Just as criminals in the real world work to cover their tracks, so too do hackers put in considerable effort to ensure that their digital breadcrumbs can’t be followed. At the same time, however, these online criminals also work hard to target the most profitable victims, requiring them to strike a complex balance that is very difficult, but not impossible.
Recently, a frightening trend has emerged where cyber criminals poach the capabilities of legitimate message apps in order to carry out their malicious activities. Previously, WhatsApp and Facebook Messenger have been utilized by hackers, demonstrating that even the most popular platforms aren’t impervious to malicious use. Telegram is the most recent victim here, and while this does pose a threat for legitimate users, this doesn’t mean the service itself is at fault for the activity of online criminals.
Hacking communication tools
Just as enterprise employees leverage unified communications and other platforms to foster connections and collaboration, so too do hackers require platforms to support their nefarious activities. As many cyber criminals treat these processes as a job, it’s not surprising that they’d find their own ways to communicate with others in the hacker realm.
As noted, Telegram wasn’t the first platform to be utilized in this way. Earlier this year, our Trend Micro researchers reported on this dangerous trend, noting that Facebook Messenger and others had also been leveraged in a similar way.
“A simple Google search for ‘hack messaging apps’ brings up more than a million hits, the first of which are how-to guides for targeting these applications and infiltrating them in order to steal information,” wrote Christopher Budd of Trend Micro’s Global Threat Communications.
With easily accessible details like this, it’s no surprise that hackers are increasingly turning to legitimate messaging platforms to support their malicious purposes.
WhatsApp blazes a trail for Telegram in Brazil
While programs like Facebook Messenger are the most popular in the United States, WhatsApp also gained a number of active users here and around the globe. Recently, though, users in Brazil have flocked to Telegram, a similar messaging platform. Telegram became a popular alternative for WhatsApp, particularly after Brazilian authorities issued a court order demanding that telecommunication providers prevent users from connecting with the platform. This order was the result of a standoff with WhatsApp creators, after program administrators refused to allow access to the platform to federal criminal investigators.
While many of WhatsApp’s 93 million legitimate users transitioned to Telegram, so too did a number of cyber criminals working to follow potential victims.
“While old crimeware remain the same, we observed that these young and brazen cyber criminals (two words that aptly describe the Brazilian cyber criminals of today), have switched communication platforms,” our Trend Micro researchers wrote in a TrendLabs Security Intelligence blog post. “After the temporary shutdown of WhatsApp last December, cyber criminals changed messaging tools to avoid unwanted attention from law enforcement agencies.”
Why Telegram?
With so many other messaging applications at their disposal, we at Trend Micro began to wonder what made Telegram such an attractive prospect for Brazilian cyber criminals. After investigating, we discovered a number of reasons why the hacker community centered around Telegram as opposed to other platforms, including:
- Cloud-based architecture: Similar to nearly every other messaging app today, Telegram uses a cloud-based architecture for functionality. This allows both legitimate users as well as hackers to access the platform from any device with internet access, making communication much easier – particularly within the cyber criminal underground.
- File sharing: Telegram doesn’t just allow for secure communication. The app also allows users to share different types of files, including those of up to 1.5 GB. In this way, hackers can connect and more easily share information with one another.
- Self-destructing chats: Telegram also includes certain security features like self-destructing chats that are particularly attractive to hackers. Here, users can make a message available for a specified period of time before it is deleted – similar to Snapchat.
- Group chats: In addition to one-on-one communication, Telegram also supports secure group chats, enabling a large number of users to take part in a single conversation. As hacking rings and more organized cyber criminal organizations continue to be established, this capability is key to their malicious practices. In fact, up to 5,000 members can collaborate within a single group message.
While these are no doubt attractive advantages to leveraging Telegram, perhaps the most intriguing to hackers is the platform’s ability to encrypt messages sent over the app’s network.
“[L]aw enforcement agencies can’t easily prove the illicit nature of cyber criminal transactions conducted via the service,” our Trend Micro researchers discovered. “In the course of doing research, we found two Telegram groups, with around 10,000 users in total, engaging in suspicious activities such as selling hacked accounts and credit card details, among others.”
A world of hacker activity
Stolen credit card details as well as hacked account credentials are some of the top products being peddled by cyber criminals on the platform currently. Our researchers discovered that many of these are currently being offered for free, and theorized that this allows a hacker to build up a reputation with the community before requiring a fee to be paid.
Phishing pages have also become an increasingly popular commodity – our researchers observed incredibly realistic-appearing phishing pages disguised as advertisements as well as Brazilian e-commerce stores.
Hackers have also increasingly been requiring proof of successful attacks and cracked accounts. In many cases, this takes the form of screenshots uploaded to the chat platform.
The young, savvy cyber criminal
One of our most surprising findings, though, was the type of criminal utilizing the application. Overall, many cyber criminals populating Telegram currently are likely under 20 years of age, and the majority are very probably just starting out their cyber criminal career, and are thus self-taught. As noted, there are numerous how-to guides and other materials available, enabling the population of hackers to grow every day.
“Brazilian underground players considered cyber crime as their lucrative job due to the quick monetary gains,” our researchers noted. “It doesn’t help that any aspiring cyber criminal can easily learn the ropes through a myriad of cyber crime training materials shared or sold underground or available in the Deep Web.”
Protecting in the age of hacked communication apps
As with nearly any threat, the first step toward protection is knowledge. As our researchers pointed out, it is not the fault of Telegram or its creator that the app is being utilized for malicious purposes – it is not the first victim of its kind and surely won’t be the last. However, when users are aware that these activities are taking place, they can take steps to ensure that their sensitive information is protected.
It’s also critical to observe security best practices when utilizing mobile devices. Multi-factor authentication, unique passwords and a schedule for changing these credentials can all be helpful in the fight against mobile malware.
“With the growing number of smartphone users in Brazil, it’s not surprising that the people behind the suspicious Telegram channels target mobile users, too,” our researchers pointed out.
Next steps
While Telegram is currently utilized by hackers, the fast-paced nature of the cyber criminal environment has taught us that this could very quickly change, particularly if law enforcement intervenes. Our researchers believe that just as hackers shifted from WhatsApp to Telegram, a similar change could take place in the near future as governing bodies and law enforcement officials look to partner with security researchers to prevent crime like this.
In the meantime, Trend Micro has notified Telegram of the activity that we have found. As this environment continues to develop and advance, it’s important that users look to protect themselves and are aware of the most recent threats as well as security best practices. Overall, it’s important to understand that hackers will continue to shift their approaches to remain undetected.