Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers.
While the messaging platform has been used for cybercriminal activities for several years, it appears that threat actors in the phishing business have started to rely on it more lately.
A trend has been observed by researchers at cybesecurity company Kaspersky, who found a community having formed around the increasingly popular topic of phishing.
From selling services to offering advice and free initiation instructions, phishing actors are extremely active on Telegram.
Phishing services offer
A report from Kasperksy notes that phishers sell all types of phishing material and services to interested buyers, including ready-made kits, fake pages, subscriptions to tools, guides, and technical support.
According to the researchers, the following services are being offered through Telegram right now:
- Free phishing kits with pre-packaged tools that allow users to create phishing pages imitating known brands.
Contents of a free phishing kit (Kaspersky)
- Automated (bot-based) phishing page creation and user data collection.
Options offered by an automated bot (Kaspersky)
- Premium phishing and scam pages with a customizable interface, anti-bot systems, geoblocking, URL encryption, and even social engineering elements. The cost of these kits ranges from $10 to $300, depending on their features.
Fake giveaway pages sold on Telegram (Kaspersky)
- Stolen personal data and online banking credentials which are often verified.
User data offered for sale (Kaspersky)
- Phishing-as-a-service (PhaaS) subscriptions that provide access to tools, beginner guides, technical support, and regular updates for the provided anti-detection systems.
- One-time password (OTP) bots that help phishers bypass 2FA (two-factor authentication) protections automatically. These services are offered on subscription models at an indicative price of $130/week, or $500/month for custom deployments.
OTP bot features promoted on Telegram (Kaspersky) OTP tool interface (Kaspersky)
Some vendors who care about their reputation sell kits that encrypt the stolen data so that neither them nor the operators can access the victim’s information without paying their share to the other party.
Kaspersky says that Telegram is also the place for aspiring scammers to become more familiar with the phishing business for free.
More experienced phishers create Telegram channels with bots that provide step-by-step instructions to generate a phishing page.
The process is fully automated and ends with generating links to fake websites registered by the bot controller that mimic popular brands and services.
The only thing left for the beginner phisher is to distribute the links and wait for the sensitive info from victims be forwarded to the bot.
With this setup, the experienced phisher grooms a potential customer and can also grab a copy of the data.
Offering the above through Telegram not only makes operations easier and more profitable for sellers, who now have the platform’s bots do all the work for them, but also lowers the barrier of entry for inexperienced threat actors or aspiring phishers, easing their access into this crime space.
Kaspersky says it has detected over 2.5 million malicious URLs generated using phishing kits in the past six months and prevented 7.1 attempted accesses by users of its products over the same period.
These figures reflect the massive scale of phishing operations. This growth is made possible by the uncontrolled proliferation of kits and services and the thriving business backing it on Telegram.