Telegram is a Wide-Open Marketplace for Phishing Tools – Source: securityboulevard.com

The encrypted messaging app Telegram has become a veritable marketplace for bad actors who want to launch effective phishing campaigns on the cheap, essentially democratizing the cyberthreat, according to researchers at cybersecurity firm Guardio.

Where once the various parts that make up a phishing attack – the kits, infrastructure, and expertise – could be had on invite-only forums on the dark web after navigating through various Tor Onion networks, now they can be easily found through simple searches on Telegram.

“This messaging app has transformed into a bustling hub where seasoned cybercriminals and newcomers alike exchange illicit tools and insights creating a dark and well-oiled supply chain of tools and victims’ data,” Guardio security researcher Oleg Zaytsev and Nati Tal, head of Guardio Labs, wrote in a report this week. “Free samples, tutorials, kits, even hackers-for-hire – everything needed to construct a complete end-to-end malicious campaign.”

It’s part of a larger trend in the cybercrime landscape of ransomware, distribute denial-of-service, and other threats as a service, with threat groups offering their tools for sale or rent to affiliates who take the lion’s share of the ill-gotten gains. As-a-service cybercrime enables even low-skilled hackers to access to the tools necessary for launching relatively sophisticated campaigns.

One-Stop Shopping

In this case, Telegram becomes the place where anyone can shop for the phishing tools they need, according to the Guardio researchers. It has been downloaded more than 1 billion times, with more than 464 million downloads last year. It has more than 800 million monthly users, so its reach is massive.

What Guardio found was that this massive network is also an increasingly popular shopping site for everything a cybercriminal could want.

“It’s startling how easily one can stumble upon these digital marketplaces on Telegram,” Zaytsev and Tal wrote. “Public channels, groups, and bots bustling with thousands of participants, where messages cascade continuously showcasing various products and services, tips and tricks, and knowledge you once had to dig deep into the dark web even to get close to.”

Sellers build reputations among the buyers and offer various deals, like free samples, trial versions, customer support, and money-back guarantees, “terms previously associated with legitimate businesses, signifying the emergence of a real industry with substantial financial stakes,” they wrote.

Word is Getting Around

Other cybersecurity vendors have seen the migration of tools for phishing and other threats to Telegram. Kaspersky researchers in a report last year wrote about how the messaging tool has become popular for phishing among bad actors.

“They have become adept at using Telegram both for automating their activities and for providing various services — from selling phishing kits to helping with setting up custom phishing campaigns — to all willing to pay,” they wrote. “To promote their ‘goods,’ phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, ‘What type of personal data do you prefer?’. Links to the channels are spread via YouTube, GitHub and phishing kits they make.”

Analysts with cybersecurity company ESET last year wrote about hackers using a new toolkit, dubbed Telekopye, that operates as a Telegram bot that helps scammers run phishing campaigns, including writing phishing emails and text messages.

Also last year, Aura, whose app offers online protection for devices, outlined almost a dozen Telegram app scams, including phishing.

Phishing on a Budget

In their report, the Guardio researchers focused on what they could find for phishing attacks. For as little as $230, they were able to pull together a malicious campaign from what’s available on Telegram.

All the building blocks – phishing web page creation, ways to host the operation, an email sending system, message writing, finding valid and relevant email addresses to target, and ways monetize the credentials stolen in the campaign – were available on Telegram, all offered at a low price of for free.

These tools can be fairly sophisticated. Some of those for the phishing web page – the “scampage” – have features for getting around two-factor authentication protection, for automating the hijacking of the account, and for customizing the page.

There are multiple options to choose from for hosting, sending phishing emails – like hacked credentials and backdoor mailers – data for finding email and phone numbers to target, and for making money from what’s been compromised and stolen.

One way that’s happening is when organized criminal groups buy credentials – called “logs” by bad actors – that have been stolen by small-scale scammers. The logs aren’t expensive: social media account credentials can be bought for as little as a dollar, though banking accounts and credit can go for hundreds of dollars.

Zaytsev and Tal also noted that phishing campaign tools often come from legitimate websites, services, or accounts that are compromised

“This situation highlights a dual responsibility for site owners,” they wrote. “They must safeguard not only their business interests but also protect against their platforms being used by scammers for hosting phishing operations, sending deceptive emails, and conducting other illicit activities, all unbeknownst to them.”