
Telegram is the new marketplace for tools, infrastructure, tutorials, stolen data, and everything else scammers need to conduct a phishing operation, researchers at Guardio said in a recent report.

With tools and information once confined to the invite-only dark web forums now easily accessible, the barrier to entry for cybercriminals is dramatically lower.

“Unfortunately, with just a small investment, anyone can start a significant phishing operation, regardless of prior knowledge or connections in the criminal underworld,” Guardio researchers Oleg Zaytsev and Nati Tal said in their report.

The researchers detailed how, for as little as $230, scammers can source various tools and services on Telegram to launch a mass phishing attack.

The Dark Market Ecosystem on Telegram

Since as far back as 2019, researchers have warned that cybercriminals are migrating from the dark web to Telegram amid an intense crackdown on dark web marketplaces.

There are numerous public channels, groups, and bots on Telegram — with thousands of members — dedicated to cybercrime, the researchers said. These spaces feature a cascading flow of messages presenting a wide range of products and services, helpful tips, and insights that previously required extensive searching to find on the dark web.

Guardio’s investigation highlights how Telegram facilitates the entire lifecycle of phishing operations, from the sale of scam pages mimicking reputable companies to hosting solutions for these phishing pages. There are even “VIP” packages for beginner scammers, which include several phishing tools and services along with tutorials on how to use them.

This illegal ecosystem on Telegram allows cybercriminals to launch phishing campaigns targeting millions.

Bank of America Phishing Experiment

To demonstrate the availability of phishing tools on Telegram, Guardio researchers recreated a popular phishing scam that baits victims with a fake Bank of America login page.

They found a thriving market on Telegram for a range of pre-built phishing pages spoofing various brands, with prices ranging from $10 for basic ones to $800+ for advanced designs that include two-factor authentication bypass and “real-time account hijacking automation,” the report said.

There are various options for hosting such scam pages, the researchers said. There are “offshore” bulletproof hosting providers known for hosting malicious content without interruption. Ultimately, they settled on web shells that allow scammers to host their pages on compromised reputable websites.

To spread these scam pages, the researchers showed how cybercriminals can easily find hacked SMTP credentials, backdoor mailers, and mass mailer services on Telegram. These services allow scammers to send hundreds of thousands of phishing emails daily.

And to craft a convincing phishing email, the researchers purchased pre-designed “Letters” from Telegram. These are expertly branded templates designed to bypass spam filters and appear authentic, often employing techniques like content randomization, invisible characters, and embedded analytics.
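A defender-side sketch of how a mail filter can surface two of the techniques named above, invisible characters and embedded analytics. This is an added example, not code from Guardio's report; the watched brand list, the function name, and the sample message are constructed assumptions.

```python
import re
import unicodedata
from email import message_from_bytes
from email.policy import default

BRANDS = ("bank of america",)  # assumption: brand names this filter watches for
TAG = re.compile(r"<[^>]+>")
# A remote image declared as 1x1 is a common open-tracking beacon.
PIXEL = re.compile(
    r"<img\b(?=[^>]*\bwidth=[\"']?1[\"'\s>])(?=[^>]*\bheight=[\"']?1[\"'\s>])[^>]*>",
    re.I,
)

# Constructed sample (not from the report): the brand name is split with
# zero-width characters and a 1x1 remote image is embedded.
SAMPLE = (
    "From: alerts@example.test\n"
    "Subject: Account notice\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: 8bit\n"
    "\n"
    "<p>Your B\u200bank of Am\u200cerica account is locked.</p>\n"
    '<img src="http://tracker.example.test/o.gif" width="1" height="1">\n'
).encode("utf-8")


def is_invisible(ch: str) -> bool:
    # Unicode category Cf covers zero-width space/joiners, soft hyphen, BOM.
    return unicodedata.category(ch) == "Cf"


def inspect_body(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=default)
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part else ""
    text = TAG.sub(" ", html)
    cleaned = "".join(c for c in text if not is_invisible(c))
    # A brand that matches only after stripping was deliberately obscured.
    evaded = [b for b in BRANDS
              if b in cleaned.lower() and b not in text.lower()]
    return {
        "invisible_chars": sum(1 for c in text if is_invisible(c)),
        "brands_hidden_by_invisible_chars": evaded,
        "tracking_pixels": len(PIXEL.findall(html)),
    }
```

A raw count of invisible characters is noisy on its own, since emoji sequences and some scripts use them legitimately; a brand name that appears only after stripping them is the stronger signal.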

They also acquired a substantial list of relevant email addresses, or “leads,” from Telegram. For $200, the researchers purchased a dataset containing information about 100,000 Bank of America customers.

With this, they could send phishing emails containing the fake Bank of America login page. And some victims clicked the link.

“Our efforts soon start to bear fruit. Victims fall for the trap, clicking on the link, and some even proceed to log into the fraudulent bank site — our scampage. Once they do this, their bank accounts become compromised,” the researchers said in their report.

Smaller-scale scammers usually sell compromised account logins to bigger, more organized criminal groups, who use this data in other illegal schemes.

How to Protect Yourself From Phishing Attacks

Phishing attacks are becoming increasingly sophisticated and harder to detect. However, age-old phishing prevention measures can protect you.

  • Be wary of unsolicited messages and emails, especially those that prompt immediate action or contain links and attachments. If you’re in doubt, verify the authenticity of a message by contacting the sender through official channels.
  • Use reliable antivirus software that offers real-time protection against phishing and malware.
  • Regularly update and patch all software to mitigate vulnerabilities.
  • Use strong, unique passwords for different accounts and enable multi-factor authentication wherever possible to add an extra layer of security. Ideally, use a trusted password manager like NordPass.
  • Keep an eye on your personal and financial information online.

We also recommend using a top-tier VPN (virtual private network) to protect your internet traffic from prying eyes. NordVPN is our top-rated VPN service, and it comes with real-time Threat Protection, which shields you from phishing sites, malware, and other online threats. It even scans your device for vulnerabilities that threat actors can exploit.

Organizations should prioritize cybersecurity awareness training for their employees, focusing on the latest phishing tactics and how to recognize them. Training should include simulations of phishing attacks to test and reinforce learning.
