As part of the mobile and social media revolution, the Telegram messaging app has experienced significant growth, adding 350,000 new users daily. The platform has been widely adopted globally and is available in 13 languages.
The Telegram app allows users to create groups with up to 30,000 members and share files and documents of nearly any type. It even allows bots to be set up for specific tasks. Due to its rich feature set and rapid adoption, Telegram has become a sought-after tool on the fraud scene.
Until recently, fraudsters mainly utilised Telegram groups and channels to organise their communities. Groups can be best described as chat rooms in which all members can read, comment and post.
This is where fraudsters advertise, connect and share knowledge and compromised information, much like the role forums play on the dark web. Channels, on the other hand, are groups in which only the administrator is authorised to post and regular members have access to view, similar to blogs. Fraudsters mainly use Telegram channels to advertise fraud services and products in bulk.
Telegram bots are a popular new feature allowing third-party apps to run within the platform. Bots enable users to enhance the messaging experience. Legitimate uses of Telegram bots include automatic file converters, daily weather or horoscope notifications, management of to-do lists and more.
Recently, RSA has witnessed a surge in the use of the Telegram bot feature by fraudsters to facilitate and automate their activities. Some provide automated tools for common actions conducted by fraudsters, whereas others provide actual fraud services via online stores. Below, we will explore examples of the different types of fraud Telegram bots available today as well as Fraud-as-a-Service offerings that are helping this phenomenon spread.
TELEGRAM BOTS
@WALL_STREET_STORE_BOT
Wall Street Store Bot is a credit card store on Telegram which started off as a command-only bot and has since added user-friendly buttons that allow fraudsters to receive information on balance, purchase history and more.
The most valuable is the “Available Cards” button, which allows fraudsters to download a file containing all cards available on the store, in either an HTML-based, PC-compatible version or a text-based, mobile-compatible version. The card details are displayed in a table with filter options, similar to what we typically see in traditional credit card stores. Customers copy the card IDs they are interested in and enter them in the bot chat to complete the purchase.
Like any respected credit card store, Wall Street Store Bot also includes a credit card checker, an auto-refund system, a user ranking system to encourage purchases and a user-specific Bitcoin wallet to add funds. In addition to the bot itself, the store operates a separate 24/7 support channel in English and Russian, which is used both as a customer service platform and a channel to post news and updates about the store and its available card database.
@BANKERROBOT
Banker Robot is the official bot of the highly popular @PerfectCarders channel in the Brazilian Portuguese-speaking fraud community. It is a general-purpose bot which allows easy access to tools and information often required by fraudsters in their day-to-day activities. When typing the /tools command, the user is presented with various free automated services, including the retrieval of proxy/Socks5/RDP lists and generators of fake PII and banking information. Additional lookups include BINs, IP addresses and ZIP codes, current values of cryptocurrencies and validation of credit card numbers.
@MRBANKERBOT
MrBanker Bot is another bot from the makers of @PerfectCarders, and its main features include the sale of credit cards and access to “Spectrum Checker,” the official credit card checker of the channel. A weekly subscription goes for R$60 (~$16USD) or a monthly subscription for R$250 (~$65USD).
@SALEBHFBOT
The BHF Sale Bot first appeared in February 2018 and is geared to allow easy searches for listings on the prominent Russian hacking forum BHF. The search categories include:
- Exchange
- Debit Cards, Wallets, Sim
- Sale of Private Software
- Proxy, Socks, Dedicated Servers, VPN
- Selling Accounts, Coupons
- Looking for a Specialist
- Looking for Work
ROSKOMNADZOR SERVICE (@RSKMBOT)
Roskomnadzor is a renting service for Telegram bots and online webstores, offered by Russian-speaking fraudsters to the fraud community. The service has an official website and a number of Telegram channels for customer service, technical support and news and updates (which even provides coupons!) and is frequently advertised in highly-regarded fraud forums and marketplaces.
Orders are made via a dedicated Telegram bot where customers can choose a plan out of the following options:
- “White Thematic” for $6 per month
  - Permitted Items: accounts of any type, credit cards, IDs, virtual wallets, counterfeit or stolen documents (e.g. passports, certificates, insurance)
  - Prohibited Items: the bot’s control panel, extremist material, explosives, weapons, drugs, radioactive substances, gambling equipment, and more
- “Black Thematic” for $80 + 1% of the turnover per month
  - Permitted Items: the sale of any goods is allowed including hardware (such as skimmers), illegal substances and more
  - Prohibited Items: the bot’s control panel and extremist material
Advantages of the service include:
- Free replacement in case of blocking
- Personal “bulletproof” server
- Full traffic encryption (for anonymity)
- Detailed statistics on the number of users, goods sold, and categories
- Coupons and discounts
- Uninterrupted server availability
- Integrated cryptocurrency payment reception system
- Intuitive design of the control panel
- Online webstore with a domain as a gift when renting a Telegram bot
The service also offers a demo store bot (@Lease24Bot) and a demo webs
Conclusion
RSA first reported on the growth of global cybercrime on social media back in 2016, in a report which studied over 500 fraud groups across Facebook. In 2018, RSA released a follow-on report highlighting the spread of cybercrime to other social media platforms, including Telegram.
This trend continues to evolve, with Telegram gaining momentum and preference as a “one stop shop” for fraudsters. The use of Telegram bots not only demonstrates the continued growth in cybercriminals’ use of social media and other popular platforms for illicit activity, but also the use of advanced technologies such as AI to automate their businesses.
Telegram bot stores possess several significant benefits for fraudsters. Not only do they eliminate the need to register a host and domain, but all the typical security challenges that may impact a website, DDoS attacks perhaps most notably, also become irrelevant.
The use of the Telegram platform also eliminates fraudsters’ need to protect and hide their website from law enforcement. While the implementation of Telegram bots in the fraud context is relatively new, we expect this trend to gain more momentum in 2019. RSA’s intelligence analysts will continue to monitor this and other social media platforms and advise the public accordingly as new fraud threats emerge.
The post Fraudsters turn to Telegram Bots for cybercrime automation appeared first on Payments Cards & Mobile.