
Telegram is increasingly abused by cybercriminals to set up underground channels to sell stolen financial details to pseudonymous users.

Telegram is a free, cross-platform instant messaging service that offers end-to-end encrypted communication, with a user base of over 500 million active users.

Because the platform follows an approach of loose moderation, only censoring extremist content, cyber-criminals find it reasonably easy to abuse it to promote their nefarious purposes.

It is also much easier to set up a Telegram channel to sell stolen data than to create a new dark web site, and often much easier to promote it and draw a wider audience of interested buyers.

Finally, because Telegram channels are more volatile and short-lived than dark web markets, they could be safer for criminals to use, since it is harder to track them and to correlate online personas with real identities.

An ongoing concern

Researchers at Cybersixgill have published a report based on data they collected throughout 2021 and concluded that even though the sale of financial accounts on Telegram has decreased in volume, it remains a stable problem.

When compiling the report, the researchers filtered out bot spam and focused only on high-quality data, such as listings containing specific keywords related to money laundering and financial account sales.

Sales activity in 2020 and 2021
Source: Cybersixgill

Cybersixgill’s analysts believe that the reason behind the stark nosedive of 60% compared to 2020 is the overall reduction of newly-issued credit cards during the pandemic.

“This stark nosedive in discourse surrounding compromised accounts from 2020 to 2021 might seem remarkable, but it is not an isolated event; a parallel decrease was also identified in the total number of compromised credit cards sold on underground markets throughout the same period,” the researchers explain in their report.

“In our Underground Financial Fraud report for H1 2021, we attributed this decline to the closure of several credit card markets (either imposed by law enforcement or as a result of threat actor “retirement”), ongoing trends towards contactless payments accelerated during the pandemic, and the overall reduction of newly-issued credit cards.”

Another factor that may have played a key role is the general decline of the carding space and the shift of cybercriminal attention to the much more prolific ransomware operations.

PayPal accounts the most bartered item

The leader in the number of listings on these channels is PayPal, followed by Chase and Western Union.

Volume of listings per payment platform
Source: Cybersixgill

Account takeovers on PayPal constitute a direct way to drain funds from other people, and thanks to the platform’s popularity, it’s easy to make online purchases with it on almost any site.

Cybersixgill explains that for most compromised PayPal accounts, the buyers use them to purchase hard-to-trace cryptocurrency, essentially laundering the money.

On that front, cyber-criminals also offer money transfer services right on Telegram, helping actors obfuscate the origin of the stolen funds.

Money-moving services through PayPal
Source: Cybersixgill

Credit cards continue to be sold

Even if at a smaller volume, credit cards are also offered on Telegram channels, with roughly half of them including the highly valuable CVV/CVV2 codes required to verify online purchases.

The prices range from $10 to $1,500 per card, depending on the bank account balance and the “freshness” of the data. 

A $10 listing containing basic credit card data
Source: Cybersixgill

If the owner hasn’t realized the breach of their credit card details, there’s no risk of being reported to the bank, so the listing’s price is higher.

Valuable debit card selling for $1,500
Source: Cybersixgill

That is at least how things work theoretically, as scams are always to be found among genuine listings.

Finally, there are dedicated Telegram channels that sell bank logs (credentials) as well, which can also be used for electronic cashouts.

Bank logs can be equally as valuable as credit card data
Source: Cybersixgill

Conclusion

The above is only a small part of the cybercriminal activity on Telegram channels, with other activities including identity theft, fraud, network access, stolen databases, and many more.

Anonymity in Telegram is linked to the telephone number used during the subscription, so if the actors acquired the SIM without providing real identification details, they become hard to track and catch.

We have reached out to Telegram to request a comment on the matters of abuse and what they’re planning to do about it, but we have not received a response yet.

Source: www.bleepingcomputer.com