Send to saved messages: cybercriminals use Telegram bots and Google Forms to automate phishing

Group-IB, a global threat hunting and adversary-centric cyber intelligence company, has found that cybercriminals increasingly often use legitimate services such as Google Forms and Telegram to obtain user data stolen during phishing attacks. Alternative ways to obtain data help cybercriminals keep it safe and start using the information immediately. In addition, ready-to-go platforms that automate phishing and which are available on the darknet also have Telegram bots at their core, with admin panel that is used to manage the entire process of the phishing attack and keep financial records linked to them. Such platforms are distributed under the cybercrime-as-a-service model, which subsequently leads to more groups conducting attacks. They also widen the scope of cybercriminal activity.

Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and — traditionally — financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.
A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked. By extracting phishing kits, cybersecurity analysts can identify the mechanism used to carry out the phishing attack and figure out where the stolen data is sent. In addition, a thorough examination of phishing kits helps analysts detect digital traces that might lead to the developers of the phishing kit.

In 2020, as in the previous year, the main target for cybercriminals were online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.

To obtain data of deceived users, cybercriminals mainly resort to free email services to which all the info harvested on phishing websites is automatically sent. Free emails make up 66% of the total number of emails found in phishing kits. Most email accounts detected were created using Gmail and Yandex.

Group-IB analysts divide alternative ways for cybercriminals to obtain data into two major categories: local (when the data is stored in a file located on the phishing resource itself) and remote (when it is sent to a different server). Cybercriminals actively use legitimate services to obtain compromised data. A new trend recorded over the reporting period was the use of Google Forms and private Telegram bots to gather stolen user data.
In total, alternative methods of obtaining compromised data make up about 6%. CERT-GIB analysts predict that the share of alternative ways for obtaining data will continue to rise, with Telegram showing the greatest growth on account of being user-friendly and anonymous.

The functionality of phishing kits is not limited to generating fake web pages to steal user data. Some upload malicious files to the victim’s device. Sellers of phishing kits sometimes turn out to be light-fingered and deceive their own buyers, attempting to make money off them twice. Apart from selling the malicious tool they created, they may also have their eyes on the data stolen with its help. By using a special script embedded in the text body of the phishing kit, they direct the stream of stolen user data to their own network hosts or intercept access to their customers’ hosting service.

Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages. In turn, automating such attacks leads to the spread of more complex social engineering used in large-scale attacks rather than separate incidents, as used to be the case. This keeps one of the oldest cybercriminal professions afloat.

Yaroslav Kargalev
Yaroslav Kargalev

CERT-GIB Deputy Head

The traditional approach consisting in monitoring and blocking of phishing websites is not enough today, companies have to identify all the elements of the attackers’ infrastructure and block the entire network of fraudulent resources rather than separate phishing pages. Group-IB Threat Intelligence system analyzes phishing attacks and attributes them to a specific cybercriminal group, identifying all the web pages that the latter created. Group-IB Threat Intelligence & Attribution system has accumulated an extensive database of phishing kits, which enables the company to fight against phishing targeting a specific brand. This database is being enriched on a continuous basis: as soon as TI&A detects a phishing website, it scans the attackers’ entire infrastructure to, among other things, extract the phishing kit and determine what data was compromised and where it was sent to.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading providers of solutions dedicated to detecting and preventing cyberattacks, identifying online fraud, investigating high-tech crimes, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), the Asia-Pacific (Singapore), and Europe (Amsterdam).

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real-time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat IntelligenceManaged XDRDigital Risk ProtectionFraud ProtectionAttack Surface ManagementBusiness Email ProtectionAudit & ConsultingEducation & TrainingDigital Forensics & Incident ResponseManaged Detection & Response, and Cyber Investigations.

Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and more than 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.

Group-IB’s experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB’s mission is to fight high-tech crime while protecting our clients in cyberspace and helping them achieve their goals. To do so, we analyze cyber threats, develop our infrastructure to monitor them, respond to incidents, investigate complex high-tech crimes, and design unique technologies, solutions, and services to counteract adversaries.