Telegram – New Market Place for Selling Phishing Toolkits & Services

Telegram is becoming an increasingly popular platform for users as well as cyber-criminals. It has become a Mini Dark-web since 2021 when cyber threat actors have been using them.

The services these threat actors offer vary from Automation of Phishing, selling Phishers kits, and setting up a custom phishing campaign for everyone willing to pay.

To promote their stuff, these phishers create Telegram channels where they conduct polls, train their audience, and provide choices on what kind of personal data they prefer. 

Channel links are circulated via GitHub, YouTube, and the Phishing links they make. A detailed analysis of their pricing, services, and other information is listed below.

Offers Now: Telegram Black Market

These threat actors’ services are categorized into two “Paid” and “Free”. Telegram bots help many legitimate users automate regular tasks, answer customer FAQs, set reminders, etc. However, threat actors use the bots for phishing page creation or user data collection.

Creating a phishing page with a telegram bot involves the following steps,

• Aspiring phisher joins a bot creator’s channel
• Choose the language (English / Arabic)
• Bot asks the phisher to create their bot and share its token with the current bot, which they call “Botfather.”
• After sharing the token, the botfather generates many fake pages, all with the same domain.

Once the Botfather creates the phishing links, the phisher has to spread the link himself. 

Every time there is a victim to these phishing pages, the phisher will receive a message on his bot for which he shared the token with the botfather. 

The message will contain which link the victim visited, his IP address, and the credentials he entered.

Some bots that generate phishing pages slightly differ from links-generating bots that will initially ask for the service to replicate, such as Dropbox or Google. 

Following this, it asks the phisher to enter the link that he wants the users to redirect to once they have fallen for the phishing page, which will typically be a Google homepage. Once the options are given, it generates multiple links containing the same service replicated on all the generated links. 

The victims’ credentials will be received directly on this phishing bot on Telegram.

How do Telegram Bots receive these links?

The basic phishing kit offers a service that forwards the required data into a utility with predefined packages available. 

After this, they have a script inside the phishing pages that will forward the stolen data to the bot to which the links are configured. Other information includes the chat identifier token and the URL to which the links have to redirect.

Mysterious question: Why the developer can’t configure this page to send a copy to his server is still unanswered.

These phishers are sometimes so generous that they post a link containing the resource for phishing pages of various brands and are ready-to-use templates.

Subscribers of these channels also frequently see links containing stolen personal data. They also tag these links as verified or not verified data. “YELLOW LIGHT DATA” stands for unverified data.

The research found that threat actors sold bank account credentials based on the available balance. For instance, a bank account with $1,400 was sold at $110, but an account worth $49,000 was sold at $700.

Phishing-As-A-Service (PhaaS)

Like SaaS or PaaS, Phaas (Phishing as a service) is also becoming increasingly popular. SaaS offers Software as a service; likewise, these malicious actors were found to offer “premium” subscriptions for the newbie phishers. This service includes guides for beginners, access to phishing tools, and technical support.

Sometimes, these threat actors mention that they have anti-bot systems, URL encryption, geoblocking, and other exciting features useful for attackers. When I looked closer, they contained scripts blocking web crawlers and other phishing detectors.

These kinds of pages differ in prices with different vendors ranging from $10 per copy to $50 for a several-page archive. Some exclusive featuring pages like 3-D secure support go up to $300.

Related Read:

• Hackers Selling Telegram Insider Server Access on Dark Web Forums
• macOS Malware Added New Weapons to Its Arsenal To Attack Google Chrome & Telegram
• Telegram MTProxy Used to Launch DDoS Attack Against Cloud Service Provider Arvan – Peaks
• Hackers Drop Spyware and Steal the Password, Credit card and Browers Data