The Telegram messaging application is fast becoming a cyber criminal’s go-to assistant for a variety of different cyber attacks, offering services similar to those found on the dark web through a more accessible platform.
Phishing and other cyber attack services are usually associated with forums on the dark web, but the ease of use and privacy features of Telegram have made the platform a boon for criminals, with a variety of services marketed through its channels.
Research from Searchlight Cyber, shared exclusively with ITPro ahead of publication, found a plethora of phishing services advertised, starting from simple static pages sold for as little as $50 up to considerably more sophisticated and customizable sites featuring administration pages and controls.
Phishing services - also referred to as phishing as a service - allow almost anyone with a basic knowledge of cyber security to launch a phishing attack with the criminal acting as a service provider. Phishing kits can also be purchased for a flat fee.
The sophistication of the services on offer included multi-factor authentication (MFA) bypass attacks, where the victim is requested to provide specific information that can enable a criminal to launch attacks, including the takeover of accounts.
Researchers noted that the most targeted industries were finance, telecommunications, and government bodies. The former two are attractive targets due to the relatively high financial rewards arising from a successful attack - even from just obtaining a set of comprised credentials. The latter is more often targeted by state-sponsored groups.
Buying and selling stolen data on Telegram
Also marketed on the platform was personal information - described as ‘logs’ or ‘fullz’ - including data such as payment card numbers, addresses, and government IDs.
One example given by researchers showed a comprehensive amount of credit data for sale for one individual, valued at $300 by criminals.
Find out how you can transform your IT security operations with a single platform.
Using the data on offer can be a challenge due to security measures put in place by measures such as MFA. Researchers found that solutions were readily available from actors in Telegram channels that exploited stolen records, including One Time Password (OTP) bots, SMS spamming, and SIM swapping services.
An OTP bot, which can be rented on a daily, weekly, or monthly basis, calls the victim and requests a code to be entered into the phone’s keypad. Once obtained, the code permits access to the account
While SMS spamming - where a message is sent to the victim directing them to a fake page where a code could be entered - bears a distinct resemblance to phishing attacks, SIM swapping is a considerably more sophisticated service.
In this instance, the victim’s SIM card is cloned, which means calls and messages can be intercepted. A representative from a telecoms company is usually needed to approve the process, often through an insider - for a flat fee or percentage of the stolen funds - at the organization. Researchers found the services of such insiders advertised on the messaging platform.
Other advertised insiders - known as ‘innys’ - included individuals working at financial institutions who are thought to be useful when it comes to transferring funds from compromised accounts while avoiding detection.
Monitoring and tracking activity
The widespread use of Telegram by cyber criminals, if not on the same scale as the activity in underground forums, also presents opportunities for security teams.
Researchers noted that messages on the platform are not encrypted by default, and many channels used routinely by criminals are available for cyber security teams to join and monitor.
Opportunities therefore exist to learn about attack methods and activity, as well as identify specific organizations being targeted and where compromises - such as insider threats - are to be found.
“Gathering intelligence on how cyber criminals operate is one of the most effective ways of ensuring that your security matches the most up-to-date attack techniques,” researchers said.
Why Telegram?
Telegram has a range of privacy features that allow it to be used anonymously; it also benefits from being a popular service generally.
Setting up an account requires only a valid telephone number, which can be hidden in favor of a username. Messages can be set to self-destruct, and chats can be end-to-end encrypted to keep conversations private.
Furthermore, the researchers point out that Telegram has remained relatively independent - certainly when compared to some competing platforms - going some way to alleviating concerns about messages being analyzed, harvested, or otherwise exploited.
While this appeals to ordinary users concerned about their privacy, it has also resulted in what researchers described as “a diverse and flourishing cyber criminal user base”. Such criminals usually have a presence on dark web forums, but Telegram has also proven itself as a useful channel for them to market themselves away from the underground scene.
