Telegram Bots: The New Threat to Your Two-Factor Authentication

by Olivia Morelli

Telegram Account Hijacking Campaign: One Click Needed for Quick Password Stealing

Two-factor authentication (2FA) has emerged as a significant enhancement to traditional password-based security. This method frequently involves the use of one-time passwords (OTPs) to verify a user's identity. However, recent research highlights an alarming trend: Telegram bots designed to steal these very OTPs.

Researchers at Intel 471 recently shed light on a surge in the usage of these malicious bots. They've witnessed a growing preference among cybercriminals for 2FA circumvention tools in the digital black market, with Telegram bots fast becoming their weapon of choice. Typically, 2FA measures involve sending OTPs via text or email. These tokens, crucial in multi-layered security protocols, are now at risk.

Cybercriminals have always been innovative. While 2FA is more secure than mere password protection, malicious actors quickly devised ways to intercept OTPs, using tools like malware or employing social engineering tactics[1].

Telegram, a widely-used messaging service, has now become a hub for these illicit activities. Intel 471's findings suggest that Telegram is either being repurposed for crafting and controlling these bots or serving as a platform for cybercriminals to offer 'customer support' for such endeavors. Alarmingly, users of these services often share their illicit gains on these channels, boasting about pilfering vast sums from compromised accounts.

The objective of these bots? To facilitate phishing. They are programmed to auto-call potential victims, imitating credible entities like banks, or send deceptive messages, all to dupe victims into revealing their OTPs. Some are even specialized for sophisticated SIM-swapping or social media phishing attacks.

Telegram Becoming a More Common Target for Threat Actors

While the creation of a bot necessitates some elementary programming skills, it's relatively straightforward compared to crafting intricate malware. And to exacerbate the issue, much like traditional botnets, these Telegram-based bots are available for rent. Once a cybercriminal has a victim's phone number, a series of automated attacks can be launched with mere clicks. Two bots, in particular, SMSRanger and BloodOTPbot, have caught researchers' attention.

While SMSRanger mimics the Slack platform and can target platforms like PayPal and Google Play, BloodOTPbot focuses on SMS and can even auto-generate calls pretending to be bank representatives. This highlights a glaring issue: even advanced security measures like 2FA aren't immune to breaches, especially when SMS or call-based OTPs are involved.

Earlier this year, Check Point Research unveiled a Remote Access Trojan (RAT) named ToxicEye. This trojan leverages Telegram for its command-and-control functions, showcasing the platform's potential misuse.

The evolution of cyber threats underscores the need for vigilance and adaptability. While tools like 2FA were devised to bolster security, their vulnerabilities are being mercilessly exploited. Staying informed and employing multi-layered security measures is more critical than ever. As technology evolves, so does cybercrime, reminding us always to remain a step ahead.

Facebook’s One-Click Login Tool: A Concerning Security Practice

In the rapidly evolving digital world, passwords have become a regular stumbling block for many. This leads to the ubiquitous “forgot password?” prompt seen on countless platforms, usually backed by features such as two-factor authentication. Yet, Facebook has taken an unconventional route, a method some say is fraught with potential pitfalls.

Most platforms maintain a hands-off approach, waiting for users to initiate the password recovery process. Facebook, however, has distinguished itself by sending proactive emails to users, suggesting an easier way to regain access. Known as the “One Click” feature, this tool, while not new, remains relatively obscure, often prompting confusion about its legitimacy[2].

Recent concerns about Facebook’s security, particularly in light of a breach where a flaw gave hackers access to millions of accounts, bring renewed scrutiny to such practices. This breach, experts say, could usher in a new wave of phishing attempts. While “One Click” isn't a phishing scam per se, its foundation seems shaky in terms of security—possibly a tactic to bolster Facebook's user engagement metrics.

The Details of One Click Method

Users who have been inactive might receive an email from the seemingly dubious “[email protected]” domain. The email claims that Facebook noticed an unsuccessful login attempt and offers a “Log In With One Click” button. Clicking this button bypasses traditional login steps, immediately granting access to the user's Facebook account. This act itself can be seen as a departure from standard security protocols.

Mark Burnett, a renowned security consultant, criticizes the approach. Facebook's method doesn't guarantee that the email reaches the intended recipient or that their email account remains uncompromised. Moreover, he points out that the validity period for such login links should be minimal. In contrast, Facebook's vague communication leaves users guessing.

Most platforms opt for user-driven password reset processes, requiring an associated email address and quick-expiring reset links. Facebook does offer this conventional method, but “One Click” emerges as a more precarious alternative. Burnett emphasizes the importance of multi-step password resets, involving some level of verification—a far cry from a mere button click.
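To make Burnett's two points concrete (reset links should expire quickly, and a reset should involve a verification step rather than a single click), here is an added example of how a password-reset flow can be built along those lines. It is illustrative code written for this article, not Facebook's or any vendor's implementation, and the 15-minute lifetime and 6-digit code are assumed policy values chosen for the example. The link token is stored only as a hash, is consumed on first use whether or not the attempt succeeds, and redeeming it authorises setting a new password only after a code delivered on a separate channel is presented; it never grants a session by itself.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed policy values for this example, not Facebook's or any vendor's.
TOKEN_TTL_SECONDS = 15 * 60   # reset link is valid for 15 minutes
CODE_DIGITS = 6               # verification code delivered on a second channel


class PasswordResetService:
    """Issues and redeems single-use, short-lived password-reset tokens.

    Design points the example demonstrates:
      * only a SHA-256 digest of the link token is stored, so a copied
        database cannot be used to redeem pending resets;
      * a token is consumed on first use, whether or not the attempt succeeds;
      * redeeming never creates a logged-in session on its own: the caller
        must also present a verification code that was delivered separately,
        and the result only authorises setting a new password.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # token digest -> (user_id, expires_at, verification_code)
        self._pending: Dict[str, Tuple[str, float, str]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> Tuple[str, str]:
        """Create a reset for user_id.

        Returns (link_token, verification_code). In a real deployment the
        link token goes into the emailed URL and the code goes to a second
        channel (authenticator app, SMS, etc.); they must not travel together.
        """
        link_token = secrets.token_urlsafe(32)
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        expires_at = self._clock() + TOKEN_TTL_SECONDS
        self._pending[self._digest(link_token)] = (user_id, expires_at, code)
        return link_token, code

    def redeem(self, link_token: str, presented_code: str) -> Optional[str]:
        """Return the user_id authorised to set a new password, or None.

        The pending entry is removed before any check runs, so a failed or
        late attempt burns the link rather than leaving it open for retries.
        """
        entry = self._pending.pop(self._digest(link_token), None)
        if entry is None:
            return None                      # unknown, already used, or replayed
        user_id, expires_at, code = entry
        if self._clock() > expires_at:
            return None                      # link outlived its validity window
        if not hmac.compare_digest(presented_code, code):
            return None                      # second step failed; token already burned
        return user_id


def demo() -> bool:
    """Walk through the flow with a fake clock; returns True if every check holds."""
    now = [1_700_000_000.0]                  # constructed timestamp for the fake clock
    svc = PasswordResetService(clock=lambda: now[0])

    token, code = svc.issue("alice")
    ok_first = svc.redeem(token, code) == "alice"
    ok_replay = svc.redeem(token, code) is None            # single-use

    token2, code2 = svc.issue("alice")
    wrong_code = "x" * CODE_DIGITS                         # can never match a digit string
    ok_wrong_code = svc.redeem(token2, wrong_code) is None  # wrong second factor
    ok_burned = svc.redeem(token2, code2) is None           # and the link is now gone

    token3, code3 = svc.issue("bob")
    now[0] += TOKEN_TTL_SECONDS + 1
    ok_expired = svc.redeem(token3, code3) is None          # expired

    return all([ok_first, ok_replay, ok_wrong_code, ok_burned, ok_expired])


if __name__ == "__main__":
    print("all checks passed" if demo() else "a check failed")
```

The contrast with a "log in with one click" button is the last step: here a successful redeem only hands back a user id that the application may use to accept a new password, and only after a code the email alone does not carry has been checked. Whoever controls the mailbox gets a short-lived, single-use link and nothing more.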

Burnett further highlights that the “One Click” emails share alarming similarities with phishing scams. “Such emails contradict the security standards we've tried to establish for years,” he states.

Why would Facebook, a tech giant, adopt such a contentious practice?

It's speculated that in the wake of declining user numbers and the #DeleteFacebook movement, the company may be prioritizing user retention, even if it involves dubious methods. Anecdotes further cement these suspicions. For instance, a user named Rishi Gorantala recounted receiving a “One Click” email without initiating any login attempts. This led him to believe that the content was manipulative, attempting to draw him back under the guise of a security concern.

Similarly, writer Danny Heifetz expressed bewilderment at Facebook’s methods. After forgetting his password and choosing to take a break from the platform, he received a series of emails culminating in the “One Click” offer. It seemed to him as if Facebook was dismissing the very concept of password protection.

Emmanuel Schalit, CEO of Dashlane—a password management system—notes that Facebook's method, which centralizes users' credentials, is inherently risky. A single breach compromises countless accounts. In contrast, Dashlane's decentralized approach ensures more robust security, even if it's less convenient.

Schalit underscores that the choice of security tools reflects a company's priorities. While Dashlane's model may result in lost users due to forgotten passwords, it prioritizes user trust over re-engagement.

Facebook's “One Click” tool raises numerous red flags, especially given the platform's recent security breaches. Schalit succinctly captures the sentiment: “Their intentions might not be malicious, but their methodology, especially in the current climate, is certainly questionable.”

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor and all things cybersecurity writer at The topics she covers include computer protection, the latest malware trends, software vulnerabilities, data breaches, and more.
