
Using Telegram monitoring to enhance your attack surface management

by Rosa Jong, Blog, 7 Apr 2022

For several years illicit actors have been switching from the dark web to Telegram. One of the reasons for this change is that several dark web forums have been shut down by law enforcement. With fewer marketplaces to offer their goods and services, online criminals were forced to look for new platforms to reach their customers.

Telegram is a chat app that is similar to WhatsApp but offers more privacy, since users can choose to hide their phone number. The platform also makes it easy to bring people together, as creating and populating a new chat group takes a few clicks. The bar for getting into these groups and browsing the offers of goods and services is therefore low: Telegram is a well-known app and the groups are promoted on various platforms.

Due to its anonymity and popularity amongst illicit actors, organisations struggle with potential (illegal) distribution of (fake) goods and insider threats to their brand.

A positive side of the shift to Telegram is that this application is easier to monitor for illegal activity. Real-time monitoring of various (public) groups can help organisations rapidly detect data breaches or malicious campaigns being set up. Knowing where and in which context your organisation is mentioned on Telegram allows cyber security professionals to take adequate and timely countermeasures.

Telegram monitoring by Cybersprint

Telegram monitoring can be especially valuable if you are responsible for the cyber security, Intellectual Property or brand protection of an organisation. Over the period of one year, Cybersprint has monitored and analysed Telegram data by looking through various public groups.

What started as an analysis of two dozen groups grew into a report covering approximately 8 million messages. This growth was possible because, whenever a new group was created and shared within the groups already being watched, it was automatically added to the master list and its chat messages were monitored as well.

To gain insight into the nature of illicit activities taking place via Telegram, we divided the data into 3 sectors:

  • Financial,
  • Retail,
  • Food and beverage.

For each of these categories we chose three organisations that will remain anonymous for privacy reasons. These companies can be segmented into small, medium and large organisations, based on the revenue generated and number of employees.

Financial Sector

In finance, there is a large demand for low-level criminals such as money mules, who are used in money laundering. These ‘mules’ receive a sum of money from illicit actors and transfer it to another account, either digitally or in cash. Many of the mule job offerings analysed offered thousands of Euros for a job, which makes it a lucrative opportunity for some.

The messages aimed at recruiting fresh mules are specifically targeted at a younger audience and there are similarities in the way they address their targets. Slang, emojis and the same promises are consistent throughout. The promise of quick and easy money, especially during the pandemic, was used to convince impressionable youngsters to work as money mules.

Besides money mule recruitment, there is an extensive offering of phishing panels and stolen credit cards for sale. There is also a demand for people with a registered company willing to whitewash some credit. Companies registered for at least 1-2 years are preferred, as this would be deemed less suspicious to authorities.

A much smaller, but still interesting, category is focused on the next generation. Hackers and scammers are calling for smart youngsters willing to learn their craft. They offer lessons and guidance and, most importantly, promises to make a lot of money. Telegram almost seems like a job board specifically for cyber-criminal recruitment.

[Figure: distribution of message categories in the financial sector]

Most messages (64%) were related to money mules. The second largest category is the offering of phishing panels (28%). What is striking about this category is that the percentage of offers is highest for the larger organisations and seems to decrease with the size of the organisation. A mere 0.3% of messages were focused on recruiting people to learn to hack or scam.

Retail Sector

The retail sector shows the largest differences among the companies that were analysed. A company is either a target or it is of little interest to scammers and criminals. Of the three segments, medium-sized companies receive the most attention; small and large organisations were only targeted by a small number of illicit actors. A possible explanation is that medium-sized retail organisations sell products in a higher price category, which offers criminals the most return.

Most Telegram messages related to the retail sector were not related to (cyber)crime. Of the messages that were related to illicit activities (38%), the majority concerned (fake) coupons or user accounts for sale. We did not verify whether the user accounts were legitimate and belonged to that company, but if so, this would be a strong indication of a data breach.

Food and Beverage

This was probably the most innocent category as most messages were not related to any illicit activity or crime. In this sector, merely 16% were advertisements for fake coupons.

A relatively high percentage of these messages were not illicit partly because users had the name of a food or beverage company in their username. They did not refer to the company itself but were simply using its brand name, and their messages were mostly related to drug distribution rather than to the companies.

One notable finding (pictured below) was that an alleged employee was doxed and accused of grooming a minor. His photos and approximate address have been shared in multiple groups, with the request to find this individual.


How can monitoring Telegram be of value?

Telegram, like many social media platforms and chat apps, has its niche audiences and broad commercial circles. Analysing the data and dividing it by target and ease of entry, the area aimed at recruiting newcomers into the ‘dark side’ appears relatively large and widespread. Telegram can serve as an easy entrance into various criminal activities, especially since many of these groups are publicly accessible.

Our quantitative analysis is meant to give you an overview of what is happening on Telegram and the potential impact on organisations. The practical value is in the real-time monitoring of relevant messages.

If there is a new campaign of fake goods or coupons imitating your brand, you probably want to know and prepare accordingly. When your monitoring shows offers of user accounts for sale, it may be an indication of an undetected breach. In the search for money mules and similar financial crimes, locations are sometimes shared, which can be very useful for investigations and for spotting trends in behaviour. Offers of stolen data and goods such as payment cards sometimes expose customer data.
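As an added example (not Cybersprint's monitoring tooling), the Python sketch below shows the two mechanics the post describes: snowballing newly shared invite links onto the master group list, and tagging messages with the categories found in the analysis so that brand mentions can be counted and alerted on. The invite-link pattern, keyword lists, brand names and sample messages are all assumptions constructed for this illustration.

```python
import re
from collections import Counter

# Assumed pattern for public invite links shared inside messages
# (t.me/+<hash>, t.me/joinchat/<hash>, t.me/<name>); illustrative only.
INVITE_RE = re.compile(r"https?://t\.me/(?:joinchat/|\+)?([A-Za-z0-9_\-]+)")

# Keyword heuristics for the categories the post describes; illustrative, not exhaustive.
CATEGORIES = {
    "money_mule": ("mule", "quick money", "easy money"),
    "phishing_panel": ("phishing panel", "scam page"),
    "coupons": ("coupon", "voucher"),
    "accounts_for_sale": ("accounts for sale", "logins for sale"),
    "recruitment": ("learn to hack", "teach you", "mentor"),
}
# Categories that, combined with a brand mention, warrant a real-time alert.
ALERT_ON = {"phishing_panel", "coupons", "accounts_for_sale"}

def find_invite_links(text):
    """Return invite identifiers found in a message (used to snowball the group list)."""
    return set(INVITE_RE.findall(text))

def classify(text):
    """Tag a message with every category whose keywords it contains."""
    low = text.lower()
    return sorted(cat for cat, kws in CATEGORIES.items() if any(k in low for k in kws))

def monitor(messages, seed_groups, brands):
    """messages: (group, sender_handle, text) tuples. Returns (groups, counts, alerts).
    Brand matching looks only at the text, not the sender handle, because users who
    merely carry a brand name in their username are not talking about the company."""
    groups, counts, alerts = set(seed_groups), Counter(), []
    for group, _sender, text in messages:
        groups |= find_invite_links(text)  # newly shared groups join the master list
        cats = classify(text)
        counts.update(cats)
        low = text.lower()
        for brand in brands:
            if brand.lower() in low and ALERT_ON.intersection(cats):
                alerts.append((group, brand, cats))
    return groups, counts, alerts

# Constructed sample messages (not real chat data); brand names are placeholders.
SAMPLE = [
    ("group_a", "promo", "Fresh ExampleBank phishing panel https://t.me/+AbCdEf123"),
    ("group_a", "quick_cash", "Quick money during lockdown, need mules https://t.me/joinchat/XyZ987"),
    ("group_b", "examplebank_fan", "anyone around in rotterdam tonight?"),
    ("group_b", "deals", "ExampleShop coupons 50% off, accounts for sale too"),
]

def run_demo():
    return monitor(SAMPLE, {"group_a", "group_b"}, ["ExampleBank", "ExampleShop"])
```

The third sample message is deliberately not counted as a brand mention even though the sender handle contains the brand, matching the observation about usernames in the food and beverage sector.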

Cybersprint’s Telegram monitoring gives organisations real-time insight into how and where their brand is mentioned. Staying up to date with these activities gives you and your organisation the chance to gain more control over your attack surface and thereby protect your brand.

Read our other article on tracking criminal activity using Telegram here.
