On Telegram, cybercriminals can find all the bait they need to set up and deploy sophisticated phishing campaigns against a wide net of unwitting targets. In this final installment of our series exploring Telegram’s cybercriminal underworld, we explore the platform’s illicit market for phishing tools and services.

In this fourth and final installment in our series exploring Telegram’s cybercriminal underworld, we will examine the thriving market for phishing tools and services on the platform.

In a phishing attack, the attacker employs social engineering tactics, impersonating a legitimate and trusted provider, brand or person in order to solicit personal data and credentials from their target. Within the cybercriminal ecosystem of chats and channels on Telegram, threat actors freely transact a variety of tools and services needed to conduct phishing campaigns, including phishing kits, spamming tools, contact lists and bespoke phishing pages, customized to the buyer’s request.

Figure 1: Organizations Most Commonly Mentioned in the Context of Phishing Tools and Services on Telegram

Let’s take a closer look at the various phishing tools and services advertised for sale on Telegram.

 

Phishing Templates

The most basic phishing-enablement tool sold on Telegram’s cybercriminal underground is the template for a phishing landing page, known as a “scam page.” These scam page templates comprise the fraudulent webpage design imitating the pages of credible and trusted brands. Actors that purchase these templates then need to develop their own backend infrastructure and distribution functionality.

The screenshot below provides an example of the phishing templates advertised for sale on Telegram, in this case, imitating pages belonging to popular US banks:

Figure 2: Phishing templates impersonating US banks

Similarly, this second post advertises phishing templates for several well-known brands, offering the added option of purchasing tutorials for setting up the page as well as comprehensive ‘spamming lessons’ for phishing campaign deployment and execution:

Figure 3: Phishing templates for well-known brands

 

Phishing Kits

A phishing kit is a package set of tools and utilities comprising all the necessary components – source codes, images, scripts, etc. – needed to build and launch a phishing attack. These kits include not only the frontend elements (the phishing page itself) but also the ready-made administrative backend code attackers need to manage the attack and exfiltrate the stolen data to a dedicated server.

The example below shows the components of a phishing kit offered for sale by an anonymous Telegram user, including phishing page templates, backend administrator panels, and pre-written phishing emails, in a “ready to send” package threat actors can buy and deploy against users of various popular services, including financial solutions, streaming services, and social media platforms:

Figure 4: Ready-made phishing kits including backend panels

Due to its ubiquity, Office365 is a heavily targeted brand for phishing impersonation campaigns. The sampled post below advertises a phishing kit targeting the Microsoft Office service, containing a fake login page designed to harvest victims’ usernames and passwords, as well as a ‘cookie grabbing’ feature, which allows attackers to access user accounts and credentials through session cookies stored in the web browser. The kit also includes an admin backend panel for managing the campaign:

Figure 5: Screenshot of scam page imitating a legitimate Office365 login interface
Figure 6: Phishing kit impersonating Microsoft Office365, including added ‘cookie grabber’ functionality

 

Bespoke Phishing Services

For actors with a deeper pocket, who are willing to invest a more substantial sum in order to execute phishing campaigns of a higher quality, Telegram’s market for bespoke phishing services is the place to look. In the post pictured below, the author advertises bespoke “page coding services”, claiming to be capable of coding “mostly anything you want”. The anonymous actor offers customized, bespoke phishing campaigns for dissemination over email, Telegram, and IRC, promising a scam page identical to that of the impersonated brand and inviting interested buyers to view and test his or her existing portfolio of scam pages:

Figure 7: Bespoke phishing services advertised on Telegram

 

Spamming Tools

Once the scam page and backend panel infrastructure has been set up, the attacker then needs to deploy the campaign against potential victims, disseminating spam messages designed to coax recipients to open the malicious link to the phishing landing page. Deployment of the phishing campaign usually involves the use of spamming tools, designed to blast out phishing messages to massive contact lists over media platforms, such as email, SMS, or messaging apps.

On Telegram, actors can find an abundance of spamming tools and services for sale, as well as contact lists replete with potential targets, known as “leads.”

In this example below, an anonymous Telegram user offers email and SMS sending services, as well as reverse IP lookups – used to generate leads. The actor also offers to craft and design the phishing message for dissemination:

Figure 8: Email & SMS spamming sender tools advertised on Telegram

In this second sample, another unknown Telegram user advertises SMS and emailing spam tools that include a customization functionality, allowing the buyer to change the sender name:

Figure 9: Customizable SMS sender offered for sale on Telegram

This third example advertises an SMS spamming service. For 400 GBP setup and 0.03-0.045 EUR per SMS, attackers can send spam messages that appear to originate from a UK area code:

Figure 10: SMS spammer using UK area code numbers

Finally, in this fourth post, the author offers pre-packaged spamming lists (leads), with contact information for tens of thousands of potential targets:

Figure 11: Packaged spam leads with contact information for tens of thousands of targets

Conclusion

Telegram provides the perfect platform for threat actors to anonymously trade phishing tools and services in bulk. However, like all items sold over Telegram, this ease of use is sometimes undermined by the questionable quality of the items. On underground forums and markets, sellers build reputations over time, and buyers are protected through various mechanisms, including escrow services. No such guarantees are provided on Telegram.

As such, cybercriminals looking to buy phishing tools and services on Telegram ought to be wary; while they might think that they are purchasing a quality tool to scam others, they might end up falling victim to a scam themselves!

Still, despite these problems relating to questionable quality-assurance, Telegram offers significant advantages for cybercriminals looking to transact illicit goods, tools and services, by virtue of its ease-of-use, encryption and anonymity. Therefore, we anticipate that Telegram will remain a popular platform within the cybercriminal underground.