© 2022 CyberNews - Latest tech news,
product reviews, and analyses.


Telegram ‘hosting crooks who spoof Microsoft’


A free webpage and communications service operated by Telegram has become a haven for cybercriminals and other undesirables, with more than a thousand phishing campaigns detected this year alone, according to research by INKY. Worse still, many of them are impersonating popular brands such as Microsoft to lure the unwary.

Telegraph – a subsidiary of Telegram – has featured in more than 1,200 emails connected to cryptocurrency and social engineering scams, credential harvesting and extortion so far this year, said the cybersecurity analyst. And it doesn’t look as though parent company Telegram will take action to halt the practice.

“Telegram was founded by two Russian brothers who are more or less living on the lam [as fugitives from the law], supposedly in the Caribbean,” alleged INKY. “Pavel Durov, the more public-facing brother, recently acquired French citizenship. The company is registered in the British Virgin Islands and has its operations center in Dubai. For a phisher, what’s not to love?”

Because Telegram allows users to publish anonymously, and to delete messages and posts immediately afterwards, it has become a haven for cybercriminals, white supremacists, child pornographers, and terrorists, said INKY, citing external sources. It also claims that subsidiary Telegraph’s free website setup feature has led to the platform becoming a popular alternative to the dark web.

“Telegraph lets anyone set up a webpage,” it said. “Controls are simple, and options are limited. All the enterprising publisher has to do to create a page is go to https://telegra.ph/, add text, images, and links, and then hit the ‘publish’ button. That’s all phishers need.”

And it would appear that phishers have indeed been casting many a line on Telegraph. A common practice has been to send bogus emails impersonating Microsoft that contain malicious links, which lead the victim straight to a credential harvesting site. Cybercriminals use these details either to extort someone directly, or to sell the sensitive data on to other threat actors who will then use it in their own scams.

Faked login page

Other methods employed on Telegraph include extorting the victim through a social engineering attack designed to play on their fears. “Using your password, our team got access to your email,” reads one message intercepted by INKY. “We downloaded all data [...] and used it to get access to your backup files.”

The message then threatens to share all sensitive data with friends, family and work colleagues unless $1,700 is paid within two days to a specified cryptocurrency account – and Telegraph obligingly hosts the site facilitating these illicit payments.

Bitcoin account used by hackers on Telegraph

“As of publication, the bitcoin address associated with this scam had received several transactions, totaling $2,578,” said INKY. “A recipient should never reply or act on any email in which the sender threatens to release embarrassing or personal information unless they are paid in cryptocurrency.”

It added: “Email recipients should always be suspicious of any message that asks them to log in with credentials to view a document. Legitimate organizations rarely use this type of authentication. Another bright red flag should go up if a sender asks a recipient to use Microsoft credentials to view, say, a DocuSign document.”

INKY also advises users receiving an unexpected email from a known entity such as a bank or government department to confirm its legitimacy by contacting the institution directly via a different communication platform.
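
For mail administrators, the pattern described above (a message claiming to come from Microsoft that links to a telegra.ph page) can be checked mechanically. The following is an added example, not code from INKY or from the original article; the brand allowlist, the verdict names and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>)\]]+", re.IGNORECASE)
HOSTING_DOMAIN = "telegra.ph"  # free page service named in the article
# Assumption: illustrative allowlist of domains each brand really mails from.
BRAND_DOMAINS = {"microsoft": ("microsoft.com",),
                 "docusign": ("docusign.com", "docusign.net")}

def _under(host, domain):
    # True for the domain itself or a subdomain, not for lookalike suffixes.
    return host == domain or host.endswith("." + domain)

def _host(url):
    try:
        return (urlsplit(url.rstrip(".,;")).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return ""

def triage(raw_email):
    """Return a verdict plus the evidence behind it for one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].lower()
    text = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")
    links = sorted({u for u in URL_RE.findall(text)
                    if _under(_host(u), HOSTING_DOMAIN)})
    claimed = f"{display} {msg.get('Subject', '')}".lower()
    spoofed = sorted(brand for brand, domains in BRAND_DOMAINS.items()
                     if brand in claimed
                     and not any(_under(sender_domain, d) for d in domains))
    # Brand claim plus Telegraph link is the article's pattern; a link alone is weak.
    verdict = "quarantine" if links and spoofed else "review" if links else "pass"
    return {"verdict": verdict, "links": links, "spoofed_brands": spoofed}

# Constructed sample message (not a real email or a real Telegraph page).
SAMPLE_PHISH = (
    "From: Microsoft Account Team <notice@example.net>\n"
    "Subject: Action required: verify your password\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Sign in to view the document: https://telegra.ph/constructed-sample-page\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
```

The sender-domain comparison uses only the From header, so it complements SPF, DKIM and DMARC results and does not replace them.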

