Cybercriminals are using Telegram bots, Google Forms to gather stolen user data

Cybercriminals are increasingly using legitimate services such as Google Forms and Telegram to gather user data stolen on phishing websites. Alternative ways to collect data help cybercriminals keep it safe and start using the information immediately, says Group-IB.

In addition, ready-to-go platforms that automate phishing and which are available on the darknet also have Telegram bots at their core, with admin panel that is used to manage the entire process of the phishing attack and keep financial records linked to them. Such platforms are distributed under the cybercrime-as-a-service model, which subsequently leads to more groups conducting attacks. They also widen the scope of cybercriminal activity.

Phishing kits in 2020

Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and — traditionally — financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.

A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet. For cybercriminals who do not have strong coding skills, phishing kits are a way to effortlessly build infrastructure for large-scale phishing campaigns and quickly resume an operation if it’s blocked.

In 2020, as in the previous year, the main target for cybercriminals were online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%. Financial institutions turned out to be the third favorite among scammers, with their share totaling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.

gather stolen user data

Gathering compromised data

To obtain data of deceived users, cybercriminals mainly resort to free email services to which all the info harvested on phishing websites is automatically sent. Free emails make up 66% of the total number of emails found in phishing kits. Most email accounts detected were created using Gmail and Yandex.

gather stolen user data

Group-IB analysts divide alternative ways for cybercriminals to obtain data into two major categories: local (when the data is stored in a file located on the phishing resource itself) and remote (when it is sent to a different server). Cybercriminals actively use legitimate services to obtain compromised data. A new trend recorded over the reporting period was the use of Google Forms and private Telegram bots to gather stolen user data.

In total, alternative methods of obtaining compromised data make up about 6%. CERT-GIB analysts predict that the share of alternative ways for obtaining data will continue to rise, with Telegram showing the greatest growth on account of being user-friendly and anonymous.

The functionality of phishing kits is not limited to generating fake web pages to steal user data. Some upload malicious files to the victim’s device. Sellers of phishing kits sometimes turn out to be light-fingered and deceive their own buyers, attempting to make money off them twice. Apart from selling the malicious tool they created, they may also have their eyes on the data stolen with its help. By using a special script embedded in the text body of the phishing kit, they direct the stream of stolen user data to their own network hosts or intercept access to their customers’ hosting service.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages,” comments CERT-GIB Deputy Head Yaroslav Kargalev.

“In turn, automating such attacks leads to the spread of more complex social engineering used in large-scale attacks rather than separate incidents, as used to be the case. This keeps one of the oldest cybercriminal professions afloat.”

Don't miss