Security researchers are shedding light on the “democratization” of the phishing ecosystem, highlighting Telegram as a central hub for cybercrime. Threat actors can orchestrate mass attacks for as little as $230, turning the messaging app into a vibrant space where both seasoned and novice cybercriminals exchange illicit tools and insights, creating a well-organized supply chain of tools and victim data, according to Guardio Labs researchers Oleg Zaytsev and Nati Tal.
In a new report, they describe Telegram as a “scammers paradise” and a “breeding ground for modern phishing operations.” The platform’s lenient moderation efforts have opened the doors to cybercrime, making what was once available on invite-only dark web forums easily accessible in public channels and groups.
Guardio Labs notes that the phishing ecosystem on Telegram includes free samples, tutorials, kits, and even hackers-for-hire, providing everything necessary for constructing end-to-end malicious campaigns. This marks a departure from the traditional dark web forums, making cybercrime accessible to aspiring and inexperienced individuals.
The report highlights the availability of malicious Telegram bots like Telekopye (aka Classiscam), capable of crafting fraudulent web pages, emails, and SMS messages for large-scale phishing scams. The building blocks for phishing campaigns can be purchased on Telegram, some at very low prices or even for free. This includes phishing kits, compromised WordPress websites for hosting scam pages via web shells, and backdoor mailers for sending convincing emails.
Backdoor mailers, offered in various Telegram groups, are PHP scripts planted on legitimate websites that have already been compromised; they let threat actors send email from the site's legitimate domain, so the messages are more likely to pass spam filters.
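As an added defender-side illustration (not code from the Guardio report), the scanner below walks a WordPress install and flags PHP files that sit where PHP should never execute (the uploads directory) or that send mail using request-controlled input, the two traits a planted mailer typically shows. The directory list, regex heuristics and sample files are assumptions constructed for this example.

```python
"""Triage scan for injected PHP mailer scripts in a WordPress tree (constructed example)."""
import os
import re
import tempfile

# Heuristic patterns (assumption): a mail-sending call combined with raw request
# input or common obfuscation is a strong signal of an injected mailer.
MAIL_CALLS = re.compile(r"\b(mail|wp_mail|mb_send_mail)\s*\(", re.I)
SUSPECT = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(|\$_(POST|GET|REQUEST)\[", re.I)
# Directories that should hold only static content in a stock WordPress install.
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/cache")


def scan_file(path, root):
    """Return (relative path, list of reasons) for one PHP file."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    with open(path, "r", errors="replace") as fh:
        src = fh.read()
    reasons = []
    if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
        reasons.append("php-in-static-dir")
    if MAIL_CALLS.search(src) and SUSPECT.search(src):
        reasons.append("mail-with-request-input-or-obfuscation")
    return rel, reasons


def scan_tree(root):
    """Map relative path -> reasons for every PHP file that triggers a heuristic."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                rel, reasons = scan_file(os.path.join(dirpath, name), root)
                if reasons:
                    findings[rel] = reasons
    return findings


def build_sample_site():
    """Constructed fixture: one benign plugin file and one planted mailer."""
    root = tempfile.mkdtemp()

    def put(rel, body):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "w") as fh:
            fh.write(body)

    put("wp-content/plugins/contact/form.php",
        "<?php wp_mail($admin, 'New entry', sanitize_text_field($msg));")
    put("wp-content/uploads/2024/01/wp-cache.php",
        "<?php mail($_POST['to'], $_POST['subject'], base64_decode($_POST['body']));")
    return root


if __name__ == "__main__":
    for path, why in scan_tree(build_sample_site()).items():
        print(path, "->", ", ".join(why))
```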
Guardio stresses that site owners therefore carry a second responsibility beyond protecting their own users: securing their sites so they are not unwittingly turned into hosts for phishing operations. Additionally, digital marketplaces on Telegram offer “letters,” expertly designed templates that make phishing emails appear authentic.
Telegram’s marketplaces also host bulk datasets, known as “leads,” containing valid email addresses and phone numbers. These leads can be highly specific and enriched with personal information, enhancing the effectiveness and credibility of phishing attacks.
The researchers underscore the monetization aspect of these phishing campaigns, where stolen credentials are sold as “logs” to other criminal groups, yielding a 10-fold return on investment based on the number of victims providing valid details on the scam page. Social media account credentials may be sold for as little as a dollar, while banking accounts and credit cards fetch higher prices based on their validity and funds.
Guardio concludes that with a small investment, anyone can initiate a significant phishing operation, regardless of prior knowledge or connections in the criminal underworld.