Threat actors focusing on phishing techniques have been increasingly using Telegram to automate their activities and provide various services.
The findings come from cybersecurity experts at Kaspersky, who described the new trend in a Wednesday advisory authored by web content analyst Olga Svistunova.
“To promote their ‘goods,’ phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls,” Svistunova explained. “Links to the channels are spread via YouTube, GitHub and phishing kits they make.”
Many channels observed by Kaspersky helped users automate malicious routine workflows such as generating phishing pages or collecting user data.
Technically speaking, the phishing kits presented as part of these campaigns were relatively primitive, as they generally included a script that receives user credentials and forwards them to the bot. Still, Svistunova said these campaigns were effective, nevertheless.
“What are these fake pages that are so easy to generate? A victim who clicks a link in a message that promises […] 1000 likes in TikTok will be presented with a login form that looks like the real thing.”
Kaspersky also noticed other Telegram channels used to sell online banking credentials.
“These have been checked, and even the account balances have been extracted,” reads the advisory. “The higher the balance, the more money scammers will typically charge for the credentials.”
Svistunova’s team also warned against Telegram channels advertising phishing-as-a-service operations.
“Scammers use Telegram channels to sell a range of subscriptions with customer support included,” she wrote.
“Support includes providing updates on a regular basis for the phishing tools, anti-detection systems and links generated by the phishing kits.”
Despite all the different techniques used by phishers on Telegram, Kaspersky said there are straightforward ways to spot them.
“Malicious sites generated by phishing bots are either hosted in the same domain, or share parts of HTML code, or both,” Svistunova wrote. “We have detected a total of 1483 attempts to access pages located in that domain since it emerged.”
The Kaspersky advisory comes roughly four months after a report by Cofense highlighted an 800% increase in the use of Telegram bots as exfiltration destinations for phished information between 2021 and 2022.