Telegram has been gaining popularity with users around the world year by year. Common users are not the only ones who have recognized the messaging app’s handy features — cybercrooks have already made it a branch of the dark web, their Telegram activity soaring since late 2021.
The service is especially popular with phishers. They have become adept at using Telegram both for automating their activities and for providing various services — from selling phishing kits to helping with setting up custom phishing campaigns — to all willing to pay.
To promote their “goods”, phishers create Telegram channels through which they educate their audience about phishing and entertain subscribers with polls like, “What type of personal data do you prefer?”. Links to the channels are spread via YouTube, GitHub and phishing kits they make.
This story covers the variety of phishing services available on Telegram, their details and pricing, and ways of detecting phishing content that originates in Telegram.
After reviewing phishers’ Telegram channels that we detected, we broke down the services they promoted into paid and free.
Functional and configurable, Telegram bots help private users and businesses with automating many routine workflows, such as searching for and retrieving information on schedule, answering frequently asked questions from customers, setting up reminders and many others. Malicious actors use Telegram bots to automate illegal activities, such as generating phishing pages or collecting user data.
The process of creating a fake website with a Telegram bot typically includes the following steps:
The wannabe phisher joins the bot creator’s channel.
As a rule, the bot offers to select a language once started. In the example below, the bot speaks English and Arabic.
Starting a Telegram phishing bot
Phishing bot asking the user to set up a new bot and share the token
List of off-the-shelf pages in the same domain
Distributing the links is something the wannabe phisher has to do without any help from the bot. If a visitor enters their credentials on the fake page, a notification will be sent to the chat with the bot that our beginning scammer created while generating links to the fake page. The notification will typically contain the phishing link, the victim’s credentials, the name of the country that they logged in from, the country code and the IP address of the device that was used.
Message with the stolen data received by the phisher
Bots that generate phishing pages may differ slightly. For instance, before generating phishing links, one particular bot offers to select a service to mimic and enter a URL the victim will be redirected to after trying to log in. The latter is typically the Google home page or the main page of the service that the phishing page imitates. Once a URL is entered, the bot will generate several scam links targeting users of the service. In this case, victims’ credentials will be sent directly to the phishing bot.
List of services suggested by the bot
What are these fake pages that are so easy to generate? A victim who clicks a link in a message that promises, say, 1,000 likes in TikTok will be presented with a login form that looks like the real thing. The page typically contains nothing besides that form. We filled in the login and password fields in the screenshot below.
Fake TikTok login page generated by the phishing bot
From an engineering standpoint, this is a rather primitive product of a basic phishing kit. When a scammer requests a phishing page from a Telegram bot, it forwards the request along with all required data to a utility that assembles pages from predefined packages and returns hyperlinks. To forward the stolen data to the bot, phishing kits include a script into which the token of the bot that receives user credentials, Telegram bot chat identifier and a URL to redirect the user after entering their credentials will be inserted. Some scripts may lack the URL field.
Script to configure stolen data forwarding to the Telegram bot
By the way, there is no reason why the developer of a phishing kit cannot configure it to grab a copy of the data obtained by the unsuspecting newbie phisher.
Scammer-operated Telegram channels sometimes post what appears to be exceptionally generous offers, for example, zipped up sets of ready-to-use phishing kits that target a large number of global and local brands.
Archive with phishing kits posted in a Telegram scam channel
Contents of a free phishing kit archive
Phishers also share stolen personal data with their subscribers, tagging it with information on whether it was verified or not. “Yellow light data” in the screenshot below stands for “unknown data quality”. This is probably an allusion to the yellow traffic light.
Files containing free credentials of US and Russian users
Why would scammers so generously share valuable data with others instead of using it for their own benefit? One reason is that any free content or manuals so willingly distributed by scammers to their Telegram audience serve as bait of sorts for less experienced phishers to bite. Newbies get a taste of what phishing tools can do, pull off their first scam and wish for more, which is when they will be offered paid content.
Another reason is recruiting an unpaid workforce. As mentioned above, the creators of phishing bots and kits can get access to data collected with tools they made. To attract larger audiences, scam operators advertise their services, promising to teach others how to phish for serious cash.
Ad for a Telegram channel offering phishing content
Besides free phishing kits and bot-powered scams, Telegram fraudsters offer paid phishing pages and data, as well as phishing-as-a-service (PhaaS) subscriptions. The service may include access to phishing tools, as well as guides for beginners and technical support.
Malicious actors offer “premium” phishing and scam pages for sale. Unlike the primitive copies of popular websites, these offers include pages built from scratch with a range of advanced capabilities or tools for generating such pages. For instance, a “premium” page may include elements of social engineering, such as an appealing design, promises of large earnings, an anti-detection system and so on.
Scam pages offered for sale in Telegram
In the screenshot below, the seller promises that each of their “projects” has an anti-bot system, URL encryption, geoblocking and other features that attackers will find useful. The seller goes on to offer custom phishing pages that can include any components requested by the customer.
The seller’s description of advanced phishing page functionalities
After looking closer at these offers, we found that they do contain scripts to block web crawlers and anti-phishing technology. Therefore, these projects are essentially complex or advanced phishing kits.
Contents of a phishing kit archive with an anti-bot system
“Premium page” vendors update their anti-bot systems regularly, so the phishing contents could remain undetected and thus, usable.
Phishing page vendor announcing the anti-bot system has been updated
Prices for this kind of fake pages differ, with some vendors asking $10 per copy, and others charging $50 for an archive with several pages in it. A package that includes less frequently offered features, for example, 3-D Secure support, and assistance with configuring a fake website, may cost up to $300.
Scam page with 3-D Secure support offered for $280
Online banking credentials obtained through phishing techniques are often offered for sale too. Unlike the free data mentioned above, these have been checked, and even the account balances have been extracted. The higher the balance, the more money scammers will typically charge for the credentials.
For example, the same Telegram channel offered the credentials for a bank account with $1,400 in it for $110, whereas access to an account with a balance of $49,000 was put up for $700.
Offer of credentials for an account with a balance of $1,400
Offer of credentials for an account with a balance of $49,000
In addition to one-time sales of phishing kits and user data, scammers use Telegram channels to sell a range of subscriptions with customer support included. Support includes providing updates on a regular basis for the phishing tools, anti-detection systems and links generated by the phishing kits.
An OTP (one-time password) bot is another service available by subscription. Legitimate services use one-time passwords as a second authentication factor. Many organizations enforce a two-factor authentication (2FA) requirement these days, which makes it impossible to hijack an account with just the login and password. Phishers use OTP bots to try and hack 2FA.
The bots call users, posing as the organization maintaining the account that the phishers are trying to hack, and convince them to enter a 2FA code on their phones. The calls are fully automated. The bot then enters the code in a required field, giving the phisher access to the account.
List of OTP bot features and benefits
According to a bot vendor we talked to, a weekly subscription with unlimited calls will set a beginning scammer back $130, while a monthly subscription including bot customization costs as much as $500.
Our chat with the vendor about OTP bot pricing
Another OTP bot is offered on a pay-per-minute, prepaid basis. Rates start at $0.15 per minute depending on the destination. The bot can record calls and store settings, such as the victim’s phone number, name and so on.
OTP bot interface: the victim’s name and phone number, service name and language are required for setting up a call
A customer who shares this information with the bot creators, along with a screenshot showing the victim’s account number, balance and other details, may be rewarded with a small amount added to their OTP bot balance: $5 for two units of information and $10 for three or more.
Some PhaaS vendors take their customers’ trust seriously. In the screenshot below, you can see assurances that all data obtained with paid tools is reliably encrypted, so that neither the vendor nor any third parties can read it. All these vendors want is their customers to remain loyal.
PhaaS vendor explaining to customers that all their data is reliably encrypted
Despite phishers who offer their services in Telegram use many ways to avoid blocking, our systems detect their fake sites with maximum precision, adding them to our databases.
Malicious sites generated by phishing bots are either hosted in the same domain, or share parts of HTML code, or both. This makes it easy for our cyberthreat detection technology to discover them.
In the above example of a bot generating phishing pages the same domain was used to host fake websites that mimicked those of various legitimate organizations. We have detected a total of 1483 attempts to access pages located in that domain since it emerged.
Kaspersky anti-phishing detection statistics for a domain linked to a phishing bot, December 2022 through March 2023 (download)
Since many off-the-shelf phishing solutions offered on Telegram are basic or complex phishing kits, here are some relevant detection statistics on those. In the last six months, our technology has detected 2.5 million malicious URLs generated with phishing kits.
Number of detected malicious URLs generated with phishing kits, October 2022 through March 2023 (download)
We prevented 7.1 million attempts by users to access these malicious sites within the same period.
Kaspersky anti-phishing detection statistics for pages generated with phishing kits, October 2022 through March 2023 (download)
Wannabe phishers used to need to find a way onto the dark web, study the forums there and do other things to get started. The threshold to joining the phisher community lowered once malicious actors migrated to Telegram and now share insights and knowledge, often for free, right there in the popular messaging service.
Even the laziest and most cash-strapped can use Telegram bots offered by channel owners to generate phishing pages and obtain data stolen from their victims. Some attackers upload archives with data for anyone to make use of. An aspiring phisher who wishes to generate a greater variety of content can download phishing kits that target a wide range of organizations.
Scammers use an array of free offers to promote paid services. They are also likely manipulating newcomers into using their free phishing kits and bots, which can potentially share stolen data with their creators.
The more solvent audience are offered to pay for phishing pages with geoblocking functionality and regularly updated anti-bot systems, which are harder to detect than those generated with basic phishing kits and bots. Prices range from $10 to $300 and depend on the feature set. Phishers also sell stolen online baking credentials and offer OTP bots subscriptions that can be used to bypass 2FA.
A detailed review of available offers on Telegram phishing channels suggests that the bulk of these consists of phishing kits, which our technology successfully blocks: over the last six months, we have detected 2.5 million pages generated with phishing kits.