Why cybercrooks love Telegram Messenger

The Telegram text and video messaging service has become a “thriving ecosystem” for cybercrime and will likely continue to be a major challenge for security researchers and law enforcement, says a new report.

It is largely used by individuals for legitimate messaging and purchases — including digital equipment, consumer loans, apparel and shoes –who appreciate that it’s free and supposedly encrypted.

But researchers at Israel-based Kela say in a report released Wednesday that Telegram Messenger is also a hub for cybercrime activities, including the sale and leakage of stolen personal and corporate data, the organization of cybercrime gangs, the distribution of hacking tutorials, hacktivism and the sale of illegal physical products such as counterfeits and drugs.

Among the groups using the platform are

— the Lapsus$ data extortion gang. As of December 2022, it had over 55,800 subscribers. However the group has been quiet since March, 2022, when several alleged members were arrested in England;

— the pro-Russian Killnet group. Its main Telegram channel is followed by more than 90,000 users, says the report, and its campaigns are joined by many other influential hacking groups, including XakNet and NoName057;

— the Eternity Project, a malware-as-a-service operation, which uses Telegram bots to sell stolen information to actors who bought access to the service and to provide them with
an opportunity to build the binary. The stealer doesn’t have an administrator panel to manage the malware and attacks — everything is done via Telegram;

— “CHECKS GRUB SHOP” is a popular group for selling credit card information, counterfeit and stolen valid cheques, packages of full personal identification of individuals (known as  fullz) and stolen bank logs;

Messaging services including Discord, Jabber, Tox and Wickr are also used by some cybercrooks, but many favour Telegram.

“One reason why Telegram is attractive to cybercriminals is its alleged built-in encryption
and the ability to create channels and large, private groups,” says the report. “These features make it difficult for law enforcement and security researchers to monitor and track criminal activity on the platform.

“In addition, cybercriminals often use coded language and alternative spellings to communicate on Telegram, making it even more challenging to decipher their conversations.”

The reason Kela is skeptical about the encryption is the company doesn’t disclose the code of the application so there’s no way to know how secure it is.

As of November, 2022 there were an estimated 700 million monthly active users on the platform.

Telegram allows users to register accounts without disclosing personal information, the report notes, making it simple to set up many identities and use them to converse without revealing one’s genuine identity. “Because of this anonymity, law enforcement organizations have a tough time tracking down and identifying individuals who are using the program for illicit activities,” says the report.

While Telegram’s privacy policy states that it may disclose a user’s IP address and phone
number to authorities if presented with a court order on terrorism-related charges, the
company claims it hasn’t done so yet. However, the report says, recent investigations in Germany have revealed that the platform is sharing user data with government agencies and censoring content, despite its promise to keep users’ data secure and private.

Kela recommends infosec teams

— use threat intelligence monitoring solutions to continuously monitor for potential
threats on Telegram and take proactive measures to prevent them;
— regularly train and educate employees on how to identify and respond to cyber
threats on Telegram;
— implement technical controls, such as firewalls and intrusion prevention systems,
to prevent cybercriminals from accessing sensitive data;
— increase collaboration and information sharing with law enforcement agencies and
other organizations to improve the ability to detect and disrupt cybercrime on the
platform;
— and conduct regular audits and assessments to identify any vulnerabilities or areas
for improvement in the organization’s defenses against cyber threats on Telegram.