Modern messaging apps, many of which offer end-to-end encryption, are used every day by millions of people. These apps come with the expectation of privacy. However, we recently observed an interesting operational security issue involving one such popular messaging app, Telegram. We're posting our observations to alert users of this app to potential privacy concerns.
Changing Scammer Tactics
Relentless calls from telemarketing scammers are a bane of existence in modern life. Whether it's the "can you hear me now" scam, fake charity scams, or fake tech support scams, the pace of attacks on consumers is relentless. The problem is particularly bad for cell phone users and businesses.
Despite the Do Not Call registry and other associated telemarketing rules, advances in VoIP mean scammers can launch their attacks from anywhere. Scammers often spoof phone numbers. Despite these tricks, scammers have a problem -- the rise of phone number reputation sites and mobile applications designed to warn of bad phone numbers. Thanks to these websites and consumer education, the adversary is seeing their "success rate" drop.
While Do Not Call rules help reduce unwanted and scam phone calls, these regulations do not apply to encrypted messaging and calling applications. That's why messaging apps are an enticing option for scammers. It's a new way to potentially reach millions of new victims.
Taking a Look at Telegram
Telegram is a popular mobile messaging application with encryption options for Android and iOS. It uses your contact list to prepopulate contacts inside the application. In addition, when someone in your contact list signs up for Telegram, you receive a notification so you know you can contact them using the app. Convenient, huh?
However, the combination of these features made it possible for us to uncover a situation that raises a big privacy flag. Here's the deal: If a scammer signs up for Telegram and already has your phone number in their contact list, the app will notify them that you also have Telegram. So in addition to connecting you to your friends and contacts, the app will also connect scammers directly to you. Likewise, if you have scammers' numbers in your contact list for some reason, you will get push notifications when they join Telegram (like in the image above).
And this didn't happen just once or twice. On multiple occasions, we observed phone numbers associated with telemarketing scammers registering for Telegram. To complicate matters, we found no obvious way to prevent people from finding out if you are a Telegram user.
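To make the mechanism concrete, here is a small simulation of contact-list based discovery. It is an added example written for this post, not Telegram's code or API: a toy server receives each new user's address book, tells the new user which contacts are already registered, and pushes a "joined" notification to every existing user who has the new number saved. It also shows the server-side view raised later in the tips: the provider ends up holding a social graph that includes numbers that never registered. All phone numbers, names, and the blocklist are constructed sample data.

```python
"""Toy model of contact-list based discovery (added example, not Telegram's code).

The server never asks the new user who should be told they joined; anyone who
had the number saved, friend or scammer, is notified, and the new user learns
which of their own contacts are already on the service.
"""
from collections import defaultdict

# Constructed sample numbers; none of these are real.
SCAMMER = "+15550100001"   # appears on a caller-reputation blocklist
ALICE = "+15550100002"     # ordinary user who once saved the scammer's number
BOB = "+15550100003"       # never signs up for the service


class ContactDiscoveryServer:
    def __init__(self):
        self.registered = set()                 # numbers that have joined
        self.address_books = {}                 # owner -> set of saved contacts
        self.watchers = defaultdict(set)        # number -> owners who saved it
        self.notifications = defaultdict(list)  # owner -> numbers that joined

    def register(self, number, contacts):
        """A new user signs up and their client uploads the address book.

        Returns the subset of their contacts that are already registered,
        which is what the client uses to prepopulate the contact list."""
        self.registered.add(number)
        self.address_books[number] = set(contacts)
        for contact in contacts:
            self.watchers[contact].add(number)
        # Everyone who already saved this number gets a "joined" push.
        for owner in self.watchers[number]:
            if owner != number and owner in self.registered:
                self.notifications[owner].append(number)
        return sorted(c for c in contacts if c in self.registered)

    def social_graph(self):
        """Provider's view: every (owner, contact) edge, users or not."""
        return {(o, c) for o, cs in self.address_books.items() for c in cs}

    def known_non_users(self):
        """Numbers the provider has seen in address books but that never joined."""
        saved = {c for cs in self.address_books.values() for c in cs}
        return saved - self.registered


def flag_suspicious_joins(server, owner, blocklist):
    """Defender-side check: 'joined' notifications that match a reputation blocklist."""
    return [n for n in server.notifications[owner] if n in blocklist]


def run_scenario():
    """Alice joins first, then a scammer who harvested her number joins."""
    server = ContactDiscoveryServer()
    # Alice saved the scammer's number after a scam call, plus her friend Bob.
    alice_sees = server.register(ALICE, [BOB, SCAMMER])
    # The scammer registers with a list of harvested numbers.
    scammer_sees = server.register(SCAMMER, [ALICE, BOB])
    return server, alice_sees, scammer_sees


if __name__ == "__main__":
    srv, alice_sees, scammer_sees = run_scenario()
    print("Alice's registered contacts at signup:", alice_sees)
    print("Scammer learns these contacts use the service:", scammer_sees)
    print("Alice is pushed 'joined' notices for:", srv.notifications[ALICE])
    print("Flagged by blocklist:", flag_suspicious_joins(srv, ALICE, {SCAMMER}))
    print("Non-users the provider still knows about:", srv.known_non_users())
    print("Edges in the provider's graph:", sorted(srv.social_graph()))
```

Two things fall out of running it: the scammer is handed confirmation that Alice's number is on the service without Alice doing anything, and Bob, who never installed the app, is still an edge in the provider's graph because two other people uploaded him. The blocklist check is the only lever the user side has in this model, which is why the tips below lean on out-of-band verification rather than on the app.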
Further, it would not be difficult to create a way to determine if a phone number uses Telegram (or any of the many other, readily available secure mobile messaging/voice applications). There are several uses for this insight by third parties:
- Intelligence agencies consider the use of such services as a "risk factor" when deciding on surveillance targets,
- Border control officials could detect the use of such services during border crossing interviews, and conclude that the user has something to hide, and
- Criminals could use the knowledge that a user is on such a service to target them.
Zeroing in on Scammers
In this case, I already had the number of a suspected scammer added to a mobile application I use to detect such calls. After a quick visit to one of the various caller reputation sites, I verified that this number has a history of calls involving IRS-related scams.
Trust, but Verify
Encrypted messaging and voice applications create a new attack surface and should not be entirely trusted. While these apps may be a great benefit to privacy, they shouldn't be trusted any more than unencrypted calls. These systems do protect against spoofing, but if you have unknown callers on such applications, due caution is still required.
Scammers are eager to use other lures to reel in their targets. Just as privacy-conscious individuals may use burner phones and change phone numbers often, modern communications provide an array of methods to make it possible to send a message to a potential victim. For example, it doesn't take much work to pretend to be a trusted contact and tell the victim that "this is a new phone" to exploit an existing relationship.
Avoid Being a Victim: Tips for Messaging App Users
- Remember that while secure messaging services are great for privacy, default settings (which can't always be changed) will often expose you as a user of such services.
- Telemarketing scammers can use new messaging apps to evade regulations and use “trusted” channels to contact potential victims. Use out-of-band verification methods, such as a phone call, before interacting with new contacts to avoid impersonation attacks.
- Understand that using encrypted apps may cause third parties to believe you are -- at the very least -- privacy conscious, or may suggest you have something to hide.
- Some messaging apps, like Signal, are entirely dependent on capturing your address book. Others, like WhatsApp, make this optional but one can assume that most users enable this feature.
- Know that your messaging app could be vacuuming up your address book into its cloud service, where user matches are made, which means the provider could have a comprehensive social graph, possibly even for numbers that aren't their users.
-- By John Bambenek, Threat Systems Manager, Fidelis Cybersecurity