Telegram Offers Premium Subscription in Exchange for Using Your Number to Send OTPs

Mar 28, 2024 | Newsroom | Technology / Data Privacy


In June 2017, a study of more than 3,000 Massachusetts Institute of Technology (MIT) students published by the National Bureau for Economic Research (NBER) found that 98% of them were willing to give away their friends’ email addresses in exchange for free pizza.

“Whereas people say they care about privacy, they are willing to relinquish private data quite easily when incentivized to do so,” the research said, pointing out what’s called the privacy paradox.

Now, nearly seven years later, Telegram has introduced a new feature that gives some users a free premium membership in exchange for allowing the popular messaging app to use their phone numbers as a relay for sending one-time passwords (OTPs) to other users who are attempting to sign in to the platform.

The feature, called Peer-to-Peer Login (P2PL), is currently being tested in selected countries for Android users of Telegram. It was first spotted by tginfo in February 2024 (via @AssembleDebug).

According to Telegram’s Terms of Service, the phone number will be used to send no more than 150 OTP SMS messages – including international SMS – per month, incurring charges from the user’s mobile carrier or service provider.


That said, the popular messaging app notes that it “cannot prevent the OTP recipient from seeing your phone number upon receiving your SMS” and that it “will not be liable for any inconvenience, harassment or harm resulting from unwanted, unauthorized or illegal actions undertaken by users who became aware of your phone number through P2PL.”

Even worse, the mechanism – which largely relies on an honor system – doesn’t prohibit users from contacting strangers to whose number the OTP authentication SMS was sent, and vice versa, potentially leading to an increase in spam calls and texts.

Telegram said it reserves the right to unilaterally terminate an account from the P2PL program if participants are found sharing personal information about recipients. It also warns users not to contact any OTP recipients or reply to them even if they message them.

As of March 2024, Telegram has more than 900 million monthly active users. It launched the Premium subscription program in June 2022, allowing users to unlock additional features like 4 GB file uploads, faster downloads, and exclusive stickers and reactions.

With online services still relying on phone numbers to authenticate users, it’s worth keeping in mind the privacy and security risks that could arise from partaking in the experiment.

Meta in Legal Crosshairs for Intercepting Snapchat Traffic

The development comes as newly unsealed court documents in the U.S. alleged that Meta launched a secret project called Ghostbusters to intercept and decrypt the network traffic from people using Snapchat, YouTube and Amazon to help it understand user behavior and better compete with its rivals.

This was accomplished by leveraging custom apps from a VPN service called Onavo, which Facebook acquired in 2013 and shut down in 2019 after it came under scrutiny for using its products to track users’ web activity related to its competitors and secretly paying teens to capture their internet browsing patterns.


The data-interception scheme has been described as a “man-in-the-middle” approach, in which Facebook essentially paid people between ages 13 and 35 up to $20 per month plus referral fees for installing a market research app and giving it elevated access to inspect network traffic and analyze their internet usage.

The tactic relied on creating “fake digital certificates to impersonate trusted Snapchat, YouTube, and Amazon analytics servers to redirect and decrypt secure traffic from those apps for Facebook’s strategic analysis.”

The apps were distributed through beta testing services, such as Applause, BetaBound, and uTest, to conceal Facebook’s involvement. The program, which later became known as the In-App Action Panel (IAAP), ran from 2016 to 2018.

Meta, in its response, said there is no crime or fraud, and that “Snapchat’s own witness on advertising confirmed that Snap cannot ‘identify a single ad sale that [it] lost from Meta’s use of user research products,’ does not know whether other competitors collected similar information, and does not know whether any of Meta’s research provided Meta with a competitive advantage.”

Telegram Marketplaces Fuel Phishing Attacks with Easy-to-Use Kits and Malware

Jan 31, 2024 | Newsroom | Cyber Crime / Hacking News


Cybersecurity researchers are calling attention to the “democratization” of the phishing ecosystem owing to the emergence of Telegram as an epicenter for cybercrime, enabling threat actors to mount a mass attack for as little as $230.

“This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims’ data,” Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a new report.

“Free samples, tutorials, kits, even hackers-for-hire — everything needed to construct a complete end-to-end malicious campaign.”

This is not the first time the popular messaging platform has come under scrutiny for facilitating malicious activities, which are in part driven by its lenient moderation efforts.

As a result, what used to be available only on invite-only forums in the dark web is now readily accessible via public channels and groups, thereby opening the doors of cybercrime to aspiring and inexperienced cyber criminals.


In April 2023, Kaspersky revealed how phishers create Telegram channels to educate newbies about phishing as well as advertise bots that can automate the process of creating phishing pages for harvesting sensitive information such as login credentials.

One such malicious Telegram bot is Telekopye (aka Classiscam), which can craft fraudulent web pages, emails, and SMS messages to help threat actors pull off large-scale phishing scams.


Guardio said the building blocks to construct a phishing campaign can be readily purchased off Telegram – “some offered at very low prices, and some even for free” – thereby making it possible to set up scam pages via a phishing kit, host the page on a compromised WordPress website via a web shell, and leverage a backdoor mailer to send the email messages.

Backdoor mailers, marketed on various Telegram groups, are PHP scripts injected into already infected-but-legitimate websites to send convincing emails using the legitimate domain of the exploited website to bypass spam filters.

“This situation highlights a dual responsibility for site owners,” the researchers said. “They must safeguard not only their business interests but also protect against their platforms being used by scammers for hosting phishing operations, sending deceptive emails, and conducting other illicit activities, all unbeknownst to them.”


To further increase the likelihood of success of such campaigns, digital marketplaces on Telegram also provide what’s known as “letters,” which are “expertly designed, branded templates” that make the email messages appear as authentic as possible to trick the victims into clicking on the bogus link pointing to the scam page.

Telegram is also host to bulk datasets containing valid and relevant email addresses and phone numbers to target. Referred to as “leads,” they are sometimes “enriched” with personal information such as names and physical addresses to maximize the impact.


“These leads can be incredibly specific, tailored for any region, niche, demographic, specific company customers, and more,” the researchers said. “Every piece of personal information adds to the effectiveness and credibility of these attacks.”

The way these lead lists are prepared can vary from seller to seller. They can be procured either from cybercrime forums that sell data stolen from breached companies or through sketchy websites that urge visitors to complete a fake survey in order to win prizes.

Another crucial component of these phishing campaigns is a means to monetize the collected stolen credentials by selling them to other criminal groups in the form of “logs,” netting the threat actors a 10-fold return on their investment based on the number of victims who end up providing valid details on the scam page.

“Social media account credentials are sold for as little as a dollar, while banking accounts and credit cards could be sold for hundreds of dollars — depending on their validity and funds,” the researchers said.

“Unfortunately, with just a small investment, anyone can start a significant phishing operation, regardless of prior knowledge or connections in the criminal underworld.”
