|
Getting your Trinity Audio player ready...
|
Claim: A Telegram message claiming “There are photos of you on the website” has gone viral on several Telegram pages.
Verdict: False! There are no pictures. DUBAWA can confirm that the viral link, http://vcvof.gdn/, is part of a phishing operation to mimic Telegram’s login interface. Multiple security tools have flagged it as malicious, affecting several Telegram users in Ghana.
Full Text
Recently, DUBAWA has observed an increase in phishing-related complaints from Telegram users. The pattern is consistent: the message seems to originate from a known contact, and the sender is often unaware that they have sent it.
The users receive messages from familiar contacts saying, “There are pictures of you in it,” followed by a suspicious link (commonly vcvof.gdn).
“I got that from a friend. I opened the link, and it asked for my Telegram number… I realised too late.”
“I almost put in my OTP because the page looked just like Telegram. I backed out when I saw the domain.”
“This got me, and now all my contacts are asking why I sent them that creepy link,” a victim shared his experience.
A screenshot of the message Telegram users receive.
In some cases, users reported that their Telegram accounts were compromised within minutes of entering their credentials on the phishing page.
When clicked, the link leads to a fake Telegram login page that requests a phone number and verification code. Victims who enter their details inadvertently hand over access to their Telegram accounts.
The attacker then uses these accounts to circulate the phishing message further, often deleting the message afterwards to conceal the breach.
Telegram is among Ghana’s most popular messaging applications, particularly among young people and journalists.
Many users utilise the “Saved Messages” feature as a digital locker for private information, including photos, documents, passwords, and more. Consequently, account breaches pose significant risks of privacy violations, identity theft, and blackmail.
Verification
Social Engineering and Digital Deception
This scam uses a common social engineering tactic—urgency and personal implication (“pictures of you”) to pressure users into clicking a link without scrutiny. Because the message is sent from a known contact (whose account has already been hijacked), users are less likely to suspect foul play.
Once a user enters their phone number and the one-time password (OTP), the attacker immediately gains control of the account.
The attacker, now in control of the compromised Telegram account, wastes no time. They begin sending the same phishing message, “There are pictures of you in it,” to every contact. Because the message comes from someone familiar, most recipients let their guard down. Curiosity clicks before caution kicks in.
But the real trick lies in what happens next. After dispatching the scam message, the attacker deletes it from the victim’s view. To the unsuspecting account holder, it’s as if nothing was ever sent. There’s no evidence, no message trail, and no reason to be alarmed until friends start reaching out and asking about a suspicious link supposedly sent by them.
Meanwhile, the attacker now has complete access to the victim’s digital world—every private conversation, every group message, and, most concerningly, the Saved Messages section, Telegram’s version of a private vault where many users store personal notes, passwords, bank details, voice notes, sensitive documents, and even medical records. Nothing is off-limits.
With full access, the attacker can quietly exfiltrate personal data, download contact lists, lift private files, and comb through chats for exploitable information. In just moments, the account becomes a gateway not only to one user’s life, but potentially to dozens, if not hundreds, of others.
Cybersecurity Evidence:
DUBAWA ran an independent scan of the URL http://vcvof.gdn/ using VirusTotal, a globally recognised malware and threat detection platform. At least eight security vendors flagged the site as malicious. This indicates that it may be hosting phishing scripts or spyware, malicious software (malware) that secretly gathers information from a person’s computer, phone, or other device without their knowledge or consent. Its main goal is to monitor user activity and collect sensitive data, which can be used for various purposes like identity theft, surveillance, or targeted advertising.
(Screenshot captured during analysis)
Further investigation into the phishing link revealed a troubling level of deception.
At first glance, the website mirrors Telegram’s official login interface almost perfectly. The fonts, logo, and colour scheme are nearly identical, crafted to fool even vigilant users. It’s a convincing replica designed to disarm suspicion and coax users into entering their phone number and authentication code.
Unlike legitimate platforms that use HTTPS encryption to secure data, this site operates over plain HTTP. Any information entered, including phone numbers, codes, or personal details, is transmitted without protection, leaving it vulnerable to interception.
The site’s digital address adds to the red flags. It’s hosted under “.gdn,” a low-reputation top-level domain known for being exploited by malicious actors. These domains are often used to host phishing sites and spam, mainly because they’re cheap to register and less regulated.
Conclusion
The deceptive Telegram link, “There are pictures of you on the website,” does not contain a picture but an active phishing campaign targeting users in Ghana and elsewhere. The phishing site vcvof.gdn has been verified as malicious and designed to harvest Telegram credentials. Users should remain vigilant and report suspicious activities.
