Hackers Use Google Forms and Telegram bots to Collect Phished Credentials

Cybercriminals are increasingly using legitimate services such as Google Forms and Telegram to gather user data stolen on phishing websites. Alternative ways to collect data help cybercriminals keep it safe and start using the information immediately.

Researchers at cybersecurity company Group-IB noticed that more of these phishing tools allow stolen user data to be collected through Google Forms and Telegram.

Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and traditional financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.

A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet.

The use of Telegram is not new, as operators turned to the service because it is anonymous and easy to use. The notorious phishing kit 16Shop had this option back in 2019. A scam-as-a-service operation used by at least 40 cybercriminal gangs to impersonate popular classifieds also relied on Telegram bots to provide fraudulent web pages.

Stolen data collected on a phishing site is sent to a Google Form through a POST request to an online form whose link is embedded in the phishing kit.

Devs double-crossing Buyers

The experts observed that the authors of phishing kits had been double-dipping to improve their earnings by including code that copies the stream of stolen information to their community host.

Group-IB explained that one way is by configuring the “send” function to deliver the information to the email provided by the buyer of the phishing kit as well as a “token” variable associated with a hidden email address.

The POST request from scripts responsible for sending out the data also initializes the “token” variable. Decoding the data from “token” shows that the developer associated two email addresses with its value.
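For analysts triaging a captured kit, the sketch below (an added example, not Group-IB's tooling or code from any kit) flags the collection channels described above: Telegram Bot API calls, Google Forms submission links, and addresses hidden in encoded string literals. It assumes the "token" value is Base64-encoded, which the article does not state; the sample lines and every value in them are constructed placeholders.

```python
import base64
import binascii
import re

# Constructed sample of kit source lines; every value is a placeholder.
SAMPLE_KIT = '''
$to = "buyer@example.com";
$token = "{token}";
$api = "https://api.telegram.org/bot000000000:CONSTRUCTED-PLACEHOLDER/sendMessage";
$form = "https://docs.google.com/forms/d/e/CONSTRUCTED_FORM_ID/formResponse";
'''.format(token=base64.b64encode(b"dev1@example.net,dev2@example.net").decode())

TELEGRAM_RE = re.compile(r"https?://api\.telegram\.org/bot[\w:-]+/\w+", re.I)
GFORM_RE = re.compile(r"https?://docs\.google\.com/forms/[\w/-]+/formResponse", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Quoted string literals long enough to be a Base64-encoded address list
# (assumption: the hidden addresses are Base64-encoded).
B64_LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def hidden_emails(source):
    """Decode Base64-looking literals and return any e-mail addresses inside."""
    found = []
    for literal in B64_LITERAL_RE.findall(source):
        try:
            decoded = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # not valid Base64, or not text
        found.extend(EMAIL_RE.findall(decoded))
    return found


def triage(source):
    """Summarise the data-collection channels referenced in kit source."""
    return {
        "telegram": TELEGRAM_RE.findall(source),
        "google_forms": GFORM_RE.findall(source),
        "plain_emails": EMAIL_RE.findall(source),
        "hidden_emails": hidden_emails(source),
    }


if __name__ == "__main__":
    for channel, hits in triage(SAMPLE_KIT).items():
        print(channel, hits)
```

Addresses that appear only under "hidden_emails" are the ones a kit buyer would not see in the configuration, which is the double-dipping pattern the article describes.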

The main target for cybercriminals was online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%.

Financial institutions turned out to be the third favourite among scammers, with their share totalling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages,” comments CERT-GIB Deputy Head Yaroslav Kargalev.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
