Fraudsters Using Telegram API to Harvest Credentials

Phishing Campaign Bypasses Secure Email Gateway



Credentials are posted to the Telegram API and the user is redirected. (Source: Cofense)


A recently discovered phishing campaign attempted to steal victims' credentials by abusing the Telegram messaging app's API to create malicious domains that help bypass security tools such as secure email gateways, according to researchers at security firm Cofense.


This particular phishing attack appeared active in mid-December 2020 and has since stopped. The targets of these malicious emails mainly worked in the U.K. financial services sector, Cofense notes.


While the Telegram application offers secure, encrypted communication channels for its users, the Cofense report notes that the service also offers APIs that let users build programs that send and receive messages through the app. In this case, the fraudsters used those APIs as part of realistic-looking phishing domains that bypassed security tools.

"For this particular campaign, they spoofed an email account that appeared to an internal user as legitimate," says Jake Longden, a threat analyst at Cofense. "Then they used a domain as the site for the URL redirection that most likely at the time wasn't a known bad site, but which is now classified as malicious."


Telegram is an encrypted messaging app that has more than 500 million monthly active consumer and business users. Regular messages are not end-to-end encrypted, but Telegram offers an optional mode that provides end-to-end encryption.

How Phishing Attacks Worked

The targets of this particular campaign were sent phishing emails that appeared to come from an internal source, with addresses such as "[email protected]," but which actually originated with a source outside the organization, according to the report.


The phishing emails typically came with an urgent message alert in the subject line, such as "Review All Pending Messages," which is designed to get the potential victim to open the message, Cofense notes.

"The user is presented with a notice advising that they have messages to review. The bold and large title attracts attention, and is followed by further information to clarify the purpose of the email," according to the report. "Then there's a button for the user to click to 'Release All' the blocked emails to their inbox."


If the targeted victim clicks the link to inspect the messages, they are led to a malicious domain that is created from the Telegram API and designed to look like a webmail login page that asks for credentials, according to the report. The webpage also reads the user's email address from the URL and displays it, adding another layer of apparent legitimacy.


After the user's password and other credentials are harvested, the information is sent to the Telegram API endpoint set up by the fraudsters, while the victim is shown a message saying the account has been updated, Cofense notes.

"Once the malicious domain has been identified, it can be blocked. However, by utilizing the Telegram API, the threat actor is working to circumvent interference," according to the report. "They're complicating methods for removing stored credentials that have been harvested, and can view and access these credentials at their convenience on a page they control."
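The flow described above (the phishing page reads the victim's address from its own URL, then posts the captured credentials to the Telegram Bot API) leaves a traffic pattern a defender can hunt for: a call to api.telegram.org whose Referer is an ordinary web page rather than a server-side bot. The following is an added example, not code from the Cofense report or this article; the proxy log format, the sample lines and the bot token in them are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Methods that push data out of the caller; a login page has no reason to call these
EXFIL_METHODS = {"sendmessage", "senddocument", "sendphoto"}

# Constructed sample proxy log lines: "<timestamp> <client ip> <method> <url> <referer or ->"
SAMPLE_LOGS = [
    "2020-12-15T09:12:01Z 10.1.2.3 GET https://mail-review.example.invalid/release?email=j.doe%40corp.example -",
    "2020-12-15T09:12:09Z 10.1.2.3 POST https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/sendMessage"
    " https://mail-review.example.invalid/release?email=j.doe%40corp.example",
    "2020-12-15T09:15:44Z 10.1.2.7 GET https://api.telegram.org/bot1234567890:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates -",
    "2020-12-15T09:20:00Z 10.1.2.9 GET https://www.example.com/ -",
]

def parse_line(line):
    ts, client, method, url, referer = line.split(" ", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "referer": referer}

def analyse(entry):
    """Return a finding for a Bot API call, or None; severity rises with each exfiltration indicator."""
    u = urlsplit(entry["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH.match(u.path)
    if not m:
        return None
    bot_id, secret, api_method = m.groups()
    reasons = []
    if api_method.lower() in EXFIL_METHODS:
        reasons.append("data-sending Bot API method")
    if entry["referer"] != "-":
        r = urlsplit(entry["referer"])
        if r.hostname != "api.telegram.org":
            # A browser page, not a server-side bot, is the caller: the phishing-kit pattern
            reasons.append(f"called from a web page on {r.hostname}")
            if any(EMAIL.match(v) for vals in parse_qs(r.query).values() for v in vals):
                reasons.append("referring page carries a victim email address in its URL")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"ts": entry["ts"], "client": entry["client"], "bot_id": bot_id,
            # never log the full token: it is itself a credential for the attacker's bot
            "token": f"{bot_id}:{secret[:4]}...[redacted]",
            "api_method": api_method, "severity": severity, "reasons": reasons}

def scan(lines):
    return [f for f in (analyse(parse_line(l)) for l in lines) if f]
```

The `getUpdates` call is reported at "info" only, since legitimate bots poll that endpoint; the high-severity hit is the browser-originated `sendMessage` with a victim address in the referring URL.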

Telegram Abuse

Other security researchers have found cases in which fraudsters and cybercriminals are abusing other features found in Telegram for their own purposes.


In September 2020, security firm Malwarebytes found that some fraudsters had started using Telegram as a way to sweep up payment card data from victims, using Base64-encoded strings in conjunction with a bot (see: Fraudsters Use Telegram App to Steal Payment Card Data).


Researchers with Juniper Threat Labs found hackers targeting victims by using a Trojan, which then created a secure Telegram channel to send data back to the attackers' command-and-control server, according to a September 2019 report.



Source: Fraudsters Using Telegram API to Harvest Credentials
