A sophisticated Telegram phishing campaign has re-emerged, marking a significant evolution in how threat actors compromise user accounts. <\/p>\n
Unlike traditional credential harvesting, this operation does not rely on cloning login pages to steal passwords but instead manipulates the platform\u2019s legitimate authentication infrastructure. <\/p>\n
By integrating directly with Telegram\u2019s official login workflows, the attackers can bypass standard security filters and obtain fully authorized user sessions without raising immediate alarms.<\/p>\n
The attack vectors are designed to minimize user suspicion by mimicking routine security checks and verification procedures. <\/p>\n
Victims are presented with fraudulent login interfaces that support both QR-code scanning<\/a> and manual phone number entry.<\/p>\n These interfaces are hosted on ephemeral domains that closely resemble legitimate Telegram branding. <\/p>\n When a user interacts with these elements, they are not sending data to a hacker\u2019s database but are inadvertently triggering a real login request initiated by the attacker\u2019s device.<\/p>\n Cyfirma analysts identified this malware<\/a> after observing its unique ability to frame authorization prompts as security verifications.<\/p>\n The researchers noted that this method significantly increases victim compliance while reducing detectable anomalies. <\/p>\n Once the user approves the request on their mobile device, believing they are verifying their identity, the attackers gain immediate, persistent access to the account. <\/p>\n This allows them to monitor communications and launch secondary attacks against the victim\u2019s contacts without alerting the user through typical suspicious login warnings or requiring exploit-based access.<\/p>\n The technical sophistication of this campaign is evident in its use of dynamic backend configurations to evade detection. <\/p>\n Rather than hardcoding phishing logic into the frontend HTML, the site retrieves runtime instructions from a centralized server via cross-origin API requests. <\/p>\n This JSON response delivers attacker-controlled Telegram API credentials<\/a>, such as the\u00a0 This configuration-driven design allows the operators to rapidly rotate domains while maintaining consistent authentication logic across globally distributed targets. <\/p>\n The phishing pages also display misleading system messages, instructing users to click \u201cYes\u201d on the in-app notification to \u201cverify\u201d their account. <\/p>\n By shifting the decisive action to the trusted Telegram app interface, the campaign successfully masks the malicious nature of the session binding process.<\/p>\n To mitigate these risks, users must exercise extreme caution with in-app authorization prompts. <\/p>\n Never approve a login request unless you personally initiated it, even if the prompt claims to be a security check or unusual activity review. <\/p>\n It is essential to avoid scanning QR codes from unfamiliar websites and to regularly audit active sessions within Telegram\u2019s \u201cDevices\u201d settings. <\/p>\n Finally, enabling Two-Step Verification<\/a> adds a critical layer of defense, preventing unauthorized session creation by requiring a secondary password even if a user is tricked into approving the initial prompt.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Telegram Phishing Attack Abuses Authentication Workflows to Obtain Full Authorized User Sessions<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nDynamic Infrastructure and API Abuse<\/strong><\/h2>\n
api_id<\/code>\u00a0and\u00a0api_hash<\/code>, along with localized language data to render the login interface.<\/p>\n![\"In-app](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgYbODq9lSrVUxpd-a1Cx6cLMxT6wErjz10suz-4GdrPQ-wjeiXxCKdqsrmcqxPeeuTbnnnF_LjiyyAAqEEeXZtUxIA6-UNtIeikHHvfWWkVLMS-E-XOeRSEwO19oE6ANLNBv2kEnokaL1wcy8F6lrxREDqaO8A68Sak0PMoxqKTDIxQ6BMekfxWXS7PvQ\/s16000\/In-app%2520authorization%2520prompt%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")