Telegram and Cybercrime

The Rise of Cybercrime on Telegram and Discord and the Need for Continuous Monitoring

Instant messaging, popularly called IM or IM’ing, is the exchange of near real-time messages through a stand-alone application or embedded software. Unlike chat rooms with many users engaging in multiple and overlapping conversations, IM sessions usually take place between two users in private.

One of the core features of many instant messenger clients is the ability to see whether a friend or co-worker is online on the service — a capability known as presence. As the technology has evolved, many IM clients have added support for exchanging more than just text-based messages, allowing actions like file transfers and image sharing within the IM session.

Popular messaging services

The top three messaging apps by the number of users are WhatsApp – 2 billion users, Facebook Messenger – 1.3 billion users, and WeChat at 1.12 billion users. Messenger is the top messaging app in the US. In 2017, approximately 260 million new conversations were taking place each day on the app. In total, 7 billion conversations were occurring daily.

Most widely used messaging apps

The power of social media platforms lies in their ability to connect users and create unique avenues for interaction. For individuals, enterprises, and governments, they facilitate new ways of reaching their audience, promoting a product, and fostering communities.

The growing presence of cybercriminals on social media platforms

The universal appeal of social media platforms makes it equally attractive to cybercriminals. Yet the growing range of criminal risks encountered across social media remains significantly under-researched.

Cybercriminals, it seems, aren’t that different from consumers and enterprise users—they want tools that are easy to use and widely available. They prefer services that are simple, have a clean graphical user interface, are intuitive to use, and are not buggy. Localization and language support also make a difference. Cybercriminals are very careful about who they let into their exclusive club, but they also don’t want to jump through excessive (and costly) hoops to communicate with each other.

The rise of Telegram and Discord

The point of serious concern is that many Telegram and Discord groups are being used by cybercriminals to perform illegal activities such as selling exploits and botnets, offering hacking services, and advertising stolen data.

The double-edged sword of Telegram’s privacy features

Telegram’s privacy features have paved the way for a host of illegal activities, turning coveted online privacy into a breeding ground for crime. One point needs stating precisely: Telegram’s regular chats, groups, and channels are not end-to-end encrypted. They are encrypted between client and server and stored in Telegram’s cloud, so Telegram itself can read them; only the optional Secret Chats (covered below) are end-to-end encrypted. What draws criminals to Telegram is therefore less the cryptography than the low friction, pseudonymity, and limited moderation. Telegram claims to be more secure than mass-market messengers such as WhatsApp and Line. It allows anonymous forwards, meaning forwarded messages no longer lead back to the original account; it lets you unsend messages and delete entire chats from both your own phone and the other person’s; and it lets you set up a username through which other users can reach you without learning your phone number. These features differentiate it from WhatsApp.

Telegram’s secret chat option

Telegram’s Secret Chats use end-to-end encryption between the two devices, so the messages are not stored on Telegram’s servers; they support self-destructing messages and do not allow forwarding. Voice calls are end-to-end encrypted as well. Separately, Telegram’s Bot API allows bots to be set up for specific tasks, which fraudsters use to automate advertising, replies, and sales. Due to its rich feature set and rapid adoption, Telegram has become a sought-after tool on the fraud scene. According to Telegram’s website, the app allows users to create groups of up to 200,000 members as well as public channels that can be accessed by anyone who has the app; neither groups nor channels are end-to-end encrypted.

The double-edged sword of Telegram

Telegram reported in April 2020 that it was logging 1.5 million new users daily and that it was the most-downloaded social app in 20 markets globally. The platform has been widely adopted around the world and is available in 13 languages.

How threat actors are exploiting Telegram

Until recently, fraudsters mainly used Telegram groups and channels to organize their communities. Groups are best described as chat rooms in which all members can read, comment, and post. This is where fraudsters advertise, connect, and share knowledge and compromised information, much like dark web forums. Channels, on the other hand, are groups in which only the administrators are authorized to post while regular members can only view, similar to blogs. Fraudsters mainly use Telegram channels to advertise fraud services and products in bulk. In this way Telegram serves as a ‘Dark Web lite’ for shady businesses.

 

Example of a Telegram channel being used as ‘Dark Web lite’

The discovery of an exploit is not in itself illegal. Indeed, it is often rewarded by the software companies or related businesses that may be affected. But if an exploit is sold in the knowledge that it is going to be used to commit a crime, the seller risks being charged as an accomplice. These legal ambiguities have generated another grey economy in the trading of exploits. Several accounts on social media platforms have been found to be openly vending exploits, including accounts named ‘Injector exploits database’ and ‘Exploit Packs’.

Telegram channels selling exploits

Unprotected databases are one of the primary reasons for the rise in exposed user records. Reports indicate that the data posted by hackers often consists of authentic databases, which is a serious concern for the affected individuals and organizations. Once a breach is disclosed, threat actors discuss and trade the data on Telegram channels and hacking forums, and an attacker can mine it for sensitive information (reused passwords, internal email formats, customer details) that facilitates further attacks.

Threat actors trading information and databases via Telegram

Around 30-40% of the social media sites inspected offered some form of hacking service. Very often there was an emphasis on ‘ethical’ hacking services, though there were no obvious ways to corroborate this. These groups offer tools for hacking websites, hackers for hire, and hacking tutorials. Cybercriminals in fact offer everything necessary to arrange a fraud or to conduct a targeted attack on an individual. The offers are usually very specific and include malicious code and software that can help gain access to personal accounts.

Hacking services being advertised and solicited on Telegram

Discord is now where the world hangs out

Discord is a real-time messaging platform that originally billed itself as an “all-in-one voice and text chat for gamers.” Its slick interface, ease of use, and extensive features have made it easy to communicate with friends and to create and sustain communities via text, voice, and video.

The app allows users to set up their own servers where they can chat with their friends or with others who share their interests. Discord was originally created for gamers to collaborate and communicate, but has now been widely adopted by other groups and communities ranging from local hiking clubs to art communities and study groups.

The rising popularity of Discord as a communication channel

Discord has garnered 100 million monthly active users, 13.5 million active servers per week, and 4 billion minutes of server conversation per day, with people talking for upwards of 4 hours a day. Discord is now where the world talks, hangs out, and builds relationships with their communities and friends. There are servers set up to function as online book clubs, fan groups for television shows or podcasts, and science discussions, to name a few. All this sounds harmless, but does Discord have a dark side? Yes: there are servers that promote illegal activities using the platform.

A convenient way to create and sustain communities and friendships

How cybercriminals are leveraging Discord

Discord hosts numerous chat channels that promote illicit practices. Besides the obvious gaming chats, Discord is exploited to carry out other nefarious activities, like selling credit and loyalty cards, drugs, hacker resources, and doxing services. It is worth being precise about why. Discord encrypts traffic in transit (TLS) but is neither end-to-end encrypted nor peer-to-peer: messages are stored on Discord’s servers and are available to Discord. Its appeal to criminals lies instead in invite-only servers, disposable accounts, rich bot support, and far less scrutiny from law enforcement than a Tor marketplace attracts, which lets them transact openly.

Is Discord the new dark web?

Illicit markets on Discord work much like “conventional” dark web markets on Tor. First, a buyer must locate a seller, join their server, and pay in bitcoin. Among the most popular goods on Discord marketplaces are credit cards and loyalty points. Some of these markets, having been kicked off Tor by law enforcement, have relocated their services to Discord.

Stolen credit card data sold on Discord or on other dark web sites often includes other identifying information such as names, email addresses, phone numbers, physical addresses, and passwords. These cards can be used to make purchases online and offline, or to buy untraceable gift cards. Loyalty points, another very popular item on Discord, can be purchased for just a few dollars (paid in bitcoin) and exchanged for cash, goods, or gift cards.

Discord being used to sell credit cards

Besides credit cards and loyalty points, some powerful hacking tools have found their way to Discord, making it possible for buyers to compromise accounts directly. One prominent example is OpenBullet, which was released on GitHub. Originally intended as a web-testing tool for security professionals, it was taken up by criminals and spread quickly. OpenBullet runs a “config” describing a target site’s login flow against a combo list of leaked username:password pairs and reports which pairs work, which makes it a ready-made credential-stuffing tool; configs and combo lists are themselves traded on Discord. It is easy to use, configure, and deploy, and the servers that distribute it also offer DDoS services, carding methods, and malware for sale.
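What a combo-list run through a tool like OpenBullet looks like from the defender’s side is a burst of logins for many different accounts from one source, almost all of which fail, with the occasional success that is the actual account takeover. The following is an added example, not code from the page or from OpenBullet, that detects that pattern in constructed web-server authentication logs; the log format (“timestamp ip username OK|FAIL”), the five-minute window, and the thresholds are assumptions.

```python
"""Credential-stuffing detection over web-server authentication logs.

Added example (not code from the page or from OpenBullet): a combo-list run
shows up as many distinct usernames from one source inside a short window
with a high failure rate; the rare success inside such a run is an account
takeover. Log format, window and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <client ip> <username> <OK|FAIL>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<status>OK|FAIL)$"
)

# Constructed sample: one stuffing source, one clumsy legitimate user,
# one source below the threshold, and a malformed line.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.5 alice FAIL
2024-03-01T10:00:02 203.0.113.5 bob FAIL
2024-03-01T10:00:02 203.0.113.5 carol FAIL
2024-03-01T10:00:03 203.0.113.5 dave OK
2024-03-01T10:00:03 203.0.113.5 erin FAIL
2024-03-01T10:00:04 203.0.113.5 frank FAIL
2024-03-01T10:00:04 203.0.113.5 grace FAIL
2024-03-01T10:00:05 203.0.113.5 heidi FAIL
2024-03-01T10:01:10 198.51.100.7 alice FAIL
2024-03-01T10:01:20 198.51.100.7 alice FAIL
2024-03-01T10:01:30 198.51.100.7 alice OK
2024-03-01T10:02:00 192.0.2.9 ivan FAIL
2024-03-01T10:02:05 192.0.2.9 judy FAIL
2024-03-01T10:02:10 192.0.2.9 mallory FAIL
this line is malformed and is skipped
"""


def parse_line(line):
    """Return (timestamp, ip, user, failed) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["status"] == "FAIL")


def find_stuffing_sources(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that, inside any `window`, tried at least `min_users`
    distinct accounts with a failure ratio of at least `min_fail_ratio`."""
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event[1]].append(event)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        users, fails, start = Counter(), 0, 0
        for end, (ts, _, user, failed) in enumerate(events):
            users[user] += 1
            fails += int(failed)
            # Slide the window start forward until the span fits in `window`.
            while ts - events[start][0] > window:
                _, _, old_user, old_failed = events[start]
                users[old_user] -= 1
                if users[old_user] == 0:
                    del users[old_user]
                fails -= int(old_failed)
                start += 1
            attempts = end - start + 1
            if len(users) >= min_users and fails / attempts >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": attempts, "failures": fails}
    return flagged


def compromised_accounts(lines, flagged):
    """Usernames that logged in successfully from a flagged source: the hits
    the attacker will use or sell, and the accounts to force-reset."""
    return {ev[2] for ev in map(parse_line, lines)
            if ev and ev[1] in flagged and not ev[3]}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    hits = find_stuffing_sources(lines)
    for ip, stats in hits.items():
        print(ip, stats)
    print("accounts to force-reset:", compromised_accounts(lines, hits))
```

On the sample, only 203.0.113.5 crosses the threshold (8 accounts, 7 failures in four seconds) and `dave` is the account to lock and reset; the legitimate user who mistypes a password twice and the three-account source stay below it. In production the same logic runs per source after proxy-aware client IP extraction, and attackers who spread a run across residential proxies will push you toward per-account and per-user-agent views rather than per-IP ones.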

DDoS botnets being sold on Discord

It is easy to monitor paste sites like Pastebin because their structure is known: what type of data is pasted, where, and in what format. Monitoring discussions on Discord is not as simple, but it is critical for organizations, and time is of the essence when it comes to detecting and alerting them to exchanges that pertain to their data and assets.
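The core of such monitoring, once messages have been collected from a channel or server, is running an organization’s watchlist over free-form chat text and not drowning in the reposts these channels are full of. The following is an added example, not code from the page or from CloudSEK’s XVigil: it raises alerts for leaked email:password pairs on watched domains, for mentions of watched hosts, and for brand mentions, and suppresses exact reposts. The watchlist and the messages are constructed for the example.

```python
"""Watchlist monitoring over messages exported from a chat platform.

Added example (not code from the page or from CloudSEK's XVigil). Alerts on
leaked credentials, mentions of watched hosts and brand terms, and skips
reposts. Watchlist and messages are constructed for the example.
"""
import hashlib
import re

WATCHLIST = {
    "domains": {"example.com", "corp-example.net"},   # assumed org domains
    "keywords": {"examplecorp", "example corp"},      # assumed brand terms
}

# email:password pairs as they appear in combo lists and "fresh logs" adverts
COMBO_RE = re.compile(r"(?P<email>[\w.+-]+@(?P<domain>[\w-]+(?:\.[\w-]+)+)):(?P<secret>\S+)")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.I)

SAMPLE_MESSAGES = [  # constructed
    {"channel": "@constructed_logs", "id": 1,
     "text": "Fresh logs! alice@example.com:Winter2024! bob@gmail.com:hunter2 more in PM"},
    {"channel": "@constructed_market", "id": 2,
     "text": "Selling admin access to portal.example.com, RDP + shell, btc only"},
    {"channel": "@constructed_market", "id": 3,   # repost of message 2
     "text": "Selling admin access to  portal.example.com, RDP + shell, btc only"},
    {"channel": "@constructed_chat", "id": 4,
     "text": "anyone got an ExampleCorp employee list? paying"},
    {"channel": "@constructed_chat", "id": 5,
     "text": "gg ez, new nitro codes tomorrow"},
]


def watched_root(host, domains):
    """Return the watched domain that `host` equals or is a subdomain of."""
    host = host.lower()
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify(message, watchlist):
    """Alerts raised by one message, most severe first."""
    text, alerts = message["text"], []
    for m in COMBO_RE.finditer(text):
        if watched_root(m["domain"], watchlist["domains"]):
            alerts.append({"type": "credential_leak", "indicator": m["email"]})
    remaining = COMBO_RE.sub(" ", text)  # do not count a combo's domain twice
    for host in HOST_RE.findall(remaining):
        if watched_root(host, watchlist["domains"]):
            alerts.append({"type": "asset_mention", "indicator": host})
    lowered = text.lower()
    for kw in watchlist["keywords"]:
        if kw in lowered:
            alerts.append({"type": "brand_mention", "indicator": kw})
    for a in alerts:
        a.update(channel=message["channel"], message_id=message["id"])
    return alerts


def scan(messages, watchlist):
    """Run the watchlist over a message stream, skipping exact reposts
    (whitespace and case are normalized before hashing)."""
    seen, alerts = set(), []
    for msg in messages:
        normalized = " ".join(msg["text"].lower().split())
        digest = hashlib.sha256(normalized.encode()).hexdigest()
        if digest in seen:
            continue
        seen.add(digest)
        alerts.extend(classify(msg, watchlist))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES, WATCHLIST):
        print(alert)
```

A credential leak is the alert that needs a response within minutes (force a password reset and session revocation for the named account); host and brand mentions feed an analyst queue. Note that the password in a leaked pair is never stored in the alert, only the email, and that the same approach applies unchanged to Telegram channel exports.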

Cybercriminals using Discord to communicate and exchange data and services

Cybercriminals also tend to use these platforms to share news, exchange vulnerability and exploit information, and cite research work from within the cybersecurity community.

Exploits for sale on Discord

The need for continuous monitoring

This is just the beginning of cybercriminals using instant messaging platforms to further their businesses, and with the rising popularity of encrypted messaging apps we can expect illegal activities to flourish on them. Given the quick turnaround time on IM platforms, as opposed to forums where criminals first post their needs or services and then wait for a reply, it is only a matter of time before cybercriminals shift more of their transactions to these platforms. Tools like chatbots allow for automated replies and advertising, helping threat actors achieve more in less time.

This is why real-time monitoring of dark web markets, Telegram channels, and Discord servers is no longer a luxury but a basic requirement for organizations that want to secure their data and assets. This is where CloudSEK’s proprietary digital risk monitoring platform XVigil can help you stay ahead of cybercriminals and their increasingly sophisticated schemes. XVigil scours the internet, including surface websites, dark web marketplaces, and messaging platforms like Telegram and Discord, detects malicious mentions and exchanges pertaining to your organization’s digital assets, and provides real-time alerts, giving you enough time to take proactive measures to prevent costly breaches and attacks.

The Upsurge of Digital Fingerprints in Underground Marketplaces

 

Digital fingerprints are unique slices of information about the software and hardware components of a device, together with the user’s distinguishable characteristics. Device fingerprinting gathers this information to identify an individual user and treats the resulting profile as a digital asset; fraud-prevention systems rely on it as a trust signal, which is exactly what makes a stolen one valuable.

A device’s fingerprints include its:

  • IP address (external and local),
  • Screen information (screen resolution, window size),
  • Firmware version,
  • Operating system version,
  • Browser plugins installed,
  • Timezone,
  • Device ID,
  • Battery information,
  • Audio system fingerprint,
  • GPU information,
  • WebRTC IPs,
  • TCP/IP fingerprint,
  • Passive SSL/TLS analysis,
  • Cookies, and many more.

Digital fingerprints also include the following attributes of individual users: their social network accounts (via third-party cookie tracking) and various aspects of their behavior:

  • Time spent on e-commerce websites
  • Website click locations
  • Items of interest, the typical amount of money spent on such items, virtual or real merchandise, etc.
  • Mouse/ touchscreen behavior
  • System configuration changes

 

Underground marketplaces tout digital identities

SIRIUS Shop is a private online marketplace that trades stolen digital fingerprints. This new Russian underground marketplace sells tens of thousands of compromised digital fingerprints, enabling threat actors to commit online fraud. At the moment it offers more than 20,000 stolen profiles. These profiles include browser fingerprints, website logins and passwords, cookies, and credit card information. The price of a profile ranges from $1 to $27, depending heavily on the value of the information it contains. SIRIUS has been active since June 2020 and also helps sellers set up their own shop on the market. The operators advertise the availability of these digital fingerprints on an underground carding forum.

 

SIRIUS Shop sells :

  • Credit card details
  • Dumps
  • SSN
  • Scan ID, DL
  • Logs bot full dump
  • SHELL
  • CRM Panel
  • CMS Panel
  • Emails and password databases

 

SIRIUS Home page

 

Bot Profile Dumps

The operators of SIRIUS Shop deliver malware that steals digital fingerprints from user devices along with other information such as account credentials and browser cookies for online payment portals, stores, and even bank accounts. These digital assets are then sold on the underground marketplace.

Users who have been infected with malware in the past, or have installed rogue browser extensions, have unknowingly had their account passwords and full browser details recorded and sent to the SIRIUS operators. In some cases the operators also acquire information via web injects, form grabbers, and passwords saved in browsers. They keep scouring for more such data and for updates to it, which are then pushed to their online store.

Each user profile includes login credentials for the victim’s accounts on online payment portals, e-banking services, file-sharing, or social networking services. It also comprises the cookies associated with those accounts, browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, and other browser and PC details.

The user profiles are then imported into the SIRIUS Shop, where they are indexed; cybercriminals can then search by parameter to find the types of profiles they are interested in.

 

SIRIUS Store page

SIRIUS Store has a configurable search panel that allows threat actors to track down specific user fingerprints. One can search for credentials from a particular website, by the victim’s country or operating system, or by the date the profile first appeared on the market.

 

SIRIUS Search Panel

These logs give threat actors a head start and make credit-card fraud easier. The marketplace sells digital identities together with stolen credentials for online shops and payment services that were exposed previously. Anyone who gets hold of such a profile loads its cookies and recorded browser fingerprint into a browser (typically an “anti-detect” browser that can impersonate the recorded user agent, screen, and WebGL values) and routes the session through a proxy near the victim’s location, masquerading as the real user and committing fraud undetected. Because the stolen cookies often represent a live session, the attacker can access the victim’s online accounts without triggering a fresh login or a second-factor prompt, or make new, trusted transactions in their name. The victim’s social media accounts are equally at risk.
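The reason a replayed profile works is that a fingerprint check only compares the attributes listed earlier, and those attributes are exactly what the log contains. The following is an added example, not code from the page or from SIRIUS Shop, showing how a fraud-prevention check derives a stable fingerprint id from those attributes, why a profile replayed from a stolen log passes that check, and two cheap consistency signals (timezone versus IP country, and datacenter IP) that still catch a careless replay. The attribute set, the IP geolocation table, and the decisions are assumptions.

```python
"""Fingerprint match versus fingerprint replay.

Added example (not code from the page or from SIRIUS Shop). Derives a
fingerprint id from browser attributes, compares a login to the stored
profile, and adds consistency signals the replayed profile cannot carry.
The attribute set, geolocation table and decisions are assumptions.
"""
import hashlib
import json

# Attributes folded into the fingerprint id (a subset of the list above).
FP_ATTRS = ("user_agent", "screen", "timezone", "language",
            "webgl_renderer", "canvas_hash", "plugins")

# Constructed stand-in for an IP geolocation / ASN database.
GEO_DB = {
    "198.51.100.20": {"country": "DE", "hosting": False},  # victim's home ISP
    "203.0.113.77": {"country": "US", "hosting": True},    # datacenter proxy
}
TZ_COUNTRY = {"Europe/Berlin": "DE", "America/New_York": "US"}


def fingerprint_id(attrs):
    """Hash a canonical JSON encoding of the selected attributes."""
    subset = {k: attrs.get(k) for k in FP_ATTRS}
    canon = json.dumps(subset, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def assess_login(stored_fp, login_attrs, client_ip, geo=GEO_DB):
    """Compare a login to the profile on file and collect risk signals."""
    fp = fingerprint_id(login_attrs)
    signals = []
    if fp != stored_fp:
        signals.append("fingerprint_mismatch")
    loc = geo.get(client_ip, {"country": None, "hosting": False})
    tz_country = TZ_COUNTRY.get(login_attrs.get("timezone"))
    # A copied profile carries the victim's timezone; the proxy carries its own country.
    if tz_country and loc["country"] and loc["country"] != tz_country:
        signals.append("timezone_ip_mismatch")
    if loc["hosting"]:
        signals.append("datacenter_ip")
    return {"fingerprint_match": fp == stored_fp,
            "signals": signals,
            "decision": "allow" if not signals else "step_up"}


VICTIM = {  # constructed profile as stored at the victim's first login
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/90.0",
    "screen": "1920x1080", "timezone": "Europe/Berlin", "language": "de-DE",
    "webgl_renderer": "ANGLE (Intel(R) UHD Graphics 620)",
    "canvas_hash": "9d1c3f0a", "plugins": ["PDF Viewer"],
    "battery": 87,  # collected but not part of the id: too volatile
}
STORED_FP = fingerprint_id(VICTIM)


def legitimate_login():
    return assess_login(STORED_FP, VICTIM, "198.51.100.20")


def replayed_login():
    # An infostealer log replayed from an anti-detect browser reproduces every attribute.
    stolen = dict(VICTIM)
    return assess_login(STORED_FP, stolen, "203.0.113.77")


def new_device_login():
    other = dict(VICTIM, screen="1366x768", webgl_renderer="Apple M1")
    return assess_login(STORED_FP, other, "198.51.100.20")


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("replayed:  ", replayed_login())
    print("new device:", new_device_login())
```

The replayed login passes the fingerprint comparison outright; it is only the proxy that gives it away, and a buyer who picks a residential proxy in the victim’s country removes that signal too. That is why the fingerprint should be one input to a risk score rather than a substitute for re-authentication on sensitive actions.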

 

Preventive Measures

For website owners

  • Install an SSL Certificate

Data is transferred constantly between the user’s browser and your web server. Without HTTPS, this data, session cookies included, is sent in clear text, allowing an attacker on the network path to intercept it and pick up login credentials and other sensitive information.

TLS (the successor of SSL; “SSL certificate” survives as the common name) encrypts the data before it is transferred, so even an attacker who captures the traffic cannot read it. You can get a certificate through your web hosting company or from a certificate authority, and a basic free certificate from Let’s Encrypt. Two caveats a practitioner would add: serve every page over HTTPS and enable HSTS so the browser never falls back to plain HTTP, and mark session cookies Secure and HttpOnly so they are never sent in clear text or exposed to injected scripts. None of this protects a user whose own device is infected: the profiles sold on SIRIUS are collected by malware on the endpoint, not intercepted on the wire.

  • Install a Security Plugin

A security plugin’s firewall generally blocks common attack patterns and known malicious IP addresses. It also scans your site regularly and alerts you if attackers inject malicious code, so you can clean up the website quickly and remove such changes before they cause harm.

  • Update Your Website

Update your website regularly, including the core installation, themes, and plugins. Outdated software creates vulnerable spots on a website which in turn attract attackers. Check for the latest updates from the vendor: they carry new features, fix bugs, and patch security flaws.

 

For website visitors

  • Install an Effective Anti-virus

Ensure the device you use to access the internet has anti-malware software installed. It detects and alerts you to malware found on malicious sites and removes malware that you might accidentally download or install. Given that rogue browser extensions are one of the ways SIRIUS profiles are harvested, it is also worth reviewing your installed extensions and removing any you do not recognize.

  • Never Click on Suspicious Links

Avoid clicking on suspicious links and be especially cautious of those that advertise attractive offers or discounts.

  • Avoid Storing Sensitive Data

For a quick and convenient check-out, users tend to store their payment details (such as credit card information) on shopping websites. Some even save passwords in their web browser to log in automatically. But these conveniences come at a cost: an infostealer reads saved passwords straight out of the browser’s profile. Never store sensitive data on websites or in browsers.

  • Clear Cookies

Clear cookies regularly to get rid of the session tokens stored in your browser, and log out of sensitive sites when you are done, so that a stolen cookie no longer represents a live session.

 

Conclusion

Online marketplaces that trade databases and dumps are ubiquitous, and as authorities fail to keep up with such sites, more and more users have their identities stolen and sold on them. Since most victims fall prey to such attempts because of their presence on the internet, website owners should take steps to ensure a safe and secure experience on their sites. Enabling extra layers of security such as two-factor authentication is one way of going about it; an additional biometric authentication method is another. One caveat: two-factor authentication protects the login step, not a session that has already been established. A stolen session cookie lets an attacker skip the login entirely, so sites should also keep session lifetimes short and require re-authentication for sensitive actions.