitimate job application. They may also ask you to pay for the training materials with your own money or a check they send you. Either way, you will never get a refund, or the review will be wrong.

What to do:

Look for signs that the job is a scam. This may include a short interview or no paperwork when the recruiter says you are “hired.”
Do not give recruiters personal or confidential information until you have seen the official contract and met with them in person.

“Friend in need” scams

In this scam, scammers gather enough information about the victim’s friends or family, then approach and ask for financial help. For example, they may tell you that they have been in a car accident and need your use paying medical bills.

How to spot the scam:

Listen to the language they use. Does it sound like your friend? Are they misusing words or constructing sentences awkwardly? Also, could you pay attention to their sense of urgency? For example, would your friend ask you for this favor without context or explanation?

What to do:

  • If you can, call this person by phone or another communication channel, and find out if this is true.
  • If there is no way to call, ask questions that only a natural person would answer, such as details about recent collaborations (and that you didn’t write about online).
  • If you confirm it’s a scammer, immediately block and notify the account owner of account hacking.
  • Let your friends know so they won’t be targeted next time.

Telegram romance scams

Sometimes scammers engage in an online romance with a victim to gain trust. On Telegram, this often focuses on liaisons or sexual content. Many scammers will ask for gifts or money to cover expenses to come to the victim. A Reddit user once described chatting with a woman on Telegram who said she couldn’t meet because she needed to babysit. She requested a Steam gift card to be sent so her kids could be distracted (gift cards are often requested during scams because they are another form of currency that cannot be traced). Otherwise, scammers may ask the victim to send them photos or videos of a sexual nature, which they can then use to blackmail her.

How to spot a scam:

The caller can never meet in person, and he will always have excuses that prevent him from even making a video call. Instead, he will try to make the relationship more intimate as quickly as possible by sending sensitive photos (which are usually stolen from other accounts). However, the most important way to spot a scammer is when he asks for money.

What to do:

  • Never, under any circumstances, send money to people you’ve only met on Telegram, regardless of what they tell you to do.
  • Don’t give out too much personal information at once. Even simple questions about your family or work can be used to hack your accounts or brute force your passwords.

How To Prevent Telegram Scams

  • Be as vigilant as possible of all links, even if your friend sent them.
  • Configure your privacy settings. Once you create your Telegram account, ensure end-to-end encryption is enabled. Include a password or fingerprint ID and add two-step authentication (2FA) for extra security.
Attention! Top 11 Latest Telegram App Scams to Watch Out For
Optimal privacy settings
  • Never share your login credentials. Don’t trust threatening messages purporting to come from Telegram, cryptocurrencies, banks, or any other websites that store your personal information.
  • Update the phone number associated with your account. This will help confirm that your account belongs to you if you lose access.

The post Attention! Top 11 Latest Telegram App Scams to Watch Out For appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/top-11-latest-telegram-scams/feed/ 3 10487
Unlocking the Secrets of Messaging Apps: An In-Depth FBI Study Guide on Accessible Data for Law Enforcement https://gridinsoft.com/blogs/fbi-study-guide-showed-what-data-officers-can-get-from-messengers/ https://gridinsoft.com/blogs/fbi-study-guide-showed-what-data-officers-can-get-from-messengers/#respond Thu, 02 Dec 2021 06:08:00 +0000 https://blog.gridinsoft.com/?p=6430 An FBI study guide has been made publicly available as part of a Freedom of Information law request filed by Property of the People, an American non-profit organization that deals with government transparency. The resulting document contains training tips for agents and explains what kind of data can be obtained from the operators of various… Continue reading Unlocking the Secrets of Messaging Apps: An In-Depth FBI Study Guide on Accessible Data for Law Enforcement

The post Unlocking the Secrets of Messaging Apps: An In-Depth FBI Study Guide on Accessible Data for Law Enforcement appeared first on Gridinsoft Blog.

]]>
An FBI study guide has been made publicly available as part of a Freedom of Information law request filed by Property of the People, an American non-profit organization that deals with government transparency.

The resulting document contains training tips for agents and explains what kind of data can be obtained from the operators of various messengers and what legal permissions will be required for this.

Secure Messaging Apps Data
Secure Messaging Apps Data

The document is dated January 7, 2021, and, in general, does not contain any fundamentally new information, but it gives a good idea of what information the FBI can currently receive from services such as Message, Line, WhatsApp, Signal, Telegram, Threema, Viber, WeChat and Wickr.

It was previously known that the FBI has legal leverage to obtain personal information even from the operators of secure messengers (which usually focus on confidentiality). Forbes reporter Thomas Brewster said on Twitter

In general, the training document confirms that usually the FBI cannot access the encrypted messages themselves, but they can request other types of information that can also be useful in investigations.

Application Legal Permissions and Other Details
Apple iMessage Reading message content is limited.
Summons: Help you find out basic information about a subscriber.
18 USC §2703 (d): Helps to identify requests in iMessage 25 days from the specified date.
Pen Register: Impossible.
Search warrant: helps you get backups from the target device; if the target uses iCloud backups, encryption keys must be provided, and iMessages can also be retrieved from iCloud if the target has activated Messages in iCloud.
Line Reading of message content is limited.
Registration data of the suspect and/or victim (profile picture, name, email address, phone number, LINE ID, registration date, etc.).
Usage Information.
Content of text chats for a maximum of 7 days for specified users (only if end-to-end encryption is not active and not used, and only if a valid warrant is received; however, videos, images, files, location data, voice calls, and other such data will not be disclosed).
Signal The content of messages cannot be read.
Date and time of user registration.
Last date when the user was connected to the service.
Telegram The content of messages cannot be read.
User contact information is not provided to law enforcement to comply with a court order. & nbsp; Telegram may disclose the IP address and number for confirmed terrorist investigations, according to Telegram’s privacy statement phone to the relevant authorities.
Threema The content of messages cannot be read.
A hash of the phone number and email address, if provided by the user.
Push Token, if using a push service.
Public key.  Date (no time) when Threema ID was created.
Date (no time) of last login.
Viber The content of messages cannot be read.
Provided credentials (i.e. phone number), registration data, and IP address at the time of creation.
Message history: time, date, source number, and destination number.
WeChat Content of messages cannot be read.
Subpoenas and requests to save accounts are accepted, but data for accounts created in China is not provided.
For accounts outside of China, provided basic information (name, phone number, email address, IP address) that is retained as long as the account is active.
WhatsApp Reading message content is limited.
Subpoena: Help you get basic subscriber data.
Court order: same as subpoena and information about blocked users.
Search Warrant: This lets you get contacts from the target’s address book and find out which WhatsApp users have the target in their address book.
Pen register: Transmits source and destination metadata for every post every 15 minutes.
If the target is using an iPhone and iCloud backup is enabled, the data from iCloud may contain WhatsApp data, including the content of messages.
Wickr The content of messages cannot be read.
The date and time the account was created.
The type of devices on which the application is installed.
Date of last use.
Number of messages.
The number of external IDs (email addresses and phone numbers) connected to the account, but not the IDs themselves by open test.
Avatar.
Limited information about recent changes to account settings, including adding or stopping devices (does not include message content or routing and delivery information).
Wickr version number.

Let me remind you that I also reported that FBI removed web shells from vulnerable Microsoft Exchange servers without informing owners.

The post Unlocking the Secrets of Messaging Apps: An In-Depth FBI Study Guide on Accessible Data for Law Enforcement appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/fbi-study-guide-showed-what-data-officers-can-get-from-messengers/feed/ 0 6430
Telegram for macOS did not delete self-destructing videos https://gridinsoft.com/blogs/telegram-for-macos-did-not-delete-videos/ https://gridinsoft.com/blogs/telegram-for-macos-did-not-delete-videos/#respond Mon, 15 Feb 2021 16:26:58 +0000 https://blog.gridinsoft.com/?p=5113 Telegram developers have fixed a bug due to which self-destructing audio and video were not removed from devices running macOS. Let me remind you that in the secret chat mode, you cannot forward messages to other users, and it is also possible to configure automatic self-destruction of all messages and multimedia after a certain time.… Continue reading Telegram for macOS did not delete self-destructing videos

The post Telegram for macOS did not delete self-destructing videos appeared first on Gridinsoft Blog.

]]>
Telegram developers have fixed a bug due to which self-destructing audio and video were not removed from devices running macOS.

Let me remind you that in the secret chat mode, you cannot forward messages to other users, and it is also possible to configure automatic self-destruction of all messages and multimedia after a certain time.

Independent information security specialist Dhiraj Mishra discovered that in Telegram version 7.3, self-destructing messages were not completely deleted from the recipient’s device.

While understanding the implementation of various security and privacy measures in telegram, I identified that telegram fails again in terms of handling the users data. Telegram which has 500 million active users suffers from a logical bug exists in telegram for macOS which stores the local copy of received message (audio/video) on a custom path even after those messages are deleted/disappeared from the secret chat.Dhiraj Mishra wrote.

So, the expert noticed that on macOS standard chats escape the sandbox path, where all received video and audio files are stored. Although this path works in secret chats, the received media files are still stored there, even if the messages in the chat itself have already destructed themselves, as they should have.

Bob (the attacker using the tdesktop macOS) and Alice (the victim) have a secret chat, and Alice sends an audio/video message to Bob with a self-destruct timer of 20 seconds. Although the message is removed from the chat after 20 seconds, it is still available through Bob’s custom path, here Telegram cannot prevent privacy for Alice. In general, the function of self-destruction and work without traces does not work.the expert writes.

Additionally, Mishra discovered that Telegram was storing local access codes to unlock the app in plain text format. They were saved in the Users/[username]/Library/GroupContainers/6N38VWS5BX.ru.keepcoder.Telegram/accounts-metadata folder as JSON files.

The researcher discovered both problems at the end of December 2020, and they were fixed with the release of Telegram 7.4. Mishra received a reward of $3,000 for reporting both errors.

Let me remind you that I also reported that a researcher discovered vulnerability in Telegram, which allows to locate user.

The post Telegram for macOS did not delete self-destructing videos appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/telegram-for-macos-did-not-delete-videos/feed/ 0 5113
Researcher discovered vulnerability in Telegram, which allows to locate user https://gridinsoft.com/blogs/researcher-discovered-vulnerability-in-telegram-which-allows-to-locate-user/ https://gridinsoft.com/blogs/researcher-discovered-vulnerability-in-telegram-which-allows-to-locate-user/#respond Thu, 07 Jan 2021 10:20:03 +0000 https://blog.gridinsoft.com/?p=4937 The researcher discovered a vulnerability in Telegram. The fact is that the messenger provides users with the “People Nearby” function, thanks to which it is possible to determine the location of a social network client with an accuracy of several tens of meters. Enthusiast Ahmed Hasan posted a message about the vulnerability found on his… Continue reading Researcher discovered vulnerability in Telegram, which allows to locate user

The post Researcher discovered vulnerability in Telegram, which allows to locate user appeared first on Gridinsoft Blog.

]]>
The researcher discovered a vulnerability in Telegram. The fact is that the messenger provides users with the “People Nearby” function, thanks to which it is possible to determine the location of a social network client with an accuracy of several tens of meters.

Enthusiast Ahmed Hasan posted a message about the vulnerability found on his blog.

Several years ago, he already reported a similar flaw to the Line messenger development team. The creators of the messenger paid Hassan a bonus of $ 1,000 and fixed the problem.

A few days ago, I installed Telegram, and I noticed that they have the same feature. I tried to see if I can unmask other users’ locations, and I found they have the same issue I discovered in the Line app a few years ago. I reported the problem to Telegram security, and they said it’s not an issue. If you enable the feature of making yourself visible on the map, you’re publishing your home address online. Lot of users don’t know this when they enable that feature.wrote Ahmed Hasan.

Although Telegram only shows the distance to a particular user in the list, you can determine its exact location using triangulation.

If you notice, Telegram is telling how far each person is far from me. An adversary can spoof their location for three points and use them to draw three triangulation circles.reports Ahmed Hasan.

To do this, you need to change your location twice, marking each time the distance to the user, and then draw on the map (for example, on Google maps) three circles with a centre in their coordinates and a radius equal to the found distance. The user will be at the intersection of the circles.

Researcher discovered vulnerability in Telegram

Let me remind you, by the way, that Researcher Earned $10,000 by Finding XSS Vulnerability in Google Maps.

At the same time, can be found only those users, who use the “People nearby” function.

Telegram told me that this is not a problem. If you are using this feature, be sure to disable it, unless you want your location to be available to everyone.said Ahmed Hasan.

It should be noted that alternative solutions in other applications for calculating the distance between users include the addition of a random number to the coordinates, which makes impossible determining the real geolocation, but in the case of Telegram, the developers decided to neglect this additional security measure.

The post Researcher discovered vulnerability in Telegram, which allows to locate user appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/researcher-discovered-vulnerability-in-telegram-which-allows-to-locate-user/feed/ 0 4937
New T-RAT malware can be controlled via Telegram https://gridinsoft.com/blogs/new-t-rat-malware-can-be-controlled-via-telegram/ https://gridinsoft.com/blogs/new-t-rat-malware-can-be-controlled-via-telegram/#respond Sat, 24 Oct 2020 09:09:46 +0000 https://blog.gridinsoft.com/?p=4473 G DATA’s specialists have published a report on the new T-RAT malware, which is being distributed for only $45. The main feature of the malware is that T-RAT allows controlling infected systems through the Telegram channel, and not through the web administration panel, as it is usually done. Malware creators claim that this provides faster… Continue reading New T-RAT malware can be controlled via Telegram

The post New T-RAT malware can be controlled via Telegram appeared first on Gridinsoft Blog.

]]>
G DATA’s specialists have published a report on the new T-RAT malware, which is being distributed for only $45. The main feature of the malware is that T-RAT allows controlling infected systems through the Telegram channel, and not through the web administration panel, as it is usually done.

Malware creators claim that this provides faster and easier access to infected computers from anywhere, and allows them to quickly steal data. However, T-RAT can also be controlled by more traditional methods, for example via RDP and VNC.

The T-RAT Telegram channel supports 98 commands that allow retrieving passwords and cookies from the browser, navigate the victim’s file system and search for confidential data, deploy a keylogger, secretly record sound through the device microphone, take screenshots of the victim’s desktop, take snapshots via the web -camera and intercept the contents of the clipboard.say G DATA experts.

In addition, T-RAT owners can use a special mechanism for capturing data from the clipboard, which replaces strings similar to addresses of cryptocurrency and electronic wallets with the addresses of attackers. This allows successfully intercepting Qiwi, WMR, WMZ, WME, WMX, Yandex.Money, Payeer, CC, BTC, BTCG, Ripple, Dogecoin and Tron transactions.

The malware is also capable of working with terminal commands (CMD and PowerShell), blocking the victim’s access to certain sites (for example, antivirus and technical support sites), eliminating specific processes (disabling security and debugging software), and even deactivating the Taskbar and Task Manager.

G DATA experts write that T-RAT is just one of many families of malware that are equipped with the ability to control via Telegram, and this is not the first RAT that operates on such a model. So, similar functionality is possessed by: RATAttack (targeting Windows), HeroRAT (targeting Android), TeleRAT (used mainly against users from Iran, targeting Android), IRRAT (targeting Android), RAT-via-Telegram (available at GitHub, targeting Windows users) and Telegram-RAT (available on GitHub, targeting Windows users).

New T-RAT samples are regularly uploaded to VirusTotal. I assume that it is actively spreading, although I have no direct evidence of this.says company expert Karsten Hahn.

Let me remind fans of classic horror stories about viruses and monsters that Alien malware that steals passwords from 226 Android apps.

The post New T-RAT malware can be controlled via Telegram appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/new-t-rat-malware-can-be-controlled-via-telegram/feed/ 0 4473
Magecart groupings extract stolen cards data via Telegram https://gridinsoft.com/blogs/magecart-groupings-extract-stolen-cards-data-via-telegram/ https://gridinsoft.com/blogs/magecart-groupings-extract-stolen-cards-data-via-telegram/#respond Fri, 04 Sep 2020 16:12:42 +0000 https://blog.gridinsoft.com/?p=4259 An information security specialist known under the pseudonym Affable Kraut discovered that Magecart web skimmer operators extract stolen cards data through Telegram channels. He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks. Let me remind you that initially the name MageCart was assigned to one hack… Continue reading Magecart groupings extract stolen cards data via Telegram

The post Magecart groupings extract stolen cards data via Telegram appeared first on Gridinsoft Blog.

]]>
An information security specialist known under the pseudonym Affable Kraut discovered that Magecart web skimmer operators extract stolen cards data through Telegram channels.

He concluded this based on information obtained by Sansec, which specializes in combating digital skimming and Magecart attacks.

Let me remind you that initially the name MageCart was assigned to one hack group, which was the first to introduce web skimmers (malicious JavaScript) on the pages of online stores to steal bankcard data.

“Such an approach was so successful that the group soon had numerous imitators, and the name MageCart became a common name, and now it refers to a whole class of such attacks”, – remind history specialists of the information security company RiskIQ.

If in 2018 RiskIQ researchers identified 12 such groups, then by the end of 2019, according to IBM, there were already about 40 of them.

The researcher studied one of these malicious JavaScript and noticed that it collects all data from the input fields filled by victims and sends it to Telegram.

Magecart extract card data

All transmitted information is encrypted using a public key, and having received it, a special Telegram bot sends the stolen data to the chat in the form of ordinary messages.

Magecart extract card data

Affable Kraut notes that this method of data theft, apparently, is very effective, but it has a significant disadvantage: anyone who has a token for a Telegram bot can take control of the process.

Malwarebytes’ leading researcher, Jérôme Segura, was also interested in the script, and after examining it, he said that the author of this web skimmer used a simple Base64 for the bot ID, Telegram channel and API requests. Below you can see the diagram left by Segura and describing the entire attack process.

Magecart extract card data

The researcher notes that data theft occurs only if the current URL in the browser contains one of the keywords indicating that this is an online store, and only when the user confirms the purchase. The payment details will then be sent to both the payment processor and the cybercriminals.

Jerome Segura writes that such a data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

Segura writes that such data extraction mechanism is a very practical solution, because it allows attackers not to worry about creating a special infrastructure for these purposes. In addition, it will not be easy to defend against this type of skimmer. Blocking Telegram connections will be only a temporary solution, since then the attackers can start using another legitimate service, which will also mask the “leak” of data.

Let me remind you that scientists have developed an attack that allows not to enter a PIN code while paying with Visa cards.

The post Magecart groupings extract stolen cards data via Telegram appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/magecart-groupings-extract-stolen-cards-data-via-telegram/feed/ 0 4259