The Telegram Borrowers

WARNING: What I did involves chatting with a criminal organisation. Do not try this at home. I helped fix a security flaw in the Linux kernel and I know some of the best security engineers in the world. If you're not at that level, do not attempt.
Warning: this small investigation involved chatting with members of a criminal organisation. I advise everyone not to do this themselves. I previously helped Linux kernel developers find and fix a security vulnerability, and I know some of the world's top security engineers. If you are not at that level, do not attempt what I did.

In August 2023 two of my Chinese friends whom I'd introduced to Telegram Messenger had their accounts temporarily compromised by an organised social-engineering attack. I don't know if this crime gang has a name, so with a nod to Mary Norton I'm calling them The Telegram Borrowers.

The gang's "phishing" entry point is a third-party Telegram "bot" which pretends to be an official function of Telegram. If someone doesn't know what Telegram "bots" are, it does indeed look official, and Telegram would do well to make it more obvious to non-technical users that they are interacting with a third party.

The scamming bot pretends to be an equivalent of Chinese WeChat's "vouch for a friend" function. A message from your friend's account tells you they are in some kind of trouble (which is true: their account has been compromised), and that you can vouch for them using the "official bot" (which is false). Crucially, the message will seem genuine, because it has been written by a human professional scammer who has full access to your friend's Telegram chat history and can see how they normally write to you. If you open their link, the bot will take you through the steps required to give them access to your own Telegram account as well, under the pretense of vouching for your friend.
The scam bot account pretends to be the Telegram equivalent of WeChat's "vouch for a friend" function. A message from your friend's account claims that the friend has some kind of problem (and they really do have one: their account has been compromised) and that you can rescue them using the "official function" (false). The crucial problem is that the message looks genuine, because it was not written by an "AI" but by a real professional scammer, who can see all of your friend's Telegram chat history and so can phrase it the way that friend normally talks to you. If you do open the link the scammer sent, their bot account will, under the pretense of helping your friend, walk you step by step through letting the gang into your own Telegram account as well.

Part of the gang's operational security appears to call for the chat that contains the bot link to be remotely deleted if the mark does not comply, or immediately after they do comply. This makes it harder to report the bot to Telegram. The gang will of course be able to set up a new bot, but that does inconvenience them, so they try to avoid letting you keep the bot address long enough to report it.
The gang's operational security appears to include this rule: if the victim does not open the link immediately, or once they have opened it, delete the chat on both sides so that the victim cannot report the link. The criminal organisation can of course create a new link, but this seems to be somewhat inconvenient for them, so they try to avoid having to do it often.

But that didn't stop me from opening a new chat to my would-be scammer and chit-chatting about how their business is going. I showed off my credentials a bit so they knew why I wouldn't be scammed, but I can still be a 'nice guy' and who doesn't sometimes need to take time out for a chat?

This operative claimed they had compromised 73,000 accounts and were currently doing 50 a day (which would mean they've been going for 4 years). The intention was not to make long-term use of the compromised accounts themselves, but to scan their chat history for financial information, which they said had so far enabled them to raid bank accounts to the tune of 1.97 million dollars and they were aiming for 3 million.
They were using a VPN with an exit node in AsiaNet HK's infrastructure, and the "Nicegram" fork of the Telegram client, version 1.3.2 (the June release), on a slightly nicer iPhone than my friend's. They were using the Nicegram fork because it lets you log into an unlimited number of Telegram accounts at the same time.
One of my friends kept trying to get back into his account, so they put 2-factor authentication on it with their own Gmail account as the recovery backup. He later got his account deleted, but only after the Borrowers had already finished with it anyway: both accounts were logged out 5 days after they'd been entered.
One friend kept trying to log back into his account, so they added a two-factor authentication password and used their own Gmail as the recovery email address. He later deleted his Telegram account, but by then The Borrowers were already finished with it: both of my friends' accounts were logged out after 5 days.