Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

Fraudsters Use Telegram App to Steal Payment Card Data

Malwarebytes: New Method Eases Theft of Information From Ecommerce Sites
Fraudsters Use Telegram App to Steal Payment Card Data
Here's a diagram of a credit card skimmer attack using Telegram. (Source: Malwarebytes)

Some fraudsters are now using the encrypted instant messaging app Telegram as a fast and easy way to steal payment card data from ecommerce sites, according to an analysis from Malwarebytes.

See Also: Mobile Apps are the New Endpoint

Researchers found hackers are using simple Base64 encoding strings in conjunction with a bot that is sweeping up the payment card information. The bot includes code that accesses Telegram to remove the payment card data. Base64 enables the payment card data to be taken without security tools picking up the theft, according to Malwarebytes.

While other cybercriminals have previously used Telegram to distribute malware and steal data - Juniper Threats Labs chronicled one group's ability to deliver a Trojan this way in September 2019 - hackers only recently have attempted to skim payment card data from ecommerce sites using Telegram, Jerome Segura, director of threat intelligence at Malwarebytes, notes in the report.

"For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders," Segura says. "They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets."

Segura notes in the report that security researcher "AffableKraut" first took notice of the use of Telegram to skim payment card data in August and posted about it on Twitter.

A purchase where credit card data is stolen and exfiltrated (Source: Malwarebytes)

Malicious JavaScript

The Malwarebytes report notes that the theft of the payment card information typically starts with hackers planting malicious JavaScript code on ecommerce sites to collect customers’ payment information.

From there, the code uses a debugging feature to avoid detection and begins to copy victims' payment card data, such as billing and payment information, card number, expiration date and CVV code from the various checkout fields, according to the report.

In the majority of skimming attacks, which do not leverage Telegram, the payment card data is stored within a domain or file controlled by the attackers and then exfiltrated using a command-and-control infrastructure that communicates with the JavaScript code. But the attacks leveraging Telegram use encryption in conjunction with a Telegram channel to create a faster and more efficient exfiltration process.

"The exfiltration is triggered only if the browser’s current URL contains a keyword indicative of a shopping site and when the user validates the purchase," Segura notes in the report.

When a shopper enters payment information on an ecommerce site, that information is transferred to a payment processor, as usual, but a copy is sent to the fraudsters, according to the report.

By using Telegram, hackers don't have to take the time to set up a command-and-control infrastructure and can quickly collect the payment card data and use it to purchase goods or sell it on underground forums, the report states. This method also helps fraudsters avoid detection.

Blocking this type of attack is difficult, Segura notes. While ecommerce companies can cut access to Telegram channels on the network level, the cybercriminals can then switch to another type of secure platform to help with the skimming.

Magecart Activity

Javascript skimming attacks are usually associated with Magecart, an umbrella description for separate groups of cybercriminals that use JavaScript skimmers to steal payment and credit card data from customers of ecommerce sites (see: Magecart Group Hits Small Businesses With Updated Skimmer).

In another report released this week, security firm Group-IB described the activities of a criminal hacking group called "UltraRank," which has been skimming credit card data for nearly five years and then selling that data on its own carding market. The analysts found that many attacks attributed to various Magecart groups over the years were actually the work of these hackers (see: 'UltraRank' Gang Sells Card Data It Steals).


About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.