Telegram & Discord Security Best Practices
CIA Officer
Greetings! In this note I'll give you some simple tips and you'll sleep better at night!
A couple of basic tips: beware of impersonators (check the Telegram bio carefully: a scammer can write any nickname into the bio text while leaving the real username field blank); beware of fake "new login" notifications that carry a phishing link (genuine login alerts come from Telegram's own service notification account, the chat simply named Telegram, never as a DM from a stranger or a random channel); beware of fake bots (a real bot cannot message you until you press /start, so a "bot" that DMs you first is a user account dressed up as one); and so on.
Today I'd like to focus on the basic settings. Let's get started!
I - Telegram
- Read: medium.com/immunefi/how-not-to-get-hacked-on-telegram-2db2b93a5fa2
- Read: officercia.mirror.xyz/W-SUbkTf18b3RuPL9DykXQmpexWBZxbp4P1xfCfXo4Y
A couple of basic tips:
- Privacy & Security → Phone Number → Who can see my phone number: Nobody.
- Privacy & Security → Phone Number → Who can find me by my number: My Contacts.
- Privacy & Security → Last Seen & Online → Who can see my timestamp: Nobody.
- Privacy & Security → Profile Photo → Who can see my profile photo: My Contacts.
- Privacy & Security → Forwarded Messages → Who can add a link to my account when forwarding my messages: My Contacts.
- Privacy & Security → Groups & Channels → Who can add me: My Contacts.
- Privacy & Security → Calls → Who can call me: My Contacts (or Nobody, if you prefer).
- Privacy & Security → Calls → Peer-to-peer: My Contacts, or Nobody. A peer-to-peer call connects directly to the other party's device and therefore reveals your IP address to them; with it off, the call is relayed through Telegram's servers instead.
- When a call starts, four emojis appear at the top of the screen. Ask the person you are calling to read theirs out and compare them with yours: they must match. The emojis are derived from the call key both devices negotiated, so a mismatch means someone in the middle is relaying (and can decrypt) the call.
- Privacy & Security → Two-Step Verification: set a cloud password. Without it, anyone who gets hold of a login code (SIM swap, a phishing page that asks for the code) can log into the account.
- Data and Storage → Automatic Media Download: off for both Wi-Fi and cellular, so nothing sent to you is fetched and parsed before you decide to open it.
- In the Stickers settings, turn off Loop Animated Stickers. Animated stickers are decoded by a rendering library as soon as they are displayed, and parser bugs in media and sticker renderers have been found in messengers before; rendering less untrusted content shrinks that surface.
- Never press /start on a Telegram bot and never DM one. Starting a bot hands it your user ID, name and username and allows it to message you from then on; its buttons can open arbitrary links and its keyboards can ask you to share your phone number or location. The only bots worth touching are public ones you operate via commands inside a group chat you already trust.
- If you have to open a PDF (a CV, for example), run it through dangerzone.rocks or ask for it to be uploaded to Google Drive and read it in the preview there, rather than opening it locally.
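Why comparing the four call emojis works, as an added example that is not from the original note and not Telegram's code: a toy Diffie-Hellman exchange over a small Mersenne prime with a SHA-256 based emoji picker stands in for the real key agreement (the group, the emoji alphabet and the derivation below are assumptions for illustration, not Telegram's actual scheme). An honest call yields the same four emojis on both phones; a relay that substitutes its own public value ends up holding a usable key with each side, but cannot make the two displays agree.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group (assumption: illustrative only; real messengers use
# 2048-bit groups or elliptic curves). 2**127 - 1 is a Mersenne prime.
P = 2**127 - 1
G = 3

# Constructed emoji alphabet. Telegram's real set is several hundred emojis,
# which is what makes a four-emoji match strong evidence of an untampered key.
EMOJI = ["😀", "🐱", "🍎", "🚗", "⚽", "🎸", "🔑", "🌙",
         "🐘", "🍕", "🚀", "🎲", "🦊", "🌵", "🎈", "⛵"]


def keypair(priv=None):
    """Return (private, public) for the toy group; random private if none given."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_key(priv, peer_pub):
    """DH shared secret as 16 bytes (all values are below 2**127)."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def sas_digest(key, initiator_pub):
    """Hash the call key together with the initiator's public value.
    Binding the public value means a relay that swaps public values also
    changes the digest on the side that saw the swapped value."""
    return hashlib.sha256(key + initiator_pub.to_bytes(16, "big")).digest()


def emoji_from_digest(digest):
    """Map the first four digest bytes to the four emojis shown on screen."""
    return [EMOJI[b % len(EMOJI)] for b in digest[:4]]


def honest_call(a_priv=None, b_priv=None):
    """Alice initiates, Bob answers, nobody interferes. Returns both displays."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    alice = emoji_from_digest(sas_digest(shared_key(a_priv, b_pub), a_pub))
    bob = emoji_from_digest(sas_digest(shared_key(b_priv, a_pub), a_pub))
    return alice, bob


def mitm_call(a_priv=None, b_priv=None, m_priv=None):
    """Mallory sits on the relay and substitutes her own public value in both
    directions. Returns (alice_display, bob_display, displays_match,
    mallory_holds_both_keys)."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    m_priv, m_pub = keypair(m_priv)
    k_alice = shared_key(a_priv, m_pub)   # Alice received m_pub instead of b_pub
    k_bob = shared_key(b_priv, m_pub)     # Bob received m_pub instead of a_pub
    alice_view = sas_digest(k_alice, a_pub)  # Alice knows she initiated with a_pub
    bob_view = sas_digest(k_bob, m_pub)      # Bob saw m_pub as the initiator's value
    # Mallory can derive both session keys, so she can decrypt both directions.
    mallory_ok = (shared_key(m_priv, a_pub) == k_alice
                  and shared_key(m_priv, b_pub) == k_bob)
    return (emoji_from_digest(alice_view), emoji_from_digest(bob_view),
            alice_view == bob_view, mallory_ok)


if __name__ == "__main__":
    a, b = honest_call()
    print("honest call  alice:", a, " bob:", b, " match:", a == b)
    a, b, same, mallory = mitm_call()
    print("relayed call alice:", a, " bob:", b, " match:", same,
          " mallory decrypts both sides:", mallory)
```

The point the example makes is the one the setting relies on: the relay attack succeeds at the cryptographic layer (Mallory holds a key with each side) and is caught only by a human comparison of the displayed emojis, which is why the check has to be done out loud on every sensitive call.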
II - Discord
- Read: medium.com/immunefi/how-to-avoid-blockchain-blackhats-on-discord-78e4f278c4a2
- Read: 0xrusowsky.substack.com/p/on-operational-security
A couple of basic tips:
- Use a randomly generated password. Grab a password manager like Bitwarden and use it to generate and store your passwords. It's 2021. You can't afford to use weak passwords stored in .txt files on your computer, especially when your crypto is at risk. Be smart and sleep better at night.
- Turn on two-factor authentication (2FA) in Discord. You can find this setting in User Settings on Discord. Discord allows you to use Aegis, Authy (disable multi-device for a better OpSec) or other methods.
- Configure privacy settings, which you can find in Privacy & Safety under User Settings. Choose whether you want to allow direct messages from server members or not. It’s up to you. Note, however, that if you have DMs turned off, then if you join a server with a Captcha or Verification bot that authenticates you via DM, you may not be able to use it. Check the server information to see if open DMs are required for that server.
- In Privacy & Safety, select who can add you as a friend. If you’re extra paranoid, you can prevent anyone from adding you as a friend, or you can allow it just for members of the same server.
- Run a VPN! Or rent a VPS and bootstrap an open-source VPN server!
III - Discord Scams
- Read: officercia.mirror.xyz/x4nGX6YwhhmHj8TaQ53kBR5b5M1Ei_Y9_l1Vpext-Hk
- Read: mirror.xyz/crisgarner.eth/gJjASuCkbXJ1w574ePvJ3kNyWBZQfUyelMvsp4ujZ80
One of the most dangerous scams, as an example...
Judging from the original tweet, the story goes like this:
- A scammer picks a target — our victim — who has a presence on a Discord channel.
- The scammer creates a fake user on the channel impersonating the target.
- He then starts spamming, scamming or trash-talking in the channel with an intent to get banned.
- Discord channel moderators see the mayhem and work to ban this account. Our scammer had skillfully used some known Discord Nitro tricks to manipulate his account user nickname. This way, the channel moderators are fooled into banning the account of the target (and, possibly, the account of the scammer).
- After seeing that the target is banned, the scammer creates a manipulated image of a fake discussion among the Discord channel’s team members about the target’s ban.
- Then, impersonating the channel’s moderator, the scammer reaches out to the target via a DM. The target is surprised that he/she has been banned and starts to uncritically accept the words of the scammer who appears to offer help.
- The scammer fakes urgency insisting that the situation needs to be remedied right now. He asks the target to prove innocence and to come on a Discord call.
- The scammer convinces the target to share the screen of the Discord web UI and instructs the target to open the browser's Developer Tools and reveal the Discord token. The token is the credential the Discord client sends with every request, so whoever holds it is logged in as the account: no password prompt, no two-factor challenge.
- All this fancy manipulation leads to the scammer gaining full control of the target’s Discord account — he can now cause damage to the victim or the victim’s company.
IV - Social Engineering
- Read: officercia.mirror.xyz/qfhQ_ocTPKnO5EqMlZ2ixIX7oBIfz5Tznid82EucbYk
- Read: officercia.mirror.xyz/p1ieZdxQWH4yHCNOXNPHyT8So1cY0X_wMGKwdmavi7s
Let us take Jane who is a diligent employee at her company. Information about Jane is publicly available on her social networks. Some sensitive information about her might have even been revealed in some leaks, such as the 2014 Yahoo Mail user account information breach. Generally, she is no different from you or us. So far, so good.
But then, a troll shows up and starts stalking her around social networks, writing hurtful comments, for example. He expands his cyberbullying to others in Jane’s company, bringing distress to his victims.
Even at this stage, the attack has done enough damage to cripple the culture of openness inside the company. Employees may stop sharing personal information or speaking candidly about problems for fear of ridicule or retaliation.
Jane continues to suffer the troll's attacks in silence. If Jane blocks the troll’s account, he will make another. If he knows her address, multiple pizza deliveries may suddenly arrive at her door. It is no life.
At this point in our story, in comes John. He is a stranger but, he too has a public account and has suffered from the actions of this same troll as evident from attacks on his page. He makes Jane a proposition for cooperation on how to stop the attacks. He says he knows a way to silence the troll.
Sure he knows the way. The Knight to the Rescue and the Evil Troll are one and the same person. The troll’s trick was to establish an emotionally supportive bond with someone who was experiencing pain.
John created a condition where Jane is now more likely to follow John’s seemingly innocent suggestion. She may click on a URL link or open a file sent to her. She might even come out and meet John.
This story may end badly for Jane. A potential scam by John should have been stopped at the beginning – at the stage when the target got recruited.
Are there any good guidelines to follow so that we do not end up in Jane’s position?
- The piece of advice "don't let strong emotions influence your actions" applies well to investing in stocks or choosing a life partner. It can be your first rule in the digital world playground.
- If you get scammed, do not lose heart. One thing victims often tell us after being defrauded is “I can’t believe I was so stupid.” Scams happen to the best among us. Evolutionary psychology tells us that we have been wired by evolution to trust other humans for the purpose of our survival. This is why any exploitation of this strong evolutionary adaptation is particularly painful to us.
- If you are in a managerial role, make sure your employees aren't sick, tired, or hungry at work. When employees are physically or emotionally weakened, they become vulnerable to psychological influence.
- If you work a lot with files, particularly PDFs, you can use these protective measures.
- While you may be wary of third parties trying to steal your information, you should also watch out for insider threats, such as negligent employees and disgruntled workers.
- We recommend that you follow these 25 rules to safeguard yourself from nefarious Internet scammers.
The exploitation of love or anger happens less often because the scammer would need to maintain a psychological connection with the victim, requiring skill, time, and familiarity with the target. In our situation, the scammer exploited the victim's fear. What is more, in order for this attack to succeed the victim had to be rushed.
A skillful social engineer will not give the victim much time to think, and will always press for urgency. This is the first thing to pay attention to – If you are rushed to give out sensitive information (or any information at all, for that matter), it is a good time to pause.
The second point to note is that when you find yourself in a similar situation, do not try to solve the problem by yourself. Ask a friend, a frequent contributor to your favorite Discord server, or a moderator of any well-known DAO. Good people want to help. Get a second opinion.
Sometimes scammers just want to get dirt on the victim or de-anonymize the target. Often, however, sophisticated cyber exploits can come coupled with either a malware injection or a phishing attack, or some other surprise.
V - Malware & OTC Scams
- Read: github.com/OffcierCia/Crypto-OpSec-SelfGuard-RoadMap
- Read: docs.google.com/document/d/1-_0Wlwch_vtkPM4F-SdEXLjQYaYT7KoPlU2rjt7tkLQ/edit
Read on to learn what happened here, so you can avoid an OTC scam happening to you:
Bonus:
Awesome Crypto Discord & Telegram servers & chats!
- telegra.ph/Crypto-Telegram-Channels--Chats-04-19
- sovs.notion.site/Telegram-Channels-875ef69267da4a269828182b3d5d5dc1