This article discusses the rise of fraudulent Safeguard bots on Telegram that target the security of cryptocurrency transactions. Cybercriminals use these bots to install malware and steal access to victims' accounts. One fraudulent bot is linked to a recently registered domain, which in turn connects it to smishing scams impersonating the Italian social security agency INPS.
Affected: Telegram, cryptocurrency, INPS, victims of cybercrimes
Key points:
- Safeguard is a service for securing cryptocurrency transactions on Telegram.
- The popularity of Safeguard has led to the creation of fraudulent bots aimed at deceiving users.
- A fraudulent bot prompts users to complete three "verification" steps that result in malicious PowerShell code being executed.
- This scam relates to the distribution of Lumma Stealer malware.
- A recently registered domain ‘safeguard-telegram’ is associated with two active Telegram bots.
- The bots trick victims into scanning QR codes to grant access to their accounts.
- The fraudulent domain exposes configuration information, including the real IP address of the scam service.
- The reported IP is linked to other domains involved in smishing scams.
- The scams highlight coordinated efforts to steal identity documents and access messaging accounts.
- CERT-AGID has shared the indicators of compromise with its accredited organizations.
MITRE Techniques:
- Execution (T1203) – Execution of PowerShell commands via the fraudulent bot.
- Credential Dumping (T1003) – Attempting to capture Telegram account credentials through phishing methods.
- Data Theft (T1005) – Potential access to documents and identity information via the associated scams.
Indicators of Compromise:
- [Domain] safeguard-telegram
- [Domain] inps[.]ec
- [Domain] inps[.]io
- [Domain] inps[.]st
- [IP Address] (the real IP address of the fraudulent service is not given in this summary)
Full Story: https://cert-agid.gov.it/news/truffa-safeguard-furto-di-account-telegram-e-connessione-con-lo-smishing-inps/