Telegram marketplaces fuel phishing attacks with easy-to-use kits and malware

January 31, 2024 | Pressroom | Cybercrime/hacking news


Cybersecurity researchers are calling attention to the “democratization” of the phishing ecosystem due to the emergence of Telegram as an epicenter of cybercrime, allowing threat actors to launch a mass attack for as little as $230.

“This messaging app has transformed into a bustling hub where experienced cybercriminals and newcomers exchange illicit tools and information creating a shadowy, well-oiled supply chain of tools and victim data,” Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a new article.

“Free samples, tutorials, kits, and even hackers for hire – everything you need to build a complete end-to-end malicious campaign.”

This isn’t the first time the popular messaging platform has come under scrutiny for facilitating malicious activity, partly driven by its lenient moderation efforts.

As a result, what was previously only available on invitation-only forums on the dark web is now easily accessible via public channels and groups, thus opening the doors of cybercrime to aspiring and inexperienced cybercriminals.


In April 2023, Kaspersky revealed how phishers create Telegram channels to educate beginners about phishing and advertise bots that can automate the process of creating phishing pages to collect sensitive information such as login credentials.

One such malicious Telegram bot is Telekopye (also known as Classiscam), which can create fraudulent web pages, emails, and SMS messages to help threat actors carry out large-scale phishing scams.


Guardio said that the building blocks of a phishing campaign can be easily purchased on Telegram – “some offered at very low prices, and some even for free” – making it possible to set up scam pages via a phishing kit, host the page on a compromised WordPress website via a web shell, and use a backdoor mailer to send email messages.

Backdoor mailers, marketed on various Telegram groups, are PHP scripts injected into already infected but legitimate websites to send convincing emails using the exploited website’s legitimate domain to bypass spam filters.

“This situation highlights a double responsibility for site owners,” the researchers said. “They must safeguard not only their business interests, but also protect their platforms from being used by scammers to host phishing operations, send deceptive emails and conduct other illicit activities, all without their knowledge.”
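One way a site owner could look for the injected PHP mailers described above, as an added example that is not from the article or the Guardio report: a Python sweep of a WordPress webroot for PHP files under the uploads directory and for PHP files that call a mail function while reading request parameters. The heuristics, function names and sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed heuristics for illustration; not signatures taken from the Guardio report.
MAIL_CALL = re.compile(rb"\b(?:wp_)?mail\s*\(")
REQUEST_INPUT = re.compile(rb"\$_(?:POST|GET|REQUEST|COOKIE)\b")
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar"}


def scan_site(webroot):
    """Return {relative_path: [reasons]} for PHP files worth a manual review."""
    webroot = Path(webroot)
    findings = {}
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(webroot).as_posix()
        reasons = []
        # A media upload directory is not expected to hold executable PHP.
        if rel.startswith("wp-content/uploads/"):
            reasons.append("php-in-uploads")
        data = path.read_bytes()
        if MAIL_CALL.search(data) and REQUEST_INPUT.search(data):
            reasons.append("request-driven-mail")
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Build a constructed WordPress-like tree in a temp dir and scan it."""
    samples = {
        "wp-content/uploads/2024/01/cache.php": b"<?php $t = $_POST['to']; mail($t, 's', 'b');",
        "wp-content/plugins/contact/send.php": b"<?php wp_mail('owner@example.com', 'Contact', $body);",
        "wp-content/uploads/2024/01/logo.png": b"\x89PNG constructed",
        "wp-includes/version.php": b"<?php $wp_version = 'x';",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_site(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, ", ".join(reasons))
```

A hit is a prompt for manual review rather than proof of compromise: a legitimate contact form can also read request input and send mail, and a mailer that uses a bundled mail library instead of `mail()` would not match the second rule.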


To further increase the likelihood of success of such campaigns, digital marketplaces on Telegram also provide so-called “letters”, which are “branded and expertly designed templates” that make email messages appear as authentic as possible to lure victims to click on the bogus link pointing to the scam page.

Telegram also hosts bulk datasets containing valid and relevant email addresses and phone numbers to target. Referred to as “leads,” they are sometimes “enriched” with personal information such as names and physical addresses to maximize impact.


“These contacts can be incredibly specific, tailored to any region, niche, demographic, specific business customers, and more,” the researchers said. “Every piece of personal information increases the effectiveness and credibility of these attacks.”

How these lead lists are prepared may vary from seller to seller. They can be obtained from cybercrime forums that sell stolen data from hacked companies, or through sketchy websites that trick visitors into completing a fake survey to win prizes.

Another crucial component of these phishing campaigns is a means to monetize the collected stolen credentials by selling them to other criminal groups in the form of “logs”, granting threat actors a 10x return on their investment based on the number of victims who end up providing valid details on the scam page.

“Social media account credentials are sold for as little as a dollar, while bank accounts and credit cards could be sold for hundreds of dollars, depending on their validity and funds,” the researchers said.

“Unfortunately, with a small investment, anyone can launch a significant phishing operation, regardless of prior knowledge or ties to the criminal world.”
