Cybercriminal groups are constantly evolving to find new ways to steal financial information, and the latest trick in their arsenal is to leverage the Telegram messaging app to their advantage.
In what is a new tactic adopted by Magecart groups, encrypted messaging service is used to return stolen payment details from compromised websites to attackers.
“For threat actors, this data exfiltration mechanism is effective and does not require them to maintain an infrastructure that could be removed or blocked by defenders,” Jerome Segura of Malwarebytes said in a statement. Monday Analysis. “They can even receive real-time notification for each new victim, which helps them quickly monetize stolen cards in underground markets.”
TTP was first documented publicly by security researcher @AffableKraut in a Twitter feed last week using data from Dutch cybersecurity company Sansec.
Injecting e-skimmers into shopping websites by exploiting a known vulnerability or stolen credentials to steal credit card details is a proven modus operandi of Magecart, a consortium of different hacker groups who target online shopping cart systems.
But in recent months, they have stepped up efforts to hide card thief code in image metadata and even carry out IDN homograph attacks to plant web skimmers hidden in a website’s favicon file. .
What’s new this time around is the method of data exfiltration (such as name, address, credit card number, expiration and CVV) itself, which is done via an instant message sent to a private Telegram channel using a bot id encoded in the skimmer code.
“The fraudulent data exchange is done through Telegram’s API, which posts payment details in a chat channel,” Segura said. “This data was previously encrypted to make identification more difficult.”
The benefit of using Telegram is that threat actors no longer have to worry about setting up a separate command and control infrastructure to transmit the collected information, or risking the possibility of these domains being deleted or blocked by anti-malware services.
“Defending against this variant of a skimming attack is a bit trickier because it relies on a legitimate communications service,” Segura said. “We could obviously block all connections to Telegram at the network level, but attackers could easily switch to another provider or platform (as they did before) and get away with it anyway. ”