Telegram is a free, cross-platform messaging service that offers encrypted communication between users, and it has seen a significant rise in use by organised crime groups as a way of communicating securely with one another. Bots have existed in Telegram since 2015; however, updates to Telegram bots over the past couple of years have significantly increased their customisability and capabilities.
Telegram bots have recently been adopted by cybercriminals to automate data exfiltration during phishing scams, thanks to their free or cheap implementation combined with the way they simplify the exfiltration process. According to a report by Cofense, the use and abuse of Telegram bots increased by 800% in 2022 compared to 2021, driven in part by the practice of attaching .html files to emails that carry the bot's authentication token and endpoint location hardcoded and hidden within the file.
Here’s how it works:
First, an attacker can either design the bot themselves or acquire a phishing kit online that comes with malware with Telegram bot support preloaded and set up, which removes the need for any programming.
Next, the attacker messages the BotFather and creates a new bot with its own username, a unique token so the bot can be identified, and an API endpoint URL through which the bot can be interacted with.
Once the bot is set up, the attacker needs to obtain the chat ID, which is used to convey stolen credentials to the bot.
Now that the bot token and chat ID have been gathered, malicious scripts are made using the bot token and the chat ID. Again, these scripts can be purchased on their own or as part of a phishing kit, removing any need for programming, as the scripts are autogenerated with simple drop-downs for the tokens and IDs.
Cofense has a detailed breakdown of the process on their blog, along with example screenshots showing what it looks like from the attacker's side.
While the Telegram bot makes the automation of the phishing process more streamlined, training your staff to identify phishing emails can significantly reduce the likelihood of your credentials being stolen. Be cautious when clicking on links and attachments in emails, especially .html files. The National Cyber Security Centre also recommends being wary of requests for information that arrive out of the blue, and looking out for alarming or threatening language intended to convince you to act urgently.
You can go to the NCSC website to learn more about avoiding phishing scams: Phishing attacks: defending your organisation - NCSC.GOV.UK.
You can also report phishing attempts to the NCSC by forwarding the message to their Suspicious Email Reporting Service: email@example.com