What happened
Researchers at Cyfirma have uncovered a phishing campaign targeting Telegram users that abuses authentication workflows to capture login credentials and session tokens. According to the report, the attack begins with unsolicited messages sent through Telegram containing a link that purports to lead to a voice message or other legitimate content. When clicked, recipients are redirected to a fraudulent webpage designed to mimic Telegram’s login interface. The fake interface requests the user’s phone number and verification code, which the attacker then uses to authenticate to the real Telegram service and take control of the account. This workflow abuse allows the attackers to intercept valid session tokens and, in some cases, maintain persistent access without immediately alerting the victim. Cyfirma noted that the phishing pages were crafted to closely resemble the legitimate Telegram authentication experience, increasing the likelihood of user interaction with the malicious content.
Who is affected
Telegram users who receive and interact with the phishing messages are affected, as entering authentication credentials and verification codes on the fraudulent pages can result in unauthorized account access and session takeover.
Why CISOs should care
Phishing campaigns that exploit authentication workflows on trusted platforms like Telegram underscore the ongoing risk to identity and communication security, especially when attackers can harvest session tokens and bypass typical alerting mechanisms.
3 practical actions
- Audit for authentication anomalies. Monitor for unusual login patterns, such as verification codes used from unfamiliar IPs.
- Strengthen user awareness training. Educate stakeholders to distrust unsolicited links claiming to lead to authentic messaging content.
- Track phishing infrastructure. Block known domains and URLs associated with the Telegram phishing pages identified by Cyfirma.
