Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime
Fraudsters Use Telegram App to Steal Payment Card DataMalwarebytes: New Method Eases Theft of Information From Ecommerce Sites
Some fraudsters are now using the encrypted instant messaging app Telegram as a fast and easy way to steal payment card data from ecommerce sites, according to an analysis from Malwarebytes.
See Also: OnDemand | Understanding Human Behavior: Tackling Retail's ATO & Fraud Prevention Challenge
Researchers found hackers are using simple Base64 encoding strings in conjunction with a bot that is sweeping up the payment card information. The bot includes code that accesses Telegram to remove the payment card data. Base64 enables the payment card data to be taken without security tools picking up the theft, according to Malwarebytes.
While other cybercriminals have previously used Telegram to distribute malware and steal data - Juniper Threats Labs chronicled one group's ability to deliver a Trojan this way in September 2019 - hackers only recently have attempted to skim payment card data from ecommerce sites using Telegram, Jerome Segura, director of threat intelligence at Malwarebytes, notes in the report.
"For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders," Segura says. "They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets."
Segura notes in the report that security researcher "AffableKraut" first took notice of the use of Telegram to skim payment card data in August and posted about it on Twitter.
From there, the code uses a debugging feature to avoid detection and begins to copy victims' payment card data, such as billing and payment information, card number, expiration date and CVV code from the various checkout fields, according to the report.
"The exfiltration is triggered only if the browser’s current URL contains a keyword indicative of a shopping site and when the user validates the purchase," Segura notes in the report.
When a shopper enters payment information on an ecommerce site, that information is transferred to a payment processor, as usual, but a copy is sent to the fraudsters, according to the report.
By using Telegram, hackers don't have to take the time to set up a command-and-control infrastructure and can quickly collect the payment card data and use it to purchase goods or sell it on underground forums, the report states. This method also helps fraudsters avoid detection.
Blocking this type of attack is difficult, Segura notes. While ecommerce companies can cut access to Telegram channels on the network level, the cybercriminals can then switch to another type of secure platform to help with the skimming.
In another report released this week, security firm Group-IB described the activities of a criminal hacking group called "UltraRank," which has been skimming credit card data for nearly five years and then selling that data on its own carding market. The analysts found that many attacks attributed to various Magecart groups over the years were actually the work of these hackers (see: 'UltraRank' Gang Sells Card Data It Steals).