Click on the photo: scammers have invented a new scheme with photos in Telegram
Fraudsters have created a new scheme to cheat with photos in Telegram. Now a victim just needs to click on a picture sent by a stranger and money will be deducted from his or her account. In fact, experts explain, under the guise of a file hides a malicious script, which is dangerous to download to the phone. "Izvestia" found out how the trick works and how to protect yourself from it.
Scheme with a picture
Fraudsters have learned to steal money from Russians with the help of ordinary pictures in Telegram. This is reported by the Telegram channel Baza.
According to the channel, Muscovite Alexander suffered from the actions of hackers in early November. He was sent a message with a picture and a question whether he is depicted there. The man opened the picture out of curiosity.
According to Alexander, after that the chat with an unknown interlocutor disappeared. And 20 minutes later he received a call from the bank with a request to confirm the transfer from the debit card. The Russian did not send money to anyone, so he decided to immediately block the card.
When the man went into his personal account, he saw that at the moment of opening the picture he was stolen 22 thousand rubles. At the same time, assures Alexander, no SMS with a code did not come to him. The Muscovite filed a report with the police.
The old scenario
As Dmitry Ovchinnikov, head of the Laboratory for Strategic Development of Cyber Security Products at the Analytical Center for Cyber Security "Gazinformservice" explains to Izvestia, this method of scamming has been known for quite a long time, and it was usually used when visiting websites.
- Actually, something similar was used in unfair advertising, when a link was sewn into a picture. For the user on the web page it is easy to do: a person thinks that clicks on the picture, but in fact clicks on the link and goes to the site, where the form on the page can be filled out payment and its sending. Something similar can be attempted in messengers, but everything here rests on their functionality," says Ovchinnikov.
If a messenger has a rich potential for post design and is able to "hide" a link or code behind a picture, it is possible. But if not, such a scheme cannot be realized. But first, the expert notes, it is necessary to understand when payment without user confirmation is possible at all.
Risky payment
As Dmitry Ovchinnikov explains, the only option when money can be transferred without notifying the payer is if the bank card does not have the 3D-Secure option enabled. Then the card's payment data can be used for the transaction.
- You can steal this data, for example, from cookies. But this only works if a payment session was open at the time of the theft, or if the payment data was stored somewhere in the open and the virus picked it up from software, for example, from a marketplace application," the expert says.
You can also try to steal card data from autofill forms in the browser, if the user saved them for repeated payments. That is, technically, data theft is possible, but it is difficult to implement, as the fraudster will have to fine-tune the script for obtaining information so that it does not break down during the process.
- It can break down due to many factors: the browser installed, the type of operating system, non-typical settings and many others," says the Izvestia interlocutor.
Therefore, he believes, the scheme is unlikely to become widespread. Too many things have to coincide: the victim's inattention, the use of messenger in the browser or desktop version (phones usually have a ban on installing software from unreliable sources), and the lack of antivirus.
- Then you need to find the payment data, quickly open a form in the background window to send a transfer or payment and initiate it. And then close the window so as not to arouse suspicion among the user. At the same time, Windows Defender should be disabled. It turns out that it is much easier to infect the device with a virus and then steal payment data, as fraudsters usually do," concludes Ovchinnikov.
According to the expert, this is the first time such a scheme has appeared in recent years, which means that it is either completely new, or the victim is not telling us something. Perhaps in the interval between the receipt of the picture and the write-off of funds was something else that the Muscovite did not remember or did not pay attention to the events.
Similar schemes
According to Konstantin Gorbunov, a leading expert on network threats at Security Code, fraudsters in general often use pictures to disguise malware. For example, in early autumn they sent letters to retail and logistics companies under the guise of South Korean organizations with a scanned document in the body. It was impossible to see what was written without opening the document, but the image hid a link to a phishing site.
- When clicking on the picture, the user was redirected to a site that mimicked an Adobe file-sharing site, where they were required to enter credentials from their work email account. If the user followed the instructions, his account went to the attackers, who gained primary access to the organization's IT infrastructure," Gorbunov says.
Another scheme was also recorded. Fraudsters sent out allegedly used car ads and attached a PNG image of the car to the letter. However, it contained an ISO file with a backdoor, which was installed on the PC of the potential victim by clicking on the image.
In Russia, schemes where malicious ARC files are sent under the guise of pictures have been spreading since October. They are usually sent in messengers with the name "photo" and the question, "Hi, is that you?" If you open such a "snapshot," the phone is infected and the owner can lose personal data, account access, and money.
- When you click on it, it starts downloading a certain file, which is malware capable of a variety of things, including intercepting SMS codes," Konstantin Gorbunov concludes.
Methods of protection
According to experts, it is difficult to visually understand that you are trying to be scammed in a messenger. There are no tools in the mobile application that would highlight the moment you click on a picture, and there are no separate warnings in the web version either.
Therefore, Dmitry Galov, head of Kaspersky GReAT in Russia, explains, it is important to pay attention to the file extension. Pictures and photos cannot have .apk or .exe extensions in their names. Most likely, there is a malicious program behind them that should not be downloaded.
- The best option is to simply not trust unfamiliar contacts and do not open obscure pictures or links, do not join conversations, do not belong to obscure chats and groups. All this will reduce the likelihood that you will become a target for fraudulent transactions, - adds Dmitry Ovchinnikov.
You can also check the privacy settings in messenger (hide the number to which the account is linked) and banking application - enable the 3D-Secure option.
- Use an antivirus at your workplace and on your smartphone, a personal firewall to block connections. For online payments, you can get a separate bank card with a minimum balance," recommends the head of the Laboratory of Strategic Development of Cyber Security Products of the Analytical Center for Cyber Security "Gazinformservice".
Tips for victims
If a person has already been debited, Konstantin Gorbunov, a leading expert on network threats at Security Code, advises to immediately contact your bank, report the theft and block the card. Preventively, you can block other existing bank cards as well - until the user is sure that his finances are not threatened.
- It is also necessary to request a statement on the movement of funds from the bank. It is needed to write a statement to the Ministry of Internal Affairs - at the physical branch or on the website. The statement should be accompanied by a maximum of evidence: screenshots of correspondence, details of where the fraudsters transferred the stolen money, statements and so on," the expert says.
At the same time, Gorbunov notes, it will not be easy to achieve the return of funds. You can count on it unconditionally in two cases. The first - if the account, where the fraudsters transferred the money, was in a special database of the Central Bank of Russia, and the user's bank did not block the transaction. The second - the money was written off without the user's knowledge, while he reported the theft of finances to the bank within a day and wrote an application for a refund.
- It is also necessary to check the device on which, presumably, the malware is located. The most reliable option is to roll back the settings. Of course, important data may be lost, but this virtually guarantees that the VPO will disappear from the device. It would not be superfluous to change all passwords in applications, including social networks and messengers," concluded the Izvestia interlocutor.
