Fraudsters Using Telegram API to Harvest CredentialsPhishing Campaign Bypasses Secure Email Gateway
A recently discovered phishing campaign attempted to steal victims' credentials by abusing the Telegram messaging app's API to create malicious domains that help bypass security tools such as secure email gateways, according to researchers at security firm Cofense.
This particular phishing attack appeared active in mid-December 2020 and has since stopped. The targets of these malicious emails mainly worked in the U.K. financial services sector, Cofense notes.
While the Telegram application offers secure, encrypted communication channels for its users, the Cofense report notes that the service also offers API options that can allow users to create programs that use the app's messages for an interface. In this case, the fraudsters used the APIs to create realistic-looking phishing domains that bypassed security tools.
"For this particular campaign, they spoofed an email account that appeared to an internal user as legitimate," says Jake Longden, a threat analyst at Cofense. "Then they used a domain as the site for the URL redirection that most likely at the time wasn't a known bad site, but which is now classified as malicious."
Telegram is an encrypted messaging app that has more than 500 million monthly active consumer and business users. Normal messages are not fully encrypted, but Telegram has an advanced service with end-to-end encryption.
How Phishing Attacks Worked
The targets of this particular campaign were sent phishing emails that appeared to come from an internal source, with addresses such as "email@example.com," but which actually originated with a source outside the organization, according to the report.
The phishing emails typically come with an urgent message alert in the subject line, such as "Review All Pending Messages," which is designed to get the potential victim to open the message, Cofense notes.
"The user is presented with a notice advising that they have messages to review. The bold and large title attracts attention, and is followed by further information to clarify the purpose of the email, according to the report. "Then there’s a button for the user to click to 'Release All' the blocked emails to their inbox."
If the targeted victim clicks the link to inspect the messages, they are led to a malicious domain that is created from the Telegram API and designed to look like a webmail login page that asks for credentials, according to the report. The webpage also pulls in the user's email address from the URL to give it another layer of legitimacy.
After the user's password and other credentials are harvested, the information is then sent to the Telegram API created by the fraudsters, while the victim receives a message that the account has been updated, Cofense notes.
"Once the malicious domain has been identified, it can be blocked. However, by utilizing the Telegram API, the threat actor is working to circumvent interference," according to the report. "They're complicating methods for removing stored credentials that have been harvested, and can view and access these credentials at their convenience on a page they control."
Other security researchers have found cases in which fraudsters and cybercriminals are abusing other features found in Telegram for their own purposes.
In September 2020, security firm Malwarebytes found that some fraudsters had started using Telegram as a way to sweep up payment card data from victims using Base64 encoding strings in conjunction with a bot (see: Fraudsters Use Telegram App to Steal Payment Card Data).
Researchers with Juniper Threat Labs found hackers targeting victims by using a Trojan, which then created a secure Telegram channel to send data back to the attackers' command-and-control server, according to a September 2019 report.