Telegram & Discord Security Best Practices
0xB25C
January 5th, 2023

Greetings! In this note I'll give you some simple tips and you'll sleep better at night

These two applications are frequently used for work and communication, so it stands to reason that scammers and hackers would also look for victims there. Let's figure out how to avoid falling victim as well!

Today I'd like to focus on the basic settings only. Let's get started!

Check Out:


I - Telegram

A couple of basic tips:

Beware of impersonators (carefully check out Telegram bio as the scammer may insert any nickname to his bio and leave his own nickname blank), fake notifications about logging into Telegram (check out them carefully, they should come into the official telegram news & tips channel) with a phishing link, fake bots (yep, bots - not user accounts - may DM first) and so on.

NONE of the telegram chats are encrypted not 1:1, not groups. Only the secret chat one iirc.

Settings:

  • Phone Number → Who can see my phone number — Nobody.

  • Data and Storage → Auto Download Media → Toggle off

  • Phone Number → Who can find me by my number — My Contacts.

  • Last Seen & Online → Who can see my timestamp — Nobody.

  • Profile photo → Who can see my profile photo — My Contacts.

  • Calls → Who can call me — My Contacts (or Nobody, if you prefer).

  • Calls→ Peer-to-peer — My contacts (or Nobody, if you prefer not to share your IP address with chat partners).

  • When you start the call, you will see four emojis at the top right corner - ask the person you are calling to name them and compare them to yours (they should be the same as yours). This is protection from MitM.

  • Forwarded Messages → Who can add a link to my account when forwarding my messages — My Contacts.

  • Groups & Channels → Who can add me — My Contacts.

  • Set up a 2FA (cloud password)!

  • Disable sticker loop animation! Animated Stickers = danger.

  • Disable auto-downloading (both wi-fi and cellular): Privacy & Security → Data Settings ❗️

  • Disable P2P calls for everyone as it may expose your IP! Same with secret chats! End-to-End encryption means thats your IP will become known the person you’re chatting with. And vice versa.

  • Disable link & image previews in secret chats (scroll down in a Privacy and Security section!

  • Disable autoplay GIFs!

  • Never activate (via /start) any telegram bot! Do not even touch telegram bots (only public chat bots are considered safe, you can operate them in a public chat via commands), never DM a Telegram bot! (any button can contain a SQLi vulnerability or even worse)!

  • If you have to open PDF (CV for example), use dangerzone.rocks or google drive preview regime (ask to upload)!

  • Watch out active session! Terminate inactive sessions! Watch out session stealers!

  • If you receive a message about logging into your account - check that it is on a legitimate telegram notification & news channel. Scammers can impersonate this notification channel to force you to give them the OTR code from the SMS.

  • Check out this list!

  • Stay safe!


II - Discord

A couple of basic tips:

  • Use a randomly generated password. Grab a password generator like BitWarden and use it to generate and store your passwords. It’s 2021. You can’t afford to use lame passwords stored in .txt files on your computer, especially when your crypto is at risk. Be smart and sleep better at night.

  • Turn on two-factor authentication (2FA) in Discord. You can find this setting in User Settings on Discord. Discord allows you to use Aegis, Authy (disable multi-device for a better OpSec) or other methods.

  • Configure privacy settings, which you can find in Privacy & Safety under User Settings. Choose whether you want to allow direct messages from server members or not. It’s up to you. Note, however, that if you have DMs turned off, then if you join a server with a Captcha or Verification bot that authenticates you via DM, you may not be able to use it. Check the server information to see if open DMs are required for that server.

  • In Privacy & Safety, select who can add you as a friend. If you’re extra paranoid, you can prevent anyone from adding you as a friend, or you can allow it just for members of the same server.

  • Run a VPN! Or rent a VPS and bootstrap an open-source VPN server!


III - Discord Scams

One of the most dangerous scams, as an example:

Judging from the original tweet, the story goes like this:

  • A scammer picks a target — our victim — who has a presence on a Discord channel.

  • The scammer creates a fake user on the channel impersonating the target.

  • He then starts spamming, scamming or trash-talking in the channel with an intent to get banned.

  • Discord channel moderators see the mayhem and work to ban this account. Our scammer had skillfully used some known Discord Nitro tricks to manipulate his account user nickname. This way, the channel moderators are fooled into banning the account of the target (and, possibly, the account of the scammer).

  • After seeing that the target is banned, the scammer creates a manipulated image of a fake discussion among the Discord channel’s team members about the target’s ban.

  • Then, impersonating the channel’s moderator, the scammer reaches out to the target via a DM. The target is surprised that he/she has been banned and starts to uncritically accept the words of the scammer who appears to offer help.

  • The scammer fakes urgency insisting that the situation needs to be remedied right now. He asks the target to prove innocence and to come on a Discord call.

  • The scammer convinces the target to share the Discord Web UI computer screen and instructs the target to open Discord Developer Tools and reveal the Discord token. This token can be used to take full control of the account (without the password, and bypassing the Two Factor Authentication).

  • All this fancy manipulation leads to the scammer gaining full control of the target’s Discord account — he can now cause damage to the victim or the victim’s company.


IV - Social Engineering

Let us take Jane who is a diligent employee at her company. Information about Jane is publicly available on her social networks. Some sensitive information about her might have even been revealed in some leaks, such as the 2014 Yahoo Mail user account information breach. Generally, she is no different from you or us. So far, so good.

But then, a troll shows up and starts stalking her around social networks, writing hurtful comments, for example. He expands his cyberbullying to others in Jane’s company, bringing distress to his victims.

Even at this stage, the attack has done enough damage to cripple the culture of openness inside the company. Employees may stop sharing personal information or speaking candidly about problems for fear of ridicule or retaliation.

Jane continues to suffer the troll's attacks in silence. If Jane blocks the troll’s account, he will make another. If he knows her address, multiple pizza deliveries may suddenly arrive at her door. It is no life.

At this point in our story, in comes John. He is a stranger but, he too has a public account and has suffered from the actions of this same troll as evident from attacks on his page. He makes Jane a proposition for cooperation on how to stop the attacks. He says he knows a way to silence the troll.

Sure he knows the way. The Knight to the Rescue and the Evil Troll are one and the same person. The troll’s trick was to establish an emotionally supportive bond with someone who was experiencing pain.

John created a condition where Jane is now more likely to follow John’s seemingly innocent suggestion. She may click on a URL link or open a file sent to her. She might even come out and meet John.

This story may end badly for Jane. A potential scam by John should have been stopped at the beginning – at the stage when the target got recruited.

Are there any good guidelines to follow so that we do not end up in Jane’s position?

  1. The piece of advice “don't let strong emotions influence your actions” applies well for investing in stocks or when choosing a life partner. It can be your first rule in the digital world playground.

  2. If you get scammed, do not lose heart. One thing victims often tell us after being defrauded is “I can’t believe I was so stupid.” Scams happen to the best among us. Evolutionary psychology tells us that we have been wired by evolution to trust other humans for the purpose of our survival. This is why any exploitation of this strong evolutionary adaptation is particularly painful to us.

  3. If you are in a managerial role, make sure your employees aren't sick, tired, or go hungry at work. When employees are physically or emotionally weakened, they become vulnerable to psychological influence.

  4. If you work a lot with files, particularly PDFs, you can use these protective measures or dangerzone.rocks!

  5. While you may be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.

  6. We recommend that you follow these 25 rules to safeguard yourself from nefarious Internet scammers.

The exploitation of love or anger happens less often because the scammer would need to maintain a psychological connection with the victim, requiring skill, time, and familiarity with the target. In our situation, the scammer exploited the victims' fear. What is more, in order for this attack to succeed the victim had to be rushed.

A skillful social engineer will not give the victim much time to think, and will always press for urgency. This is the first thing to pay attention to – If you are rushed to give out sensitive information (or any information at all, for that matter), it is a good time to pause.

The second point to note is that when you find yourself in a similar situation, do not try to solve the problem by yourself. Ask a friend, a frequent contributor to your favorite Discord server, or a moderator of any well-known DAO. Good people want to help. Get a second opinion.

Sometimes scammers just want to get dirt on the victim or de-anonymize the target. Often, however, sophisticated cyber exploits can come coupled with either a malware injection or a phishing attack, or some other surprise.


V - Malware & OTC Scams

Read on to learn what happened here, so you can avoid OTC scam happening to you:

Check out:

Bonus:

Awesome Crypto Discord & Telegram servers & chats!


Support is very important to me, with it I can do what I love — educating users!

If you want to support my work, you can send me a donation to the address:

Subscribe to Officer's Blog
Receive new entries directly to your inbox.
Collectors
View
#1
#2
#3
View collectors
This entry has been permanently stored on-chain and signed by its creator.
Author Address
0xB25C5E8fA1E53…9F6A66B786ED77A
Content Digest
dlf6ZEXq3FLE21Z…8XIF9DEJAQ07nk8