This purchase order PDF is fake, malicious, and after your password


Another day, another scam on Telegram. Researchers have found an attachment posing as a purchase order in PDF form that’s actually a credential-harvesting web page quietly sending passwords and other sensitive data straight to a Telegram bot controlled by an attacker.

The risk is very real, researchers from Malwarebytes Labs say. That’s because every day, many professionals receive a steady flow of invoices, approvals, and, yes, purchase orders. Therefore, an email with a malicious attachment – in this case named New PO 500PCS.pdf.hTM – may look very normal.

But it’s not. The double file extension is a pretty obvious giveaway, of course.


“Attachments with extensions like .pdf.htm are classic phishing tactics. These files are usually disguised as documents (PDF), but they’re actually HTML files that open in a browser and can contain malicious scripts or phishing forms,” Malwarebytes Labs said in a blog post.

What happens when you open the attachment? You’re shown a password prompt over a blurred background while, behind it, the phishing script grabs some environment details – IP address, geolocation, and user agent – and sends them to the attacker along with whatever you type into the form.

[Image: the malicious attachment. Courtesy of Malwarebytes Labs.]

Then, after a short “Verifying…” message, you’re informed that “your account or password is incorrect” and prompted to try again.

According to Malwarebytes Labs, this is a psychological trick. Firstly, it’s believable, as typos indeed happen. Besides, it encourages a second password attempt, perhaps to try to harvest another, different password.

When you type your password again and click Next, and this one appears to be accepted, you don’t see a real document: you’re redirected to a blurry image that looks like an invoice hosted on ibb[.]co.

“That’s a shortened domain for ImgBB, a legitimate image-hosting and sharing service. That unexpected image may confuse you just enough to stop you from immediately changing your credentials or immediately alerting your IT department,” say the researchers.


Rather than emailing stolen credentials or logging in to a server that might be blocked by security software, the page sends them via a Telegram bot.

The attacker receives the email and password combination, the IP address and geolocation, and the browser and operating system details.
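A mail-gateway check for the pattern described above (a document-looking name ending in an HTML extension, a browser password prompt, and a Telegram Bot API URL as the drop point), written as an added example in Python. It is not Malwarebytes’ or Cybernews’ code; the sample email, the indicator names and the placeholder bot token are constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Document-looking extension followed by one the browser renders as HTML,
# e.g. "New PO 500PCS.pdf.hTM"; matching is case-insensitive.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
HTML_EXTS = {"htm", "html", "xhtml", "shtml"}
PASSWORD_INPUT_RE = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
TELEGRAM_BOT_RE = re.compile(r"api\.telegram\.org/bot", re.I)

def has_double_extension(filename: str) -> bool:
    """True for names like x.pdf.hTM, where the final extension is HTML."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] in HTML_EXTS

def scan_attachment(filename: str, data: bytes) -> list[str]:
    # Indicator names found in one attachment, in a fixed order.
    findings = []
    if has_double_extension(filename):
        findings.append("double_extension")
    text = data.decode("utf-8", errors="replace")
    if PASSWORD_INPUT_RE.search(text):       # browser-rendered login prompt
        findings.append("password_form")
    if TELEGRAM_BOT_RE.search(text):         # Bot API used as the drop point
        findings.append("telegram_bot_endpoint")
    return findings

def scan_email(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename in a raw message to its indicators."""
    results = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name and not part.is_multipart():
            results[name] = scan_attachment(name, part.get_payload(decode=True) or b"")
    return results

# Constructed sample: HTML "purchase order" with a password form and a
# Telegram bot URL (the token is a placeholder, not a real value).
SAMPLE_HTML = b"""<!DOCTYPE html><html><body style="filter:blur(4px)">
<form><input type="email" name="u"><input type="password" name="p">
<button>Next</button></form>
<script>const DROP = "https://api.telegram.org/botPLACEHOLDER_TOKEN/sendMessage";</script>
</body></html>"""

def build_sample_email() -> bytes:
    # Constructed message carrying SAMPLE_HTML under a double-extension name.
    msg = EmailMessage()
    msg.set_content("Please review the attached purchase order.")
    msg.add_attachment(SAMPLE_HTML, maintype="application", subtype="pdf",
                       filename="New PO 500PCS.pdf.hTM")
    return msg.as_bytes()
```

Running `scan_email(build_sample_email())` flags the attachment on all three indicators; a plain `invoice.pdf` or a legitimate `page.htm` trips none of the name check.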

Telegram is a widely used platform, even though it is often wrongly assumed to be encrypted. It’s often not blocked by organizations, which makes it a popular command and control channel for phishers.

In fact, multiple recent cyberattacks have relied on Telegram infrastructure as a central tool for tracking victims, controlling malware, and moving stolen data, prompting security researchers to recommend blocking Telegram traffic where it isn’t essential.


Admittedly, this phishing attempt may look a little unprofessional, but each victim who sends actual login details to the phisher is a win at a near-zero investment, Malwarebytes Labs says.

“For the target, it can turn into a nightmare ranging from having to change passwords to a compromised Acrobat or other account, which can then be used and sold for more serious attacks,” say the researchers.

“The next time a ‘PDF’ asks for your password in a browser, pause to think about what might be hiding under the hood.”

