Reading:
Telegram: A New Place for Hackers

Telegram: A New Place for Hackers

March 24, 2022

One of the most commonly used messaging apps, Telegram, has become more and more popular ever since the privacy policy scandal of WhatsApp in January 2021. WhatsApp announced that they have been sharing their customers’ sensitive data with Facebook for a couple of years, which created turmoil in WhatsApp users. People have been searching for an alternative for WhatsApp, and they have decided to switch to other messaging apps such as Telegram.

Telegram’s Increasing Popularity

Even though Telegram only encrypts messages in communication between your device and its servers by default (you can manually enable end-to-end encryption), Telegram is known for its safety and encryption policies. App has around 500 million active users, and more than 100 million people have downloaded the app in 2021.

Telegram’s popularity also attracted hackers’ attention, and it became the main hub for threat actors. The fact that Telegram is a legit messaging app used by millions gave hackers the chance to conceal themselves and achieve their evil deeds. 

Utilizing Telegram to Perform Malicious Activities 

Hackers have been using Telegram to carry out various malicious tasks. Below, you can see the most common ways threat actors utilize the app. 

Sharing Stolen Databases

Telegram Data Leak Incident Card Created by SOCRadar.
Telegram Data Leak Incident Card Created by SOCRadar.

Typically, threat actors tend to sell data dumps in hacker forums inside the Dark Web. They put up the databases to auction and try to make as much money as possible by selling the dump to the highest bidder. After selling the data dump or failing to do so, they sometimes opt to share the information openly and post the leaks on hacker forums, Pastebin, and Telegram. SOCRadar tracks and monitors Telegram groups hackers mainly use and detects data leaks your organization suffers. Below, you can see a screenshot of a Telegram data leak incident detected by SOCRadar.

Communicating with Other Hackers

Threat actors have also been using the app to chat with other people. However, we see that hacker channels go beyond the intended usages by performing malicious activities. Hackers discuss tactics, techniques, and procedures (TTPs) to perform cyber attacks, new emerging vulnerabilities and zero-days, important cybersecurity events and news, and many other subjects to be up-to-date in the cybercrime sector. They also utilize Telegram to communicate with potential buyers of database sales posted on hacker forums on the dark web. We see that the app has been a primary communication platform for threat actors. Below, you can see two example posts in hacker Telegram channels, one a cybersecurity news post and the other one advertising a private data leak channel.

A Post in Cybersecurity News Hacker Channel on Telegram.
A Post in Cybersecurity News Hacker Channel on Telegram.
Private Data Leak Channel Advertisement in a Telegram Hacker Channel
Private Data Leak Channel Advertisement in a Telegram Hacker Channel

Telegram Bots: Automating Malicious Activities 

Telegram bots offer hackers a broad range of possibilities in automating malicious tasks. For example, we have seen that with the help of Artificial Intelligence, some bots perform sophisticated social engineering attacks by impersonating banks and companies to steal and capture OTP and SMS codes from their victims. In particular, OTP-Bot, a well-known malicious Telegram bot, claims %98 success rate on their OTP capturing attacks, a near-perfect success rate. Below, you can see a sample screenshot showing successful OTP-Bot attacks.

A Successful OTP-Bot Attack 
A Successful OTP-Bot Attack 

We also see that Telegram is being used as an infection vector through automatized bots to deploy malware. Some of these malware grants threat actors access to the victim system through the Command and Control (C2) server.

Faulty Feature: “People Nearby” 

Another feature hackers exploit in Telegram is called “People Nearby.” This feature lets users see the precise locations of nearby people who have turned this feature on (the feature is off by default). However, this feature has a security flaw since threat actors can abuse it by spoofing their geolocation and accessing the precise locations of innocent people. Every bit of information is significant in the cybercrime sector, so this security flaw can give threat actors the upper hand in achieving their malicious intentions

When addressed with this security flaw, Telegram developers chose to turn a blind eye to this matter, but the solution is simple. SOCRadar CTIA team suggests users turn this feature off to protect their privacy against hackers.

Find Out What’s Happening In Telegram Hacker Channels

With the ThreatShare module in the Cyber Threat Intelligence suite offered by SOCRadar as part of its Extended Threat Intelligence approach, you can regularly monitor the Telegram channels of threat actors.

You can easily monitor threat actor activities with SOCRadar’s ThreatShare module.
You can easily monitor threat actor activities with SOCRadar’s ThreatShare module. 

Threat Share’s CyberSec News module delivers the most relevant news about products and technologies automatically discovered in your digital assets. On the other hand, DarkMirror shares important agendas in deep and dark web forums, social media, and communication channels such as Telegram and ICQ with screenshots and texts.

Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets. Get free access