# Phishing Attack in Telegram via Fake Voting: Technical Breakdown
Phishing campaigns in Telegram often masquerade as online voting for contest participants, such as children's drawings. The user receives a message urging them to support a participant along with a link to a website. Example: transition to a contest-styled page prompting to click the "Proceed to Voting" button.
This page mimics a legitimate process: selecting a participant from a list, followed by a redirect to an intermediate URL. The final stage is a phishing Telegram authorization form requiring entry of a phone number or scanning a QR code.
The form visually replicates Telegram's interface, including input fields and buttons. After data entry, credentials are intercepted, enabling attackers to hijack the account and use it for further distribution.
Technical Phishing Chain
The attack is built on a sequence of redirects and scripts:
- Initiation: The link leads to the main contest page (e.g.,
/rus-deti/5). - Engagement: Selecting a participant triggers an intermediate redirect (e.g.,
/rus-deti/c0zoJML). - Phishing Form: A fake authorization page opens (parameterized URL with tokens, e.g.,
/rus-deti/H3uwg4h?swfix=3).
A JavaScript script (long hash in the URL, e.g., /f68c4324c5414ef0876c4ad5c5ca6345202ae0dcf9dee56332daaa6e9e3e5a1e/H3uwg4h/3b9vlz7pze51.js) dynamically handles input:
- Processes keyboard and click events.
- Masks the form as a live interface.
- Sends data to backend endpoints.
Victim data is transmitted to subdomains:
venus.risunki-sveta.space/apiw1kws2.risunki-sveta.space/apiws
This enables collection of phone numbers, confirmation codes, and session tokens.
Indicators of Compromise (IOC)
For detection and blocking, use the following indicators:
- Server IP Addresses:
- 94.26.35.117
- 94.26.35.116
- 85.206.164.29
- Suspicious Domains:
- risunki-sveta.space
- machine.sparkart-sun.shop
These IOCs allow configuring rules in WAF, DNS filters, or EDR systems. Monitoring traffic to these addresses will reveal access attempts.
Protection Methods for Developers and Administrators
- Verify URLs before clicking: the domain doesn't match web.telegram.org or t.me.
- Enable two-factor authentication (2FA) in Telegram.
- Configure client-side scripts to block known phishing domains.
In a corporate environment:
- Implement URL filtering in proxies (e.g., via Squid or Zscaler).
- Monitor logs for redirects with hash parameters.
- Train users to recognize phishing through UI inconsistencies (fonts, spacing).
For automation: integrate IOCs into SIEM systems (ELK Stack, Splunk) using YARA or Sigma rules.
Key Takeaways
- The attack relies on social engineering: trust in Telegram and the emotional hook of "help the child".
- JavaScript makes the form interactive, lowering suspicion; check Network requests in DevTools.
- Account hijacking triggers a chain reaction: distribution from the victim's name.
- Basic hygiene (domain checks) prevents 90% of cases.
- IOCs are current for immediate blocking; keep blocklists updated.
— Editorial Team
No comments yet.