The Telegram Borrowers
WARNING: What I did involves chatting with a criminal organisation. Do not try this at home. I helped fix a security flaw in the Linux kernel and I know some of the best security engineers in the world. If you're not at that level, do not attempt.
Warning: this little investigation involved chatting with members of a criminal organisation. I advise everyone not to do this themselves. I have previously helped the Linux kernel developers find and fix a security vulnerability, and I know some of the world's top security engineers. If you are not at that level, do not attempt what I did.
In August 2023 two of my Chinese friends whom I'd introduced to Telegram Messenger had their accounts temporarily compromised by an organised social-engineering attack. I don't know if this crime gang has a name, so with a nod to Mary Norton I'm calling them The Telegram Borrowers.
The gang's "phishing" entry point is a third-party Telegram "bot" which pretends to be an official function of Telegram. If someone doesn't know what Telegram "bots" are, it does indeed look official, and Telegram would do well to make it more obvious to non-technical users that they are interacting with a third party.
The scamming bot pretends to be an equivalent of Chinese WeChat's "vouch for a friend" function. A message from your friend's account tells you they are in some kind of trouble (which is true: their account has been compromised), and that you can vouch for them using the "official bot" (which is false). Crucially, the message will seem genuine, because it has been written by a human professional scammer who has full access to your friend's Telegram chat history and can see how they normally write to you. If you open their link, the bot will take you through the steps required to give them access to your own Telegram account as well, under the pretense of vouching for your friend.
Part of the gang's operational security appears to call for the chat that contains the bot link to be remotely deleted if the mark does not comply, or immediately after they do comply. This makes it harder to report the bot to Telegram. The gang will of course be able to set up a new bot, but that does inconvenience them, so they try to avoid letting you keep the bot address long enough to report it.
But that didn't stop me from opening a new chat to my would-be scammer and chit-chatting about how their business is going. I showed off my credentials a bit so they knew why I wouldn't be scammed, but I can still be a 'nice guy' and who doesn't sometimes need to take time out for a chat?
This operative claimed they had compromised 73,000 accounts and were currently doing 50 a day (which would mean they've been going for 4 years). The intention was not to make long-term use of the compromised accounts themselves, but to scan their chat history for financial information, which they said had so far enabled them to raid bank accounts to the tune of 1.97 million dollars and they were aiming for 3 million.
They were using a VPN with an exit node in AsiaNet HK's infrastructure, and the "Nicegram" fork of the Telegram client, version 1.3.2 (the June release), on a slightly nicer iPhone than my friend's. They were using the Nicegram fork because it lets you log into an unlimited number of Telegram accounts at the same time.
One of my friends kept trying to get back into his account, so they put 2-factor authentication on it with their own Gmail account as the recovery backup. He later got his account deleted, but only after the Borrowers had already finished with it anyway: both accounts were logged out 5 days after they'd been entered.
All material © Silas S. Brown unless otherwise stated.
iPhone is a trademark of Apple in some countries.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Telegram is a trademark of Telegram Messenger LLP.
WeChat is a trademark of Tencent Holdings Limited.
Any other trademarks I mentioned without realising are trademarks of their respective holders.