Telegram: The New Channel of Choice for Conducting Cyber Crime
The Dark Web is a hive of illicit activity. From illegal guns and drug dealing to the Ransomware-as-a-Service programs buyers and sellers can use this medium to trade and exchange both knowledge and products.
The take-down of such Dark Web market places, Hansa Market and Alpha Bay, by law enforcement agencies in the US and Europe, however, made headline news not so long ago and served as the latest example of how this cat and mouse game works. Indeed, our research team has been hot on the trail and found cyber criminals have since shifted to new channels to evade authorities and are increasingly using the mobile messaging app, Telegram, to continue their trade.
Check Point looks at how this new medium illustrates the ever evolving methods cyber criminals use to conduct their cyber-crimes in the fifth generation of the cyber threat landscape.
The Transition to Telegram
On the Dark Net, hacking forums are a popular communication platform among threat actors to advertise job offers, market their products and even consult with each other.
In the past few years, however, with law enforcement agencies having a better understanding of the challenges they face in the wild, the grip on some of these forums has become tighter with some of them, as mentioned above, being shut down. As a result, a migration to a more secretive and easily-accessible platform is currently taking place.
Telegram, an encrypted instant-messaging application first introduced in 2013, experienced a meteoric rise in subscribers (five million new users in just 24 hours) following a server crash on the WhatsApp messaging platform. Similar to WhatsApp, Telegram users can chat to individuals as well as groups. What sets it apart, among other features, however, is the pride it places on its enhanced security capabilities. As a result, some of its hosted chat groups have become a useful alternative to the secretive forums on the Dark Web.
Telegram’s hosted chat groups, known as ‘channels’, can be used to broadcast messages to an unlimited number of subscribers, and, while their entire messaging history can be viewed, any response to the public messages is held privately. The discretion these channels thus provide goes a long way to help disguise their malice. Any threat actor with a shady offer or conversation to start can enjoy private and end-to-end encrypted chats instead of the exposed threads that are seen in online forums. If in the past several steps were required to ensure an anonymous connection to the Dark Web via the TOR platform, today any Telegram user can easily join channels with a single tap on their phone, while keeping their identity completely hidden.
Illicit Telegram Channels
Some examples of the clandestine channels our team discovered are ‘Dark Jobs’, ‘Dark Work’ and ‘Black Markets’, though there are many more.
To explain a little about these channels’ content, as the names suggest, messages within the ‘DarkJobs’ channel usually contain illicit job offers that are color coded. If a job posted in this channel is dangerous and likely to entail legal risks, for example, it is marked as ‘black’, whereas less threatening jobs are marked as ‘gray’ or ‘white’.colored
The channels are not restricted to recruiters and job-hunters, though. Advertisements for the sale of stolen documents or hacking tools can also be found. This is especially worrying, considering the accessibility of the channels and the promises of high salaries made to those who might otherwise refrain or have no way to reach these markets.
As a result, this poses a risk of growth in cybercrime rates as these positions are not only openly marketed but are also available to inexperienced users, making dangerous tools now within anyone’s reach.
Recruiting Employees & Forging Official Documents
The most interesting messages are perhaps those looking for employees of certain companies or banks. Threat actors might take advantage of these employees in order to obtain insider information and sensitive data which could then be used for personal purposes or sold, or to conduct a cyber-attack from inside the company. Just like in the real world, in the world of cybercrime it can often be not what you know but who you know.
Other illegitimate services in some of Telegram’s more crooked channels include forging legal documents. Counterfeit documents include IDs, passports, banking documents and more. The author of one of the posts even claimed to have connections inside the Russian Traffic Police Department and to be able to issue or update driving licenses of all categories.
The convenience of Telegram channels allows for threat actors and those aiming to take part in cybercrimes to communicate in a more secure and easily accessible manner.
Sadly, although messaging applications have become an integral part of modern life and improved over the years to ensure the security of their user’s information, they are also being taken advantage of by those fleeing from prying eyes, and the law. Through the use of such tools, access to malware has never been easier, personal documents and certificates can be spread to unknown destinations and companies can be threatened by their own employees. Indeed, even with the limited skillset required, the number of threat actors is on the rise and it is no wonder that the number of cyber-attacks on both organizations and individuals is growing respectively.