Infoblox Threat Intel<p>Telegram users BOLO for suspicious links posing as terms of service violation notices!<br>
<br>
We've observed over 4,000 domains in the past week attempting to trick users into granting web access to their accounts.<br>
<br>
How it works:<br>
- Presents itself in either Chinese, English, Japanese, Korean, Spanish, Vietnamese, German, Dutch or Thai depending on your browser language<br>
- Prompts you to enter your phone number and triggers sending a legit login code to your phone using a modified version of the Telegram WebK<br>
- Entering the login code allows the threat actor to authenticate to your account under the guise of a 'Telegram Security Check'<br>
- These domains are propagated within Telegram itself, with victims unwittingly sending links to their contacts.<br>
<br>
Domain indicators:<br>
- Uses niche-oriented and commonly abused TLDs like '.auction', '.beer' and '.boutique' instead of traditional TLDs*<br>
- Domains are registered through Dynadot or West[.]cn and protected by Cloudflare<br>
- Mix of random RDGA-like domains, along with homoglyph and jumbled versions of 'Telegram'<br>
<br>
Examples:<br>
- `telegrom[.]tax`<br>
- `telegreet[.]bar`<br>
- `qwvlftokhc[.]club`<br>
<br>
The motive remains unclear but likely involves collecting sensitive data for later exploitation.<br>
<br>
* Big thanks to XYZ.COM LLC for their prompt response to our takedown request, some 4k domains using TLDs under their control have been suspended.<br>
<br>
<br>
<br>
<a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a>
<a href="https://infosec.exchange/tags/telegram" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>telegram</span></a>
<a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a>
<a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a>
<a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a>
<a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a>
<a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a>
<a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a>
<a href="https://infosec.exchange/tags/infobloxthreatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infobloxthreatintel</span></a></p>
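The domain indicators above (homoglyph and jumbled spellings of 'Telegram', random RDGA-like labels, niche TLDs) can be turned into a simple triage rule for DNS or proxy logs. The following Python is an added example written for this page, not Infoblox's tooling or detection logic; the scoring weights, the threshold, the vowel-ratio heuristic and the TLD set (the three TLDs named in the post plus the three seen in its example domains) are assumptions of the example, and the benign domains in the sample feed are constructed.

```python
"""Triage domain names against the traits the post describes for the Telegram
'terms of service violation' lure: homoglyph/jumbled versions of 'telegram',
random RDGA-like labels, and niche TLDs. Heuristic, defender-side scoring only."""

BRAND = "telegram"

# TLDs named in the post (.auction, .beer, .boutique) plus those seen in its
# example domains (.tax, .bar, .club). Extend from your own telemetry.
NICHE_TLDS = {"auction", "beer", "boutique", "tax", "bar", "club"}

# Weights and threshold are assumptions of this example, not a published scheme.
WEIGHTS = {"telegram-lookalike": 2, "rdga-like": 2, "niche-tld": 1}
THRESHOLD = 2


def refang(domain: str) -> str:
    """Normalise a possibly defanged indicator such as 'telegrom[.]tax'."""
    return domain.strip().lower().replace("[.]", ".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches single-character homoglyph swaps (telegrom)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of characters."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def is_brand_lookalike(label: str) -> bool:
    """True for near-misses of the brand label, never for the exact brand itself."""
    if label == BRAND:
        return False
    if levenshtein(label, BRAND) <= 2:          # telegrom and similar swaps
        return True
    if common_prefix_len(label, BRAND) >= 6:    # telegreet: 'telegr' + anything
        return True
    return sorted(label) == sorted(BRAND)       # jumbled letters, e.g. tegleram


def looks_random(label: str) -> bool:
    """Crude RDGA signal: a long label with very few vowels (qwvlftokhc)."""
    if len(label) < 8:
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.25


def assess(domain: str) -> dict:
    """Score one domain; the second-level label carries the lookalike checks."""
    host = refang(domain)
    parts = host.split(".")
    label, tld = (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")
    reasons = []
    if is_brand_lookalike(label):
        reasons.append("telegram-lookalike")
    if looks_random(label):
        reasons.append("rdga-like")
    if tld in NICHE_TLDS:
        reasons.append("niche-tld")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"domain": host, "label": label, "tld": tld,
            "reasons": reasons, "score": score, "suspicious": score >= THRESHOLD}


def triage(domains):
    """Return the assessments that cross the threshold, highest score first."""
    hits = [a for a in (assess(d) for d in domains) if a["suspicious"]]
    return sorted(hits, key=lambda a: -a["score"])


# Constructed sample feed: the three indicators quoted in the post plus
# benign names made up for this example.
SAMPLE_DOMAINS = [
    "telegrom[.]tax",
    "telegreet[.]bar",
    "qwvlftokhc[.]club",
    "example.com",
    "news.example.org",
    "shop.boutique",      # a niche TLD alone is not enough to flag
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS):
        print(f"{hit['domain']:<20} score={hit['score']} {', '.join(hit['reasons'])}")
```

The niche-TLD signal is deliberately weighted below the threshold on its own, so a legitimate `.boutique` site is not flagged unless its label also looks like the brand or like machine-generated noise; the prefix rule will also catch words such as "telegraph", so tune the prefix length or add an allow-list before using this on production logs.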