In another sign that Telegram is increasingly becoming a cybercrime hub, researchers have found that threat actors are using the messaging platform to peddle phishing kits and help set up phishing campaigns.
“To promote their ‘stuff’, phishers create Telegram channels where they educate their audience about phishing and entertain subscribers with polls like, ‘What kind of personal data do you prefer?’,” Kaspersky web content analyst Olga Svistunova said in a report published this week.
Links to these Telegram channels are distributed via YouTube, GitHub, and phishing kits developed by the criminals themselves. The Russian cybersecurity firm said it detected more than 2.5 million malicious URLs generated using phishing kits in the last six months.
One of the prominent services offered is providing threat actors with a Telegram bot that automates the process of creating phishing pages and collecting user data.
Even though the scammer is responsible for distributing the fake login page to the desired target, the credentials captured on the page are sent back via another Telegram bot.
Other bot services go further with advertising options to generate phishing pages impersonating legitimate services, which are then used to lure potential victims under the pretense of giving free likes on social media services.
“Telegram channels operated by scammers occasionally post what appear to be very generous offers, for example, ready-made phishing kit packages targeting a large number of global and local brands,” Svistunova said.
In some cases, phishers have also been observed sharing users’ personal data with other customers for free in hopes of attracting would-be criminals, only to sell paid kits to those who want to carry out more such attacks. The scammers then offer to teach “how to phish for some serious cash”.
Free offers are also a way for scammers to trick cash-strapped and novice criminals into using their phishing kits, resulting in a double theft, where the stolen data is also sent to the kit's creator without the user's knowledge.
Paid services, on the other hand, include advanced kits that offer attractive designs and features such as anti-bot detection, URL encryption, and geoblocking, which threat actors can use to carry out more sophisticated social engineering schemes. Such pages cost between $10 and $280.
Other paid categories involve the sale of personal data, with bank account credentials advertised at different rates based on balance. For example, an account with a balance of $49,000 is offered for $700.
What’s more, phishing services are marketed via Telegram on a subscription basis (i.e., phishing-as-a-service or PhaaS), in which developers rent kits for a monthly fee in exchange for providing regular updates.
Also promoted as a subscription is a one-time password (OTP) bot that calls users and convinces them to enter a two-factor authentication code on their phone to help bypass account protection.
Setting up this service is relatively easy. What is more difficult is to gain customer trust and loyalty. And some vendors go to great lengths to ensure that all information is encrypted so that no third party, including themselves, can read it.
The findings also follow an advisory from Cofense earlier this January, which revealed an 800% year-over-year increase in the use of Telegram bots as an exfiltration destination for phishing information.
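For defenders, a kit that sends captured data to a Telegram bot leaves a recognizable trace in egress logs, because Telegram's public Bot API uses URLs of the form `https://api.telegram.org/bot<id>:<secret>/<method>`. The following is an added example, not code from the Kaspersky or Cofense reports; the log layout, host names and token values are constructed for illustration.

```python
import re
from collections import defaultdict

# Telegram Bot API URL shape: api.telegram.org/bot<numeric id>:<secret>/<method>
BOT_API = re.compile(
    r"api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)"
)
# Bot API methods that push data out to a chat (compared case-insensitively).
SEND_METHODS = {"sendmessage", "senddocument", "sendphoto"}

# Constructed egress-proxy lines: "<timestamp> <source host> <HTTP verb> <url>".
# The tokens are made-up placeholders, not real bot credentials.
SAMPLE_LOG = """\
2023-04-06T10:01:12Z web-03 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExample/sendMessage
2023-04-06T10:01:40Z web-03 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExample/sendMessage
2023-04-06T10:02:05Z web-03 GET https://example.com/index.html
2023-04-06T10:03:11Z laptop-17 GET https://api.telegram.org/bot987654321:BBExampleExampleExampleExampleExample/getUpdates
2023-04-06T10:04:30Z web-07 POST https://api.telegram.org/bot1234567890:AAExampleExampleExampleExampleExample/sendDocument
"""

def find_bot_api_calls(log_text):
    """Return {(source_host, bot_id): {method: count}} for outbound send calls."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        host, url = fields[1], fields[3]
        m = BOT_API.search(url)
        if m and m.group("method").lower() in SEND_METHODS:
            hits[(host, m.group("bot_id"))][m.group("method")] += 1
    return {key: dict(methods) for key, methods in hits.items()}

def redact(line):
    """Keep the bot id for correlation but drop the secret before sharing a log line."""
    return BOT_API.sub(
        lambda m: f"api.telegram.org/bot{m.group('bot_id')}:<redacted>/{m.group('method')}",
        line,
    )

if __name__ == "__main__":
    for (host, bot_id), methods in find_bot_api_calls(SAMPLE_LOG).items():
        print(f"{host} -> bot {bot_id}: {methods}")
```

A web server that posts to the Bot API without a known business reason is worth triaging as a possible hosted phishing page, and the same bot id appearing from several hosts suggests copies of one kit.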
“It used to be that phishers wanted to find their way to the dark web, study the forums there, and do something else to get started,” says Svistunova. “The threshold for joining the phisher community was lowered after bad actors migrated to Telegram and are now sharing insights and knowledge, often for free, directly on popular messaging services.”