Collect Phished Credentials

Cybercriminals are increasingly using legitimate services such as Google Forms and Telegram to gather user data stolen on phishing websites. Alternative ways to collect data help cybercriminals keep it safe and start using the information immediately.

The researchers at cybersecurity company Group-IB noticed that more of these tools allow collecting stolen user data using Google Forms and Telegram.


Group-IB’s Computer Emergency Response Team (CERT-GIB) analyzed the tools used to create phishing web pages (phishing kits) and discovered that, in the past year, they were most often used to generate web pages mimicking online services (online tools to view documents, online shopping, streaming services, etc.), email clients, and traditional financial organizations. Last year, Group-IB identified phishing kits targeting over 260 unique brands.

A phishing kit is a toolset that helps create and operate phishing web pages that mimic a specific company or even several at once. Phishing kits are usually sold on underground forums on the darknet.

The use of Telegram is not new as operators turned to the service due to it being anonymous and easy to use. The notorious phishing kit 16Shop had this option back in 2019. A scam-as-a-service operation used by at least 40 cybercriminal gangs to impersonate popular classifieds, also relied on Telegram bots to provide fraudulent web pages.

Sending stolen data collected from a phishing site to Google Form is done through a POST request to an online form whose link is embedded in the phishing kit.

Devs double-crossing Buyers

The experts observed that the authors of phishing kits had been double-dipping to improve their earnings by including code that copies the stream of stolen information to their community host.

Group-IB explained that one way is by configuring the “send” function to deliver the information to the email provided by the buyer of the phishing kit as well as a “token” variable associated with a hidden email address.

The POST request from scripts responsible for sending out the data also initializes the “token” variable. Decoding the data from “token” shows that the developer associated two email addresses for its value.

The main target for cybercriminals was online services (30.7%). By stealing user account credentials, hackers gain access to the data of linked bank cards. Email services became less appealing last year, with the share of phishing kits targeting them dropping to 22.8%.

Financial institutions turned out to be the third favourite among scammers, with their share totalling above 20%. In 2020, the brands most often exploited in phishing kits were Microsoft, PayPal, Google, and Yahoo.

“Phishing kits have changed the rules of the game in this segment of the fight against cybercrime. In the past, cybercriminals stopped their campaigns after the fraudulent resources had been blocked and quickly switched to other brands. Today, they automate their attacks and instantly replace the blocked phishing websites with new web pages,” comments CERT-GIB Deputy Head Yaroslav Kargalev.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.