Friday, May 24, 2024

Telegram – New Market Place for Selling Phishing Toolkits & Services

Telegram is becoming an increasingly popular platform for users as well as cyber-criminals. It has become a Mini Dark-web since 2021 when cyber threat actors have been using them.

The services these threat actors offer vary from Automation of Phishing, selling Phishers kits, and setting up a custom phishing campaign for everyone willing to pay.

To promote their stuff, these phishers create Telegram channels where they conduct polls, train their audience, and provide choices on what kind of personal data they prefer. 

Channel links are circulated via GitHub, YouTube, and the Phishing links they make. A detailed analysis of their pricing, services, and other information is listed below.

Offers Now: Telegram Black Market

These threat actors’ services are categorized into two “Paid” and “Free”. Telegram bots help many legitimate users automate regular tasks, answer customer FAQs, set reminders, etc. However, threat actors use the bots for phishing page creation or user data collection.

Creating a phishing page with a telegram bot involves the following steps,

  • Aspiring phisher joins a bot creator’s channel
  • Choose the language (English / Arabic)
  • Bot asks the phisher to create their bot and share its token with the current bot, which they call “Botfather.”
  • After sharing the token, the botfather generates many fake pages, all with the same domain.

Once the Botfather creates the phishing links, the phisher has to spread the link himself. 

Every time there is a victim to these phishing pages, the phisher will receive a message on his bot for which he shared the token with the botfather. 

The message will contain which link the victim visited, his IP address, and the credentials he entered.

Some bots that generate phishing pages slightly differ from links-generating bots that will initially ask for the service to replicate, such as Dropbox or Google. 

Following this, it asks the phisher to enter the link that he wants the users to redirect to once they have fallen for the phishing page, which will typically be a Google homepage. Once the options are given, it generates multiple links containing the same service replicated on all the generated links. 

The victims’ credentials will be received directly on this phishing bot on Telegram.

The basic phishing kit offers a service that forwards the required data into a utility with predefined packages available. 

After this, they have a script inside the phishing pages that will forward the stolen data to the bot to which the links are configured. Other information includes the chat identifier token and the URL to which the links have to redirect.

Mysterious question: Why the developer can’t configure this page to send a copy to his server is still unanswered.

These phishers are sometimes so generous that they post a link containing the resource for phishing pages of various brands and are ready-to-use templates.

Subscribers of these channels also frequently see links containing stolen personal data. They also tag these links as verified or not verified data. “YELLOW LIGHT DATA” stands for unverified data.

The research found that threat actors sold bank account credentials based on the available balance. For instance, a bank account with $1,400 was sold at $110, but an account worth $49,000 was sold at $700.

Phishing-As-A-Service (PhaaS)

Like SaaS or PaaS, Phaas (Phishing as a service) is also becoming increasingly popular. SaaS offers Software as a service; likewise, these malicious actors were found to offer “premium” subscriptions for the newbie phishers. This service includes guides for beginners, access to phishing tools, and technical support.

Sometimes, these threat actors mention that they have anti-bot systems, URL encryption, geoblocking, and other exciting features useful for attackers. When I looked closer, they contained scripts blocking web crawlers and other phishing detectors.

These kinds of pages differ in prices with different vendors ranging from $10 per copy to $50 for a several-page archive. Some exclusive featuring pages like 3-D secure support go up to $300.


Latest articles

Hackers Weaponizing Microsoft Access Documents To Execute Malicious Program

In multiple aggressive phishing attempts, the financially motivated organization UAC-0006 heavily targeted Ukraine, utilizing...

Microsoft Warns Of Storm-0539’s Aggressive Gift Card Theft

Gift cards are attractive to hackers since they provide quick monetization for stolen data...

Kinsing Malware Attacking Apache Tomcat Server With Vulnerabilities

The scalability and flexibility of cloud platforms recently boosted the emerging trend of cryptomining...

NSA Releases Guidance On Zero Trust Maturity To Secure Application From Attackers

Zero Trust Maturity measures the extent to which an organization has adopted and implemented...

Chinese Hackers Stay Hidden On Military And Government Networks For Six Years

Hackers target military and government networks for varied reasons, primarily related to spying, which...

DNSBomb : A New DoS Attack That Exploits DNS Queries

A new practical and powerful Denial of service attack has been discovered that exploits...

Malicious PyPI & NPM Packages Attacking MacOS Users

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.These...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles