Cybercriminals are increasingly turning to Telegram to share tactics and market their services, especially threat actors specializing in phishing, according to Kaspersky.
The phishing community on Telegram has grown substantially over the past year, as phishers flock to the platform and create Telegram channels for promoting phishing kits and bots for automating routine workflows, including generating phishing pages and collecting data. Cybercriminals are increasingly using Telegram bots to sell subscriptions for their services, which include providing the phishing kits that automate virtually all aspects of the campaigns, along with customer support to help avoid detection and regular updates for their phishing tools.
Phishing kits are being offered complete with pre-packed tools that make it easy for would-be phishers to get started and conduct their own campaigns, several of which are being offered free of charge. These include bot-based phishing pages that automate the creation of new pages and data collection – all that is required is for the phisher to send out the emails and links to the malicious URL and wait for the bot to return the stolen data.
Of course, these free offerings are far from altruistic. In return for providing the means to conduct phishing attacks, the creator of the bot is able to obtain a copy of any data harvested. The free services also aim to hook new phishers, who will then be pushed into purchasing more advanced, paid content, such as custom-crafted phishing pages that have been created from scratch, with more attractive and realistic designs and more advanced social engineering and anti-detection mechanisms to achieve better returns.
Phishing pages can be generated to mimic the desired brand and obtain the credentials phishers seek. For instance, the kits will generate a login prompt for TikTok that promises 1,000 TikTok likes for free, and will collect the login credentials when they are entered.
More advanced services are also offered that include phishing tools with customizable interfaces, anti-bot systems, and URL encryption, and phishing-as-a-service offerings that include tools that can obtain one-time codes to bypass multi-factor authentication. Telegram is also a hive of activity for phishers looking to sell their stolen data.
Kaspersky notes that while phishing is a booming business on Telegram, it is able to detect the fake sites and constantly adds new content to its database to protect its users. The Telegram bots that generate new phishing URLs typically incorporate similar chunks of code and often host the new URLs on the same domain, which makes it easy to block the pages.
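The two signals described above (reused markup and reused hosting) can be combined in a simple triage pass. The following is an added example, not Kaspersky's detection logic or code from any kit: it assumes token-shingle Jaccard similarity as the "similar code" measure, a 0.5 threshold, and invented hosts and page bodies.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: markup of a page already attributed to a kit (not real kit code).
KNOWN_KIT_HTML = ('<form action="/collect.php" method="post"><input name="login">'
                  '<input name="password"><input type="hidden" name="bot_ref" '
                  'value="TEMPLATE"><button>Get free likes</button></form>')

def shingles(html, k=3):
    """Return the set of k-token windows over the lower-cased markup tokens."""
    tokens = re.findall(r"[a-z0-9_]+", html.lower())
    return {" ".join(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}

def jaccard(a, b):
    """Overlap of two shingle sets: 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def triage(pages, kit_html=KNOWN_KIT_HTML, blocked_hosts=(), threshold=0.5):
    """Label each (url, html) pair as 'known-host', 'kit-code' or 'clean'.

    A host that serves kit-like markup is added to the block set, so later
    pages on the same host are caught even if their markup changes.
    """
    hosts = set(blocked_hosts)
    kit = shingles(kit_html)
    verdicts = {}
    for url, html in pages:
        host = urlsplit(url).hostname
        if host in hosts:
            verdicts[url] = "known-host"
        elif jaccard(shingles(html), kit) >= threshold:  # assumed threshold
            verdicts[url] = "kit-code"
            hosts.add(host)
        else:
            verdicts[url] = "clean"
    return verdicts, hosts

# Constructed crawl results; every URL and page body below is invented.
SAMPLE_PAGES = [
    ("https://kit-host.example/p/1", "<p>loading</p>"),
    ("https://new-host.example/a", KNOWN_KIT_HTML.replace("TEMPLATE", "a91f")),
    ("https://new-host.example/b", "<h1>Verify your account</h1>"),
    ("https://intranet.example/login", '<form method="post" action="/session">'
     '<input type="email" name="user"><button>Sign in</button></form>'),
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_PAGES, blocked_hosts={"kit-host.example"})[0].items():
        print(verdict, url)
```

The second page on `new-host.example` is blocked by host alone, even though its markup no longer resembles the template.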
That said, Telegram is significantly lowering the bar for getting involved in phishing. Individuals looking to start conducting phishing campaigns no longer need to find the content they need on the dark web and learn their skills, as everything required to get started is freely available on Telegram. With many services offered for free, there is no initial outlay required other than a little time. It is no surprise that these services are proving popular. Kaspersky reports detecting 2.5 million pages generated with these phishing kits over the past 6 months.