Tuesday, November 12, 2024
HomeCyber AttackTelegram - New Market Place for Selling Phishing Toolkits & Services

Telegram – New Market Place for Selling Phishing Toolkits & Services

Published on

Malware protection

Telegram is becoming an increasingly popular platform for users as well as cyber-criminals. It has become a Mini Dark-web since 2021 when cyber threat actors have been using them.

The services these threat actors offer vary from Automation of Phishing, selling Phishers kits, and setting up a custom phishing campaign for everyone willing to pay.

To promote their stuff, these phishers create Telegram channels where they conduct polls, train their audience, and provide choices on what kind of personal data they prefer. 

- Advertisement - SIEM as a Service

Channel links are circulated via GitHub, YouTube, and the Phishing links they make. A detailed analysis of their pricing, services, and other information is listed below.

Offers Now: Telegram Black Market

These threat actors’ services are categorized into two “Paid” and “Free”. Telegram bots help many legitimate users automate regular tasks, answer customer FAQs, set reminders, etc. However, threat actors use the bots for phishing page creation or user data collection.

Creating a phishing page with a telegram bot involves the following steps,

  • Aspiring phisher joins a bot creator’s channel
  • Choose the language (English / Arabic)
  • Bot asks the phisher to create their bot and share its token with the current bot, which they call “Botfather.”
  • After sharing the token, the botfather generates many fake pages, all with the same domain.

Once the Botfather creates the phishing links, the phisher has to spread the link himself. 

Every time there is a victim to these phishing pages, the phisher will receive a message on his bot for which he shared the token with the botfather. 

The message will contain which link the victim visited, his IP address, and the credentials he entered.

Some bots that generate phishing pages slightly differ from links-generating bots that will initially ask for the service to replicate, such as Dropbox or Google. 

Following this, it asks the phisher to enter the link that he wants the users to redirect to once they have fallen for the phishing page, which will typically be a Google homepage. Once the options are given, it generates multiple links containing the same service replicated on all the generated links. 

The victims’ credentials will be received directly on this phishing bot on Telegram.

The basic phishing kit offers a service that forwards the required data into a utility with predefined packages available. 

After this, they have a script inside the phishing pages that will forward the stolen data to the bot to which the links are configured. Other information includes the chat identifier token and the URL to which the links have to redirect.

Mysterious question: Why the developer can’t configure this page to send a copy to his server is still unanswered.

These phishers are sometimes so generous that they post a link containing the resource for phishing pages of various brands and are ready-to-use templates.

Subscribers of these channels also frequently see links containing stolen personal data. They also tag these links as verified or not verified data. “YELLOW LIGHT DATA” stands for unverified data.

The research found that threat actors sold bank account credentials based on the available balance. For instance, a bank account with $1,400 was sold at $110, but an account worth $49,000 was sold at $700.

Phishing-As-A-Service (PhaaS)

Like SaaS or PaaS, Phaas (Phishing as a service) is also becoming increasingly popular. SaaS offers Software as a service; likewise, these malicious actors were found to offer “premium” subscriptions for the newbie phishers. This service includes guides for beginners, access to phishing tools, and technical support.

Sometimes, these threat actors mention that they have anti-bot systems, URL encryption, geoblocking, and other exciting features useful for attackers. When I looked closer, they contained scripts blocking web crawlers and other phishing detectors.

These kinds of pages differ in prices with different vendors ranging from $10 per copy to $50 for a several-page archive. Some exclusive featuring pages like 3-D secure support go up to $300.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...