Telegram messenger app on the screen of a smartphone showing phishing attacks using Telegram bots

Phishing Attacks Actively Using Alternative Exfiltration Methods Including Google Forms and Telegram Bots

Cyber intelligence firm Group-IB says that cybercriminals frequently use legitimate services to collect stolen data from exploit kits during phishing attacks.

The hackers frequently used Google Forms and Telegram bots with admin panels offered as cybercrime-as-a-service to manage the phishing processes.

The researchers noted that the use of these services led to more hackers conducting more sophisticated attacks.

Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed several phishing kits used to generate phishing web pages for compromising online services and email clients.

Group-IB Computer Emergency Response Team’s key findings

Group-IB noted that cybercriminals mostly targeted online services such as tools to view documents, online shopping, streaming services, with such attacks accounting for 30.7% of malicious activity. By targeting online accounts, the hackers could steal linked bank accounts, according to Group-IB.

Phishing attacks frequently targeted over 260 popular brands, including Microsoft, PayPal, Google, and Yahoo.

Email accounts dropped in popularity as the second most preferred target, accounting for 22.8% of the phishing attacks.

Financial institutions emerged as the third most popular targets, with about 20% of all phishing attacks directed at them.

Phishing attacks frequently using Google Forms and Telegram bots to collect stolen data

The researchers found that email remained the most popular method of exfiltrating data on phishing websites accounting for 94.3%.

About two-thirds (66%) of the phishing attacks preferred using free email services, with Gmail and Yandex being the most popular email providers.

However, the researchers observed a new trend involving Google Forms and Telegram bots to collect stolen information from phishing kits.

“Cybercriminals actively use legitimate services to obtain compromised data. A new trend recorded over the reporting period was the use of Google Forms and private Telegram bots to gather stolen user data.”

These alternative methods of collecting stolen data from phishing kits accounted for just 5.7%. However, CERT-GIB researchers predicted that these methods would continue to rise as attackers adopted more reliable methods.

The use of Telegram showed more growth potential because the app was very user-friendly and anonymous.

Some phishing kits such as 16shop included this option early in 2019. At least 40 cyber gangs used phishing-as-a-service infrastructure integrated with Telegram bots to collected stolen information. Similarly, Facebook’s 533 million users’ data were was sold through a Telegram bot.

Rise of phishing automation

Cyber attackers also used automation to replace blocked phishing websites allowing them to carry large-scale and complex phishing attacks. The new trend makes the traditional methods of blocking phishing attacks less effective.

Additionally, the alternative methods were more reliable than email addresses that could be blocked or hijacked.

Attackers also stored stolen information in a local file in the phishing resources or kits. This method was the most prevalent among the alternative methods accounting for 2.6% of exfiltration methods. Remote servers accounted for 1.6%, Telegram bots 0.8%, and MySQL databases at 0.6%.

“As technology improves to stop phishing emails from bypassing secure email gateways (SEG) and users become more aware of spotting phishing emails, cybercriminals work to find new ways to obtain information from victims,” says James McQuiggan, security awareness advocate at KnowBe4. “Using web forms that look normal and valid to users, they believe they’re entering information to win a new car or a chance to win a dream vacation, when in fact, they are giving up personally identifiable information (PII).”

Group-IB researchers found that #cybercriminals actively employed alternative methods like Google Forms and Telegram bots to collect data during #phishing attacks. #cybersecurity #respectdata Click to Tweet

McQuiggan advises users to apply the “if it’s too good to be true, it usually is” rule to defeat social engineering exploits relying on online forms and Telegram bots.