[Phishing Scam Alert] Telegram Fraud and Account Hijacking Prevented

New ad formats and emerging traffic sources open up opportunities for growth, but they also create loopholes that fraudsters are quick to exploit. Telegram has become one of the fastest-growing traffic sources for advertisers over the past two years, making it a prime target for scammers.

In this article, we break down a recent phishing attempt aimed at hijacking Telegram accounts – and show how Adex specialists detected and stopped it.


Mobile subscription offers under attack

Many mobile subscription offers rely on a simple mechanic: the user enters their phone number, receives a confirmation code, and then submits that code to complete the subscription. While most advertisers prefer sending these codes via SMS for reliability, some try more budget-friendly channels like WhatsApp, Telegram, or other messengers to deliver the confirmation code.

Since mobile subscriptions are vulnerable to fraud, Adex specialists routinely check these campaigns to make sure nothing suspicious slips through.

During a standard check, Adex specialists noticed something unusual about an ad campaign and suspected it was fraudulent. At first glance, though, the ad looked like a regular mobile subscription offer.

However, when our experts decided to double-check, they discovered that the ad campaign was actually a phishing scheme targeting Telegram accounts.


Fraud mechanics

This fraud exploited users’ lack of attention and advertisers’ desire to save money by avoiding standard SMS services.

Here’s how it worked: On a landing page disguised as a standard mobile subscription form, the user would enter their phone number. Next, they’d receive a message in their Telegram messenger containing an authorization code. An unsuspecting user would then enter that code back on the landing page to “confirm” their phone number, and immediately lose access to their Telegram account.

Verifying the scheme was complicated because it required a valid phone number from a limited list of countries.

Once we obtained the needed number, we confirmed that after a user entered their phone number, they received an actual Telegram login code. Submitting that code on the scammer’s page granted the attackers access to the victim’s account. 


Expanded investigation: More campaigns uncovered

With a better understanding of the fraudulent scheme, we scaled up our checks and reviewed similar campaigns. This led us to spot several more advertisers promoting the same phishing sites.

These landing pages came in many variations, but all of them had one thing in common: they asked the user to “confirm” something by entering their phone number. Below are some of the domains hosting these landing pages:

As we discussed earlier, detecting these offers is tricky because they mimic standard PIN submit flows, where a user also enters their phone number to pay for a service via mobile billing. Here’s an example of a regular PIN submit offer for comparison:

Naturally, all the advertisers running this offer were immediately banned.

One of the banned advertisers contacted us for more information. He said these offers often appear in CPA networks as mVAS deals and claimed to have received the offer directly from the owner, while also insisting he was unaware that the offer was fraudulent.

A few weeks later, we discovered that the fraudsters had adapted their tactics, masking their phishing pages with innocent-looking pre-landers.

Adex persisted in its investigation and uncovered a network of accounts linked to a well-known media buying team that was promoting the same phishing schemes. However, the final phishing landing page was now only revealed after a few clicks, effectively bypassing moderation.

Landing page BEFORE moderation:

Landing page AFTER moderation:

Adex specialists took immediate action to identify and stop advertisers involved in this scheme from launching ad campaigns and deceiving more users.

Although we don’t expect fraudsters to stop, we now know how to effectively identify Telegram phishing campaigns and trace those involved in illegal activities.
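
The pre-lander variant described above hides the phone-number form a few clicks past the page that moderation sees, so a check has to follow the click chain. The sketch below is an added example, not Adex's tooling: the sample pages, the field-name heuristics and the `PageScan` and `scan_chain` names are constructed assumptions.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample campaign (not real sites): the phone/code form only
# appears two clicks past the page submitted for moderation.
PAGES = {
    "https://ad.example/": '<h1>Private chat</h1><a href="/age">Enter</a>',
    "https://ad.example/age": '<a href="/verify">I am 18+</a>',
    "https://ad.example/verify": '<form><input type="tel" name="phone">'
                                 '<input name="code" maxlength="5"></form>',
}

class PageScan(HTMLParser):
    """Collects outgoing links and notes phone-number / code entry fields."""
    def __init__(self):
        super().__init__()
        self.links, self.signals = [], set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input":
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "tel" or "phone" in name:
                self.signals.add("phone-input")
            if any(k in name for k in ("code", "pin", "otp")):
                self.signals.add("code-input")

def scan_chain(start, fetch, max_clicks=3):
    """Breadth-first walk of the click chain: [(url, clicks, signals)]."""
    seen, queue, findings = {start}, deque([(start, 0)]), []
    while queue:
        url, clicks = queue.popleft()
        html = fetch(url)
        if html is None:  # page not reachable by the checker
            continue
        page = PageScan()
        page.feed(html)
        if page.signals:
            findings.append((url, clicks, sorted(page.signals)))
        if clicks < max_clicks:
            for href in page.links:
                nxt = urljoin(url, href)
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, clicks + 1))
    return findings
```

A hit is not a verdict: regular PIN submit offers collect the same fields, so a form that only appears after one or more clicks marks the campaign for manual verification.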


Stay vigilant

At Adex, we continuously monitor all traffic sources and stay one step ahead of evolving fraud tactics. If you notice any suspicious campaigns, contact your traffic source or report them directly to Adex. By working together, we can keep the ad ecosystem clean and safe for everyone.
