Telegram is increasingly being used by cybercriminals to set up clandestine channels to sell stolen financial information to pseudonymous users.
Telegram is a free, cross-platform instant messaging service that offers end-to-end encrypted communication, currently having a user base of over 500 million active users.
Because the platform follows a loose moderation approach, censoring only extremist content, cybercriminals find it reasonably easy to abuse it to further their nefarious goals.
It’s also much easier to set up a Telegram channel to sell stolen data than to create a new dark website, and often much easier to promote and attract a wider audience of interested buyers.
Finally, since Telegram channels are more volatile and short-lived than dark web markets, they might be safer for criminals to use because they are harder to track and correlate online personas with real identities.
A permanent concern
Cybersixgill researchers released a report based on data they collected throughout 2021 and concluded that while the sale of financial accounts on Telegram has declined in volume, it remains a stable issue.
When compiling the report, researchers filtered bot spam and focused only on high-quality data, such as listings containing specific keywords related to money laundering and financial account sales.
Cybersixgill analysts believe the reason for the steep 60% drop from 2020 is the overall reduction in newly issued credit cards during the pandemic.
“This sharp drop in discourse surrounding compromised accounts from 2020 to 2021 may seem remarkable, but it is not an isolated event; a parallel decrease was also identified in the total number of compromised credit cards sold in underground markets throughout the same period,” the researchers explain in their report.
“In our Underground Financial Fraud Report for the first half of 2021, we attributed this decline to the closure of several credit card markets (either enforced by law enforcement or as a result of the ‘retirement’ threat actors), ongoing trends towards contactless payments have accelerated during the pandemic, and the overall reduction in newly issued credit cards.”
Another factor that may have played a key role is the general decline of the carding space and the shift in focus from cybercriminals to the much more prolific ransomware operations.
PayPal represents the most bartered object
The leader in the number of ads on these channels is PayPal, followed by Chase and Western Union.
Account takeovers on PayPal are a direct way to drain other people’s funds, and thanks to the platform’s popularity, it’s easy to shop online with it on almost any site.
Cybersixgill explains that for most compromised PayPal accounts, buyers use them to buy hard-to-trace cryptocurrency, essentially laundering the money.
On this front, cybercriminals are also offering money transfer services directly on Telegram, helping actors conceal the origin of stolen funds.
Credit cards continue to be sold
Although at a smaller volume, credit cards are also offered on Telegram channels, with around half of them including the very valuable CVV/CVV2 codes needed to verify online purchases.
Prices range from $10 to $1,500 per card, depending on bank account balance and data “freshness”.
If the owner didn’t realize their credit card details were breached, there is no risk of being reported to the bank, so the ad price is higher.
At least that’s how things theoretically work, because scams are always found among genuine ads.
Finally, there are dedicated Telegram channels that also sell bank logs (IDs), which can also be used for electronic withdrawals.
The above is only a small part of cybercriminal activity on Telegram channels, with other activities such as identity theft, fraud, network access, stolen database and many more. ‘others.
Anonymity in Telegram is tied to the phone number used during subscription, so if actors have acquired the SIM card without providing any real identifying details, they become difficult to track and catch.
We’ve reached out to Telegram to ask for a comment on the abuse and what they plan to do about it, but haven’t received a response yet.