Kaspersky has warned that fake Telegram Premium offers have been spreading globally, targeting users with phishing scams and malware disguised as alternative app versions. These attacks aim to steal account credentials or compromise devices. The scams capitalize on Telegram Premium’s popularity and gifting feature, making it crucial for users to remain vigilant.

Telegram Premium is a subscription that offers exclusive features, such as faster download speeds, voice-to-text conversion, premium stickers, an ad-free experience, and more. Users can gift a subscription, and scammers capitalize on this gifting feature and the Telegram Premium topic in general.

During the upcoming holiday season, when gifts are expected and celebrations start, it’s crucial to remain cautious to avoid falling into traps like these.

One of the tricks begins when a user receives a message that appears to come from someone in their contact list, whose account may have been hacked. The message claims: “You’ve been sent a gift — a Telegram Premium subscription”. Below, there’s a link that looks legitimate but actually redirects the user to a phishing page, prompting them to log in to Telegram.  If victims scan the code or enter their credentials, their account is immediately compromised, giving scammers access to their login details, password, and potentially their authentication code. 

 

 

There are other tricks referencing the Telegram Premium theme, and not all of them necessarily start with messages on Telegram, such as the one described above. Attackers may also use other methods to send phishing links, for example, email.

For instance, perpetrators host fake “giveaways” for Telegram Premium subscriptions. Victims are lured into participating, and in a series of steps, they are directed to a phishing site where they are prompted to enter their Telegram account credentials, ultimately resulting in their account being compromised. 

 

Example of a phishing giveaway exploiting the Telegram Premium topic

Another machination involves cybercriminals sending victims an invitation to download a ZIP archive that claims to contain a version of the messenger service with a “Premium” subscription. The download link redirects users to a phishing page where they are once again asked to log in to Telegram. 

  

Example of phishing disguised as a Telegram Premium offer

Yet another fraud involves distributing malicious software disguised as an alternative version of the Telegram app with a “built-in” Premium subscription. Scammers send victims links to download APK files claiming they are modified versions of the app, but they turn out to be malware.

 

Example of a page distributing malware disguised as a Telegram app with a Premium subscription

“Phishing schemes capitalizing on the Telegram Premium topic has been observed in several languages, suggesting that the perpetrators operate globally. Even if these scams haven’t yet reached a specific region, there is a probability they could eventually make their way there. Therefore, during the holiday season, it’s especially important to remain cautious and skeptical of offers that seem too good to be true. Additionally, make sure your Telegram security and privacy settings are up to date, and your device has a robust security solution,” advises Olga Svistunova, security expert at Kaspersky.  

Read more on the Kaspersky Daily blog. Scammers continuously evolve their tactics, and new hoaxes can emerge daily. To protect yourself from these threats, consider the following tips:

• Check Kaspersky’s guide for Telegram security and privacy tips. 

• Double-check links – including the actual addresses embedded in hyperlinks. In some cases, Kaspersky has seen seemingly legitimate hyperlinks, like https://t.me/premium, redirect to entirely different phishing pages. This tactic works similarly to this example: a link appears to lead to the main page of Kaspersky Daily’s blog — https://kaspersky.com/blog , — but redirects to a different Kaspersky blog: Securelist. Scammers may use the same principle to disguise their phishing links.

• Verify links from contacts – If a gift link seems suspicious, confirm with the sender via an alternative communication channel.

• Purchase subscriptions through official channels. For instance, Telegram offers a special bot for purchasing Premium subscriptions.

• Enable two-factor authentication (2FA). This can be the last line of defense, even if the account credentials have been compromised. 2FA tokens can be conveniently stored in a Kaspersky Password Manager.

• Explore other methods cybercriminals use to steal Telegram accounts. Understanding these scams before they occur is crucial for improving cyber hygiene and staying aware of potential threats. 

• Avoid downloading unofficial app versions. Kaspersky recommends sticking to official applications, as unofficial ones may be loaded with various types of malware.

Threat Research

The Threat Research team is a leading authority in protecting against cyberthreats. By actively engaging in both threat analysis and technology creation, our TR experts ensure that Kaspersky’s cybersecurity solutions are deeply informed and exceptionally potent, providing critical threat intelligence and robust security to our clients and the broader community.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.