When Telegram CEO, Pavel Durov, was arrested in August of 2024 it put the spotlight on the criminal use of third-party platforms. The arrest came because of what officials believed to be a lack of moderation and cooperation from Telegram in fighting crimes against children. While crimes of this nature should remain a top priority for authorities, countless other transgressions are also facilitated using the Telegram platform, including phishing.
INKY’s Catch – A Telegram Bot-Enabled Phishing Scam
Telegram Messenger, known simply as Telegram, is a cloud-based, multi-platform social media and instant messaging (IM) service. INKY discovered an increase in the use of HTML attachments that abuse Telegram bots in phishing attacks. Telegram bots are automated API-driven programs that run inside Telegram, performing tasks like sending messages, retrieving information, or interacting with users. While Telegram is not designed for criminal activities, its focus on privacy and flexibility appeals to those looking for ways to avoid detection or prosecution.
In this phishing scam, recipients received an email with an HTML attachment. The attached file’s name uses the local part of the recipient’s email address, in other words, everything before the @ symbol.
Clicking on the HTML attachment isn’t “dangerous” (no data is harmed, manipulated, or stolen). However, the HTML attachment builds a local website that’s only accessible to the recipient's browser (the file isn’t hosted on a public server). The page mimics a legitimate Microsoft login page and uses a form to collect credentials from the user.
The form (with id="voicemailForm") captures the recipient's email and password when they press the "Sign in" button.
Instead of submitting the data to a legitimate Microsoft server, it triggers a JavaScript (jQuery) event that sends the email, password, and the user's IP address to the attacker via a Telegram bot.
The bot's details are stored in the variables chatId and apiToken, which direct the stolen data to the attacker's Telegram account.
The script fetches the user's public IP address using the service https://api.ipify.org?format=json and includes this IP address in the message sent to the attacker.
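As an added example (not INKY’s code and not the attachment itself), the following Python scanner flags HTML attachments that carry the traits described above: a filename equal to the recipient’s local part, a password form, a jQuery submit hook, Telegram bot variables and API URL, and the ipify lookup. The sample HTML, chat id and bot token are constructed placeholders.

```python
import re
from typing import Dict, List

# Traits of this campaign, each as a regex over the raw attachment text.
INDICATORS = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
    "telegram_bot_token": re.compile(r"\b\d{6,12}:[A-Za-z0-9_-]{30,}\b"),
    "telegram_bot_vars": re.compile(r"\b(chatId|chat_id|apiToken|botToken)\b"),
    "public_ip_lookup": re.compile(r"api\.ipify\.org", re.I),
    "password_input": re.compile(r"<input\b[^>]*type\s*=\s*[\"']?password", re.I),
    "jquery_submit_hook": re.compile(r"\$\(\s*[\"']#\w+[\"']\s*\)\.(submit|on\(\s*[\"']submit)", re.I),
}

def attachment_named_after_recipient(filename: str, recipient: str) -> bool:
    """True when the .html filename is the local part of the recipient address."""
    local_part = recipient.split("@", 1)[0].lower()
    stem = re.sub(r"\.html?$", "", filename, flags=re.I).lower()
    return stem == local_part

def scan_html_attachment(html: str) -> List[str]:
    """Return the names of every indicator found in the attachment body."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]

def verdict(filename: str, recipient: str, html: str) -> Dict[str, object]:
    """'block' when a password form is wired to a Telegram bot, 'review' on any hit."""
    hits = scan_html_attachment(html)
    if attachment_named_after_recipient(filename, recipient):
        hits.append("filename_is_recipient_local_part")
    exfil = {"telegram_bot_api", "telegram_bot_token", "telegram_bot_vars"} & set(hits)
    if "password_input" in hits and exfil:
        level = "block"
    elif hits:
        level = "review"
    else:
        level = "clean"
    return {"verdict": level, "indicators": sorted(hits)}

# Constructed excerpt for testing; only the indicator strings are present, no working exfil logic.
SAMPLE_HTML = """<html><body>
<form id="voicemailForm"><input type="email" name="email">
<input type="password" name="passwd"><button>Sign in</button></form>
<script>
var chatId = "000000000"; // placeholder, not a real chat id
var apiToken = "123456789:PLACEHOLDERTOKENPLACEHOLDERTOKENxyz"; // placeholder shape only
$("#voicemailForm").submit(function(e){ /* handler body omitted */ });
// fetch("https://api.ipify.org?format=json") ... "https://api.telegram.org/bot" + apiToken + "/sendMessage"
</script></body></html>"""

if __name__ == "__main__":
    print(verdict("jdoe.html", "jdoe@example.com", SAMPLE_HTML))
```

The same checks can run in a mail gateway over every text/html attachment; the filename rule alone is weak, so it only raises the verdict in combination with the other hits.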
Why Bad Actors Record IP Addresses
Bad actors record IP addresses for several reasons, usually to gain information or exploit vulnerabilities. Here's why they might do this:
1. Tracking and Identification
- Location Information: While IP addresses don't give exact home addresses, they can often reveal the general geographic location of the user (city, region, or even the country). This helps attackers profile their victims.
- Targeting Specific Regions: Some cybercriminals focus on users from specific regions due to the availability of exploit methods, legal differences, or even language.
2. Launching Attacks
- DDoS (Distributed Denial of Service) Attacks: With a known IP address, attackers can flood the target system or network with traffic, causing it to slow down or crash.
- Port Scanning: IP addresses can be used to scan for open ports or services that might have vulnerabilities. Once identified, these can be exploited for unauthorized access.
3. Anonymity Exposure
- Bypassing Anonymity Tools: Some people use VPNs or proxies to hide their real IP addresses. However, if an attacker can obtain the actual IP address, they can compromise the user's anonymity, making them more vulnerable to surveillance or targeting.
4. Exploiting Vulnerable Devices
- Access to IoT Devices: Many Internet of Things (IoT) devices are not properly secured and can be directly targeted by attackers if their IP addresses are known.
- Exploiting Routers or Firewalls: Poorly configured routers or firewalls can be accessed or exploited through known IP addresses, allowing attackers into local networks.
5. Credential Stuffing and Brute Force Attacks
- Login Attempts: Bad actors may use the IP to perform brute force attacks (guessing passwords) on systems where they know the target’s IP, such as private servers, home routers, or web applications.
6. Social Engineering and Phishing
- Tailored Phishing Attacks: With an IP address, an attacker can guess or learn more about a target (ISP, location, potential organizations or companies) and create more convincing phishing schemes.
IP addresses act as a starting point for further reconnaissance or direct attacks. While an IP address alone doesn’t give full control or deep personal information, it opens the door to a range of tactics for exploitation.
----------------------
After the recipient clicks "Sign in," the data is sent and a fake error message appears that says, "incorrect password press ok to try again.!" to make the recipient believe their credentials were wrong, potentially causing them to enter them again or continue interacting with the malicious site.
If this attack is successful, the bad actor has extracted the recipient’s login credentials and IP address, which can be used for further malicious purposes such as an account takeover or more phishing attacks.
Why Criminals Choose Telegram
There are a number of reasons why Telegram became the platform of choice when it comes to unlawful activity, including:
End-to-End Encryption (Secret Chats): Telegram offers end-to-end encryption in its "Secret Chats," ensuring that only the sender and recipient can read the messages. These chats also provide the option for self-destructing messages after a set time, adding another layer of privacy that makes it difficult for law enforcement to track conversations.
Anonymity: Telegram allows users to create accounts without providing extensive personal information. Users can sign up with just a phone number, and they don’t need to share other details like their real names or email addresses. This level of anonymity makes it harder to identify individuals behind accounts.
Large Group and Channel Features: Telegram supports the creation of large groups (up to 200,000 members) and channels, which can be used to broadcast messages to an unlimited number of subscribers. These features make it easy for criminals to share information, coordinate activities, or distribute illicit content on a large scale.
File Sharing: The platform allows users to send and receive files of up to 2GB in size, which can be used to distribute pirated content, malicious software, or illegal documents.
Lack of Strict Moderation: Telegram has historically been less aggressive about moderating content compared to some other social media platforms. While the company has taken steps to address certain illegal activities, like terrorism or child exploitation, some criminal groups may still see it as a more lenient platform.
Access to Public and Private Channels: Many criminal networks use Telegram channels and private groups to communicate, sell illegal goods or services (such as drugs, counterfeit documents, or hacking tools), or even share insider information. These channels often go under the radar due to the sheer volume of content and the ability to keep them private or restricted.
Cross-Platform Access: Telegram is available across multiple platforms—mobile, desktop, and web—which provides flexibility for users to communicate from any device. This adaptability can make it more convenient for criminal organizations to coordinate globally.
Obscurity in Jurisdictions: Telegram has occasionally found itself at odds with governments attempting to regulate or ban it. In some cases, the platform resists complying with government surveillance requests, and this perceived resistance to government intervention can make it appealing to criminals seeking to evade detection.
Encrypted Cloud Storage: All non-secret chats on Telegram are encrypted and stored in the cloud, allowing access from multiple devices. Although not end-to-end encrypted by default, the platform’s secure cloud infrastructure can still make it challenging for authorities to access information, especially if they don't have Telegram's cooperation.
Recap of Phishing Techniques
Credential Harvesting — occurs when a victim tries to log into what they think is Microsoft’s website but enters credentials into a form controlled by bad actors.
HTML Smuggling — evading detection by hiding malicious code in HTML attachments.
Best Practices: Guidance and Recommendations
- Use your browser’s address bar to confirm that you’re on a website rather than a local file.
- Don’t open attachments from unknown senders.
Following his arrest, Telegram CEO Pavel Durov said that his personal goal was to ensure his company made significant improvements in regard to stopping those with criminal intent from abusing the Telegram platform. While our hope is that phishing threats leveraging Telegram will cease, there are certainly no promises. Until then, to truly have a handle on phishing threats such as these, you need assistance from a third-party email security expert.
INKY offers a relentlessly effective level of security, capable of detecting and stopping phishing threats before anyone becomes a victim. Using computer vision, artificial intelligence, and machine learning, INKY provides a level of ingenuity that is unlike other email security platforms. INKY sees things the way humans do, recognizing logos, brand colors, email signatures, and more — but it also sees the millions of things humans can’t, spotting imposters by as little as a pixel.
See what INKY can do for your business and your customers. Schedule a free demonstration today.
----------------------
INKY is an award-winning, behavioral email security platform that blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.