Back to Home

Telegram Phishing: Analysis of the Scheme with Polls

The article dissects a phishing scheme in Telegram masquerading as a contest poll. Describes the redirect chain, the role of JavaScript and IOC for blocking. Protection measures for developers are provided.

How Phishing Works in Telegram via Polls
Advertisement 728x90

# Phishing Attack in Telegram via Fake Voting: Technical Breakdown

Phishing campaigns in Telegram often masquerade as online voting for contest participants, such as children's drawings. The user receives a message urging them to support a participant along with a link to a website. Example: transition to a contest-styled page prompting to click the "Proceed to Voting" button.

This page mimics a legitimate process: selecting a participant from a list, followed by a redirect to an intermediate URL. The final stage is a phishing Telegram authorization form requiring entry of a phone number or scanning a QR code.

The form visually replicates Telegram's interface, including input fields and buttons. After data entry, credentials are intercepted, enabling attackers to hijack the account and use it for further distribution.

Google AdInline article slot

Technical Phishing Chain

The attack is built on a sequence of redirects and scripts:

  • Initiation: The link leads to the main contest page (e.g., /rus-deti/5).
  • Engagement: Selecting a participant triggers an intermediate redirect (e.g., /rus-deti/c0zoJML).
  • Phishing Form: A fake authorization page opens (parameterized URL with tokens, e.g., /rus-deti/H3uwg4h?swfix=3).

A JavaScript script (long hash in the URL, e.g., /f68c4324c5414ef0876c4ad5c5ca6345202ae0dcf9dee56332daaa6e9e3e5a1e/H3uwg4h/3b9vlz7pze51.js) dynamically handles input:

  • Processes keyboard and click events.
  • Masks the form as a live interface.
  • Sends data to backend endpoints.

Victim data is transmitted to subdomains:

Google AdInline article slot
  • venus.risunki-sveta.space/apiw1
  • kws2.risunki-sveta.space/apiws

This enables collection of phone numbers, confirmation codes, and session tokens.

Indicators of Compromise (IOC)

For detection and blocking, use the following indicators:

  • Server IP Addresses:

- 94.26.35.117

Google AdInline article slot

- 94.26.35.116

- 85.206.164.29

  • Suspicious Domains:

- risunki-sveta.space

- machine.sparkart-sun.shop

These IOCs allow configuring rules in WAF, DNS filters, or EDR systems. Monitoring traffic to these addresses will reveal access attempts.

Protection Methods for Developers and Administrators

  • Verify URLs before clicking: the domain doesn't match web.telegram.org or t.me.
  • Enable two-factor authentication (2FA) in Telegram.
  • Configure client-side scripts to block known phishing domains.

In a corporate environment:

  • Implement URL filtering in proxies (e.g., via Squid or Zscaler).
  • Monitor logs for redirects with hash parameters.
  • Train users to recognize phishing through UI inconsistencies (fonts, spacing).

For automation: integrate IOCs into SIEM systems (ELK Stack, Splunk) using YARA or Sigma rules.

Key Takeaways

  • The attack relies on social engineering: trust in Telegram and the emotional hook of "help the child".
  • JavaScript makes the form interactive, lowering suspicion; check Network requests in DevTools.
  • Account hijacking triggers a chain reaction: distribution from the victim's name.
  • Basic hygiene (domain checks) prevents 90% of cases.
  • IOCs are current for immediate blocking; keep blocklists updated.

— Editorial Team

Advertisement 728x90

Read Next