Cybercriminals are increasingly using IM platforms like Telegram, Discord, Jabber, WhatsApp, IRC and others to advertise and sell their goods and services, IntSights researchers have found.
While traditional cybercrime sources (e.g., forums, black markets, credit card shops, etc.) continue to see regular traffic, peer-to-peer communication networks and chat channels offer several advantages: automated answers and chat bots, fewer rules restricting the types of goods threat actors can advertise, enhanced security features and data encryption, and the option of creating private networks using decentralized messenger protocols.
Why cybercriminals love IM platforms
IntSights CSO Etay Maor says that the migration to these platforms is at least partially the result of law enforcement operations that targeted the AlphaBay and Hansa markets several years ago, as well as the ongoing law enforcement takedowns of major marketplaces and cybercrime forums.
“Telegram appears to be experiencing the most growth, with more than 56,800 Telegram invite links shared across cybercrime forums and over 223,000 general mentions of the application across forums. Telegram is also the platform most often discussed in foreign language forums,” he noted.
Chatter in cybercriminal forums also points to Discord’s increased popularity among cybercriminals. “Old faithful” ICQ is also a popular choice.
“IM applications are most often used by financial fraud communities,” Maor shared. “Financial threat actors and fraudsters exchange stolen carding information, selling or trading all kinds of credit card dumps, and publishing methods or techniques relevant for the fraud community. In addition, there is also trade of physical items stolen or counterfeited from organizations in the retail industry.”
The IM platforms function both as a market and as an instant communication tool, allowing threat actors to close deals faster and to share news that could affect their future operations.
“An example of the surging popularity of IM platforms is the April 2019 leak of Iranian hacking group APT34’s toolset. A rival Iranian hacking group called ‘Lab Dookhtegan’ leaked the information with the full source code exclusively on Telegram without first offering it on any well-known black market or forum,” Maor pointed out.
Cybercrime is always a risky proposition
Even though traditional cybercrime forums have a lot to offer – a way to build reputation, escrow options, posts that can be seen by more users, and “anonymous” access via the Tor browser – many IM platforms offer end-to-end encryption, the option to obscure location and IP address, and invitation-only groups that prevent unwanted outsiders from joining.
Despite all that, the researchers have noticed several warnings and security concerns expressed by threat actors due to law enforcement focus on IM platforms and security vulnerabilities discovered in the past year.
“Law enforcement can ‘break’ encryption using sophisticated algorithms and security vulnerabilities, or by collecting frame details and digital clues that were stored in the IM servers,” Maor explained.
“While the data itself is fully encrypted and law enforcement needs sophisticated algorithms in order to decrypt it, some countries have authorized law enforcement agencies to access the private information of their citizens if sanctioned by courts or other judicial authorities – including information that lives in IM platforms. Threat actors are worried about the cooperation between technology companies and law enforcement agencies, especially in the United States.”