How attackers can read your Telegram correspondence. And how to stop them


At the end of 2019, several Russian entrepreneurs who had run into unauthorized access to their Telegram correspondence by unknown persons contacted the Group-IB Cybercrime Investigation Department. The incidents occurred on both iOS and Android devices, regardless of which federal mobile operator the victim used.

The attack began with the user receiving, in the Telegram service channel (the messenger's official channel with a blue verification checkmark), a login confirmation code that the user had not requested. Shortly afterwards an SMS with an activation code arrived on the victim's smartphone, and almost immediately a notification appeared in the same service channel that the account had been logged into from a new device.


In all cases known to Group-IB, the attackers logged into the victim's account over mobile internet (probably using disposable SIM cards), and in most cases the attackers' IP address was located in Samara.

Access on request

A study by the Group-IB Computer Forensics Laboratory, to which the victims' devices were handed over, showed that the hardware was not infected with spyware or a banking Trojan, no account credentials had been compromised, and no SIM card had been replaced (no SIM swap). In every case the attackers gained access to the victim's messenger using the SMS codes that are sent when logging into the account from a new device.

The login procedure is as follows: when the messenger is activated on a new device, Telegram first sends a code through the service channel to all of the user's existing devices, and only then (on request) sends an SMS with the code to the phone number. Knowing this, the attackers themselves trigger the request for the SMS activation code, intercept that SMS, and use the code to authorize successfully in the messenger. The in-app code never reaches the attackers, since they hold none of the victim's devices; the SMS fallback is the only factor they need, and it is the one that can be intercepted inside the mobile network.

Thus the attackers gain illegitimate access to all current chats except secret chats, including the history of those chats with any files and photos sent in them. Once the legitimate user notices this, they can forcibly terminate the attacker's session. Thanks to a protection mechanism Telegram has implemented, the reverse cannot happen: a newly created session cannot terminate the user's older sessions for 24 hours. It is therefore important to detect a foreign session in time and terminate it so as not to lose access to the account. Group-IB specialists notified the Telegram team of the results of their investigation.

The investigation of the incidents is ongoing, and it has not yet been established exactly which scheme was used to bypass the SMS factor. At various times researchers have demonstrated SMS interception through attacks on the SS7 or Diameter signalling protocols used in mobile networks. In theory such attacks can be carried out with the illegal use of special technical means or with the help of insiders at mobile operators. In particular, there are fresh advertisements on darknet hacker forums offering to hack various messengers, including Telegram.


“Specialists in different countries, including Russia, have repeatedly stated that social networks, mobile banking and instant messengers can be hacked using a vulnerability in the SS7 protocol, but these were isolated cases of targeted attacks or experimental studies,” comments Sergey Lupanin, Head of the Group-IB Cybercrime Investigation Department. “In the new series of incidents, of which there are already more than 10, it is obvious that the attackers want to turn this way of making money into a production line. To prevent this, you need to raise your own level of digital hygiene: at the very least, use two-factor authentication wherever possible, and add a mandatory second factor on top of SMS, which is built into Telegram itself.”

How to protect yourself?

1. Telegram has already implemented all the cybersecurity options needed to reduce the attackers' efforts to nothing.
2. On iOS and Android devices, open the Telegram settings, select the "Privacy and Security" tab and enable "Two-Step Verification" (the cloud password). A detailed description of how to enable this option is given in the instructions on the messenger's official website: https://telegram.org/blog/sessions-and-2-step-verification


3. It is important not to set a recovery e-mail address for this password: the cloud password can be reset through a code sent to that mailbox, and since, as a rule, the mailbox's own password recovery also goes through SMS to the same phone number, an attacker who is already intercepting SMS can reset the mailbox, then the cloud password, and get around the second factor. Keep the password in a password manager instead, because without a recovery address forgetting it means losing access to the account. WhatsApp's account protection can be strengthened in a similar way.
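The two defensive steps the article leaves to the reader are spotting a foreign session before the 24-hour window closes (the "Access on request" section) and keeping two-step verification on (the list above). The following is an added example, not Group-IB's or Telegram's code: a small session audit whose classification works on plain dicts so it can be run offline against the constructed sample below, plus an assumed wrapper that feeds it real data through the Telethon library's account.getAuthorizations and account.resetAuthorization calls. The sample sessions, IP addresses, timestamps, the home-region list and the Telethon wrapper are all assumptions made for the example.

```python
"""Audit Telegram sessions for the takeover pattern described in the article.

Added example, not the article's or Telegram's code. The classification below
runs on plain dicts; the Telethon wrapper at the bottom is an assumption about
how one would feed it live data and is never called automatically.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the incident: the victim's established session,
# then a fresh login over mobile internet from another region (Samara), one
# with an official client and one with an unofficial client.
SAMPLE_SESSIONS = [
    {"hash": 1, "current": True, "official_app": True, "app_name": "Telegram iOS",
     "ip": "203.0.113.10", "country": "Russia", "region": "Moscow",
     "date_created": datetime(2019, 6, 1, tzinfo=timezone.utc)},
    {"hash": 2, "current": False, "official_app": True, "app_name": "Telegram Android",
     "ip": "198.51.100.7", "country": "Russia", "region": "Samara",
     "date_created": datetime(2019, 12, 20, 9, 30, tzinfo=timezone.utc)},
    {"hash": 3, "current": False, "official_app": False, "app_name": "Telethon",
     "ip": "198.51.100.8", "country": "Russia", "region": "Samara",
     "date_created": datetime(2019, 12, 20, 9, 31, tzinfo=timezone.utc)},
]
SAMPLE_NOW = datetime(2019, 12, 20, 12, 0, tzinfo=timezone.utc)    # 2.5 h after the logins
SAMPLE_LATER = datetime(2020, 2, 1, 0, 0, tzinfo=timezone.utc)     # long after the 24 h window


def suspicious_sessions(sessions, now, window=timedelta(hours=24), home_regions=()):
    """Return (session, reasons) pairs for sessions that warrant termination.

    The session we audit from ("current") is never flagged. Any other session is
    flagged when it was created inside `window` (the 24 h in which Telegram does
    not let a new session kill older ones, so the victim can still act), when it
    comes from an unofficial client, or when its region is outside the known
    home regions. The reasons are returned so an operator can judge them.
    """
    flagged = []
    for s in sessions:
        if s["current"]:
            continue
        reasons = []
        if now - s["date_created"] <= window:
            reasons.append("created within the last %d h" % int(window.total_seconds() // 3600))
        if not s["official_app"]:
            reasons.append("unofficial client %s" % s["app_name"])
        if home_regions and s["region"] not in home_regions:
            reasons.append("region %s not in %s" % (s["region"], sorted(home_regions)))
        if reasons:
            flagged.append((s, reasons))
    return flagged


def flagged_hashes(sessions, now, **kwargs):
    """Sorted session hashes that suspicious_sessions() would terminate."""
    return sorted(s["hash"] for s, _ in suspicious_sessions(sessions, now, **kwargs))


def audit_with_telethon(api_id, api_hash, home_regions, session_name="audit"):
    """Assumed wrapper (requires the telethon package and real API credentials).

    Run it from an established session that is older than 24 h: a brand-new
    session cannot terminate older ones, which is exactly the rule that keeps
    the attacker from locking the victim out first.
    """
    from telethon.sync import TelegramClient
    from telethon.tl.functions.account import GetAuthorizationsRequest, ResetAuthorizationRequest

    with TelegramClient(session_name, api_id, api_hash) as client:
        auths = client(GetAuthorizationsRequest()).authorizations
        sessions = [{"hash": a.hash, "current": a.current, "official_app": a.official_app,
                     "app_name": a.app_name, "ip": a.ip, "country": a.country,
                     "region": a.region, "date_created": a.date_created} for a in auths]
        for s, reasons in suspicious_sessions(sessions, datetime.now(timezone.utc),
                                              home_regions=home_regions):
            print("terminating %s from %s: %s" % (s["app_name"], s["ip"], "; ".join(reasons)))
            client(ResetAuthorizationRequest(hash=s["hash"]))


if __name__ == "__main__":
    for s, reasons in suspicious_sessions(SAMPLE_SESSIONS, SAMPLE_NOW, home_regions={"Moscow"}):
        print("session %d (%s, %s): %s" % (s["hash"], s["app_name"], s["ip"], "; ".join(reasons)))
```

Run against the sample at SAMPLE_NOW with home region Moscow, both Samara logins are flagged; at SAMPLE_LATER with no home regions only the unofficial client remains flagged, which is the point of returning reasons rather than a bare verdict. Terminating the attacker's session only closes this incident; the two-step verification password from step 2 is what stops the next SMS-only login, and Telethon's client.edit_2fa() can set it with no recovery e-mail for the reasons given in step 3.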



Source: habr.com
