The second blog in our series on the messaging application Telegram looks at the sale of stolen data in the form of “logs” and “fullz”, methods for bypassing MFA, and services to help cybercriminals “cash out”.
Stolen Data for Sale on Telegram
As established in the first blog in this series, the messaging app Telegram is used by cybercriminals for the sale of a number of illicit goods and services.
One of the most prevalent is the sale of stolen personal information on Telegram channels in the form of “logs” or “fullz”. These slang words refer to an individual’s complete personal information, which typically includes bank account data, usernames and logins, payment card numbers, CVVs and expiration dates, social security numbers, government IDs, addresses, and any other information the attackers may be able to collect. The screenshot below, for example, shows the logs of one individual offered for sale for 300 USD.
Often this information is stolen through phishing sites, as outlined in our previous blog, but there are other methods that cybercriminals use such as information-stealing malware (infostealers), botnets, social engineering, or database theft.
Of course, the cybercriminals who conduct these attacks could use this information themselves to gain access to the victims’ bank accounts and take their money. However, the thriving markets for logs and fullz on Telegram and hacking forums demonstrate that this part of the attack is often left to completely different criminals who have other skills. This speaks to the maturity of the cybercrime market, where the sale of personal information is effectively commoditized to the point that criminals can run a lucrative business re-selling data without conducting the actual fraud themselves.
Accessing Bank Accounts
For the criminals who are in the business of using logs and fullz, a common hurdle they have to overcome is how to bypass the multi-factor authentication (MFA) security measures that most banks enforce. Once again, actors in Telegram channels offer solutions for fraudsters to purchase.
One method that is advertised is a One Time Password (OTP) bot, an automated system that calls the victim impersonating a bank representative and asks for the code to be typed in via the phone’s keypad. If successful, the attacker obtains the code and can immediately access the account, sometimes asking for multiple codes in order to change the password as well. In the example below, buyers can rent the bot on a daily, weekly, or monthly basis:
An alternative method for bypassing MFA advertised on Telegram is SMS spamming, where a message is sent to victims asking them to enter their code into a fake page controlled by the fraudster. The example below is a “bulk” service, which means that a huge list of victims will be targeted to increase the chance of someone entering the details into the link:
Finally, one of the most sophisticated methods of bypassing MFA advertised on Telegram is SIM swapping services. SIM swapping involves cloning a victim’s SIM card, meaning that phone calls and messages can be intercepted. This method is more reliable than techniques such as SMS spamming, which can be thwarted by the OTP request timing out, but requires more resources and effort. Of course, there are specialized services offered by actors on Telegram that make this job easier in exchange for a flat fee or a percentage of the stolen funds:
Orchestrating SIM swapping attacks often requires a telecommunications company representative to approve the process and we also observe discussion and advertisement of these insiders on Telegram groups. The slang word “inny” is often used to discuss insider services:
When access to a compromised bank account is obtained, the next step is to transfer the available funds to an account controlled by the attacker. Banks have security measures to stop this from happening but – once again – these measures can be bypassed with help from an insider working at a bank. For example, bank employees can temporarily increase wire transfer limits and approve transactions. This activity is risky but the insider is compensated with a flat fee or a percentage of the stolen funds. These bank insiders are advertised on Telegram:
The stolen funds are transferred to bank accounts opened by actors with stolen or fake identities, sometimes employing mules to open the accounts and pass verification in-person by physically going to a branch of the bank. Payment cards are then used to retrieve the money from ATMs.
Cryptocurrency accounts are also used to cash out stolen funds, but these likewise require verification with an identity document. The accounts used by the actors to receive funds are known as “drops” and are also offered on Telegram channels:
Monitoring for Insider Threat
The SIM swapping and cashing-out services on offer on Telegram both speak to the risk of insider threats for telecommunications and banking organizations. Knowledge of this activity taking place on Telegram can help security teams establish whether someone in their organization is compromised, and it provides intelligence that can be used as part of an internal investigation. However, the activity on Telegram is often just the tip of the iceberg – a fraction of the activity that takes place in the wider cybercriminal ecosystem.
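The bank insider behaviour described above (an employee temporarily raising a wire-transfer limit and then approving a transaction on the same account) leaves a footprint in back-office audit logs that an internal investigation can look for. The following is an added example written for this post, not code from the original article or any bank: it correlates limit-increase and wire-approval events by employee and account and flags pairs that fall within a short window. The log format, field names, action names (`LIMIT_INCREASE`, `APPROVE_WIRE`), the one-hour window and the sample audit lines are all constructed assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    employee: str
    action: str   # "LIMIT_INCREASE" or "APPROVE_WIRE" (assumed action names)
    account: str
    amount: int   # new limit or wire amount, in USD


# Assumed line layout: <ISO timestamp> <employee id> <action> <account> <amount>
LINE_RE = re.compile(r"^(\S+) (\S+) (LIMIT_INCREASE|APPROVE_WIRE) (\S+) (\d+)$")

# Constructed sample audit trail; deliberately unsorted and with benign noise.
SAMPLE_LOG = """\
2024-03-01T09:02:11 emp017 LIMIT_INCREASE acct-4411 25000
2024-03-01T09:05:40 emp017 APPROVE_WIRE acct-4411 24000
2024-03-01T10:15:02 emp042 LIMIT_INCREASE acct-9001 50000
2024-03-02T14:30:00 emp042 APPROVE_WIRE acct-9001 10000
2024-03-01T11:00:00 emp088 APPROVE_WIRE acct-1234 900
2024-03-01T11:20:00 emp017 LIMIT_INCREASE acct-7777 30000
2024-03-01T11:25:00 emp017 APPROVE_WIRE acct-7777 29500
"""


def parse_log(text):
    """Parse audit lines into AuditEvent objects, sorted by timestamp."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts, emp, action, acct, amount = m.groups()
        events.append(AuditEvent(datetime.fromisoformat(ts), emp, action, acct, int(amount)))
    return sorted(events, key=lambda e: e.ts)


@dataclass(frozen=True)
class Finding:
    employee: str
    account: str
    new_limit: int
    wire_amount: int
    minutes_between: float


def find_self_approved_wires(events, window=timedelta(hours=1)):
    """Flag the pattern from the post: the same employee raises the wire limit
    on an account and then approves a wire on that account within `window`.
    The window is an assumed threshold; tune it to the institution's process."""
    recent_limits = defaultdict(list)   # (employee, account) -> limit events seen so far
    findings = []
    for ev in events:
        key = (ev.employee, ev.account)
        if ev.action == "LIMIT_INCREASE":
            recent_limits[key].append(ev)
        elif ev.action == "APPROVE_WIRE":
            for lim in recent_limits[key]:
                delta = ev.ts - lim.ts
                if timedelta(0) <= delta <= window:
                    findings.append(Finding(ev.employee, ev.account, lim.amount,
                                            ev.amount, delta.total_seconds() / 60))
    return findings


def repeat_offenders(findings, min_hits=2):
    """Employees who appear in at least `min_hits` findings, a stronger
    signal for an investigation than a single coincidental pair."""
    counts = Counter(f.employee for f in findings)
    return {emp: n for emp, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = find_self_approved_wires(parse_log(SAMPLE_LOG))
    for h in hits:
        print(h)
    print("repeat offenders:", repeat_offenders(hits))
```

On the constructed sample this flags emp017 twice (accounts acct-4411 and acct-7777, each approved within minutes of the limit change) and ignores emp042, whose approval came a day after the limit increase. In practice the same correlation is worth extending with a second party check (was the approval meant to require a different approver?) and with the beneficiary account, since the post notes that funds are moved to "drop" accounts opened with stolen or fake identities.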