Announcing DaryaScam: Messaging apps need passkeys ASAP
TL;DR: You got phishing, we brought guns.
https://daryascam.info/ | [Whitepaper] | [Code]
This story is actually almost happened to my family in Ukraine. Few months ago, my mother-in-law mentioned to us, that she received a message from her friend asking to vote for her niece in the children competition. She was surprised, since she never heard about her friend having a niece. We all just assumed that it was one of those social media hype thing, and ignored it… until I found that this was actually a scam, and we almost got caught in it.
In this article we will talk about the attack, how it works, and why messaging apps need to start using passkeys ASAP.
I would like to thank to @D1m0ps for his work at dissecting the attack. Go and read the thread here https://x.com/D1m0ps/status/1854621602270384374
The attack
Seemingly innocent message, from people you trust, has a very clever way of stealing your messaging account. The message does not ask you for anything specific, but to “vote” for a nephew. Harmless as it could be.
Once you have decide who to vote for, you will be redirected to “authorization” page, where you simply need to “scan qr code” and do some extra steps.
Once you did that, the attacker basically gets messenger web session, and thus full access to your messaging app. Attacker can view all your messages and contacts, send scam messages to your friends, and even hide that fact by removing messages from your history.
Once this happened, you can still stop the attacker from doing more damage, by disabling malicious session, and we wrote step-by-step instructions on our website https://daryascam.info/
Risks are immense
This attack is not unique per say idea, but the velocity, effectiveness, and creativity, as well as critical mass state. People are simply using messaging apps more, and for more things than they use to. Telegram is no longer a place to chat to friends, it is de-facto a social media platform, same as Discord. People using messaging apps, to talk to friends, read news, discuss politics, buy and sell things, chat to AI, as well as submit documents for visa processing, and to apply for an apartment.
Today messenger accounts, are far more valuable than your facebook account. The throwe of person information that potential attacker gets is mind boggling, as well as consequences. Wrong message, or Telegram channel will lend you in jail somewhere like Russia, while access to your account will allow attackers to spread phishing, propaganda, scam, etc.
These are fully weaponised, and well coordinated phishing attack that are happening in real time, and are affecting millions of people.
The cure is here, and its passkeys
Now is the perfect time to eliminate this phishing threat once and for all with the technology we’ve spent the past decade perfecting. Passkeys are a game-changer: they’re well-supported, highly secure, and the only truly phishing-resistant authentication method available.
The time to act is now. Let’s put an end to messenger-based phishing attacks forever.
To help in this mission, we’ve teamed up with Hideez to create a comprehensive whitepaper that outlines the critical vulnerabilities in messaging app security and provides actionable solutions. We’ve also developed working demos to showcase how these fixes can be implemented in practice.
Our objective is clear: to eradicate this phishing vector completely.
All of our tools and code are fully open source and ready to deploy. Join us in this fight. Together, we can secure the future.
Our Github org with the code: https://github.com/DaryaScam
Demo:
Code:
- iOS Demo: https://github.com/DaryaScam/iOSDemoApp
- Android Demo: [Coming soon!]
- Electron Demo: https://github.com/DaryaScam/ElectronHybridDemo
- Web Demo: https://github.com/DaryaScam/WebDemo
Wanna talk?
Yuriy Ackermann
- https://bsky.app/profile/yackermann.bsky.social
- https://twitter.com/yackermann
- https://www.linkedin.com/in/yuriy-ackermann/
Oleg Naumenko
- https://hideez.com/
- on@hideez.com
