Telegram – New Market Place for Selling Phishing Toolkits & Services

Telegram is becoming an increasingly popular platform for users as well as cyber-criminals. It has become a Mini Dark-web since 2021 when cyber threat actors have been using them.

The services these threat actors offer vary from Automation of Phishing, selling Phishers kits, and setting up a custom phishing campaign for everyone willing to pay.

To promote their stuff, these phishers create Telegram channels where they conduct polls, train their audience, and provide choices on what kind of personal data they prefer. 

Channel links are circulated via GitHub, YouTube, and the Phishing links they make. A detailed analysis of their pricing, services, and other information is listed below.

Offers Now: Telegram Black Market

These threat actors’ services are categorized into two “Paid” and “Free”. Telegram bots help many legitimate users automate regular tasks, answer customer FAQs, set reminders, etc. However, threat actors use the bots for phishing page creation or user data collection.

Creating a phishing page with a telegram bot involves the following steps,

  • Aspiring phisher joins a bot creator’s channel
  • Choose the language (English / Arabic)
  • Bot asks the phisher to create their bot and share its token with the current bot, which they call “Botfather.”
  • After sharing the token, the botfather generates many fake pages, all with the same domain.

Once the Botfather creates the phishing links, the phisher has to spread the link himself. 

Every time there is a victim to these phishing pages, the phisher will receive a message on his bot for which he shared the token with the botfather. 

The message will contain which link the victim visited, his IP address, and the credentials he entered.

Some bots that generate phishing pages slightly differ from links-generating bots that will initially ask for the service to replicate, such as Dropbox or Google. 

Following this, it asks the phisher to enter the link that he wants the users to redirect to once they have fallen for the phishing page, which will typically be a Google homepage. Once the options are given, it generates multiple links containing the same service replicated on all the generated links. 

The victims’ credentials will be received directly on this phishing bot on Telegram.

The basic phishing kit offers a service that forwards the required data into a utility with predefined packages available. 

After this, they have a script inside the phishing pages that will forward the stolen data to the bot to which the links are configured. Other information includes the chat identifier token and the URL to which the links have to redirect.

Mysterious question: Why the developer can’t configure this page to send a copy to his server is still unanswered.

These phishers are sometimes so generous that they post a link containing the resource for phishing pages of various brands and are ready-to-use templates.

Subscribers of these channels also frequently see links containing stolen personal data. They also tag these links as verified or not verified data. “YELLOW LIGHT DATA” stands for unverified data.

The research found that threat actors sold bank account credentials based on the available balance. For instance, a bank account with $1,400 was sold at $110, but an account worth $49,000 was sold at $700.

Phishing-As-A-Service (PhaaS)

Like SaaS or PaaS, Phaas (Phishing as a service) is also becoming increasingly popular. SaaS offers Software as a service; likewise, these malicious actors were found to offer “premium” subscriptions for the newbie phishers. This service includes guides for beginners, access to phishing tools, and technical support.

Sometimes, these threat actors mention that they have anti-bot systems, URL encryption, geoblocking, and other exciting features useful for attackers. When I looked closer, they contained scripts blocking web crawlers and other phishing detectors.

These kinds of pages differ in prices with different vendors ranging from $10 per copy to $50 for a several-page archive. Some exclusive featuring pages like 3-D secure support go up to $300.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Hundreds of Fortune 500 Companies Have Unknowingly Employed North Korean IT Operatives

North Korean nationals have successfully infiltrated the employee ranks of major global corporations at a…

17 hours ago

Stealthy New NodeJS Backdoor Infects Users Through CAPTCHA Verifications

Security researchers have uncovered a sophisticated malware campaign utilizing fake CAPTCHA verification screens to deploy…

18 hours ago

State-Sponsored Hacktivism on the Rise, Transforming the Cyber Threat Landscape

Global cybersecurity landscape is undergoing a significant transformation, as state-sponsored hacktivism gains traction amid ongoing…

18 hours ago

NVIDIA Riva AI Speech Flaw Let Hackers Gain Unauthorized Access to Abuse GPU Resources & API keys

Researchers have uncovered significant security vulnerabilities in NVIDIA Riva, a breakthrough AI speech technology platform…

18 hours ago

Tsunami Malware Surge: Blending Miners and Credential Stealers in Active Attacks

Security researchers have recently discovered a sophisticated malware operation called the "Tsunami-Framework" that combines credential…

18 hours ago

The Double-Edged Sword of AI in Cybersecurity: Threats, Defenses & the Dark Web Insights Report 2025

Check Point Research's latest AI Security Report 2025 reveals a rapidly evolving cybersecurity landscape where…

19 hours ago