Telegram Channels Offer Great Anonymity and Are Being Increasingly Used by Cybercriminals
Serious criminals are abandoning the upper levels of the dark web. The reasons appear to be the relative ease with which such criminal forums are penetrated by law enforcement agents and security researchers — and the recent shut-downs of major criminal forums Hansa Market and AlphaBay.
Last month, Cybereason tested this idea and concluded that serious criminals have migrated to the deeper, closed forums of the dark web. In research published yesterday, Check Point researchers now postulate an alternative destination for these criminals: not deep, dark, Tor-hidden forums, but Telegram.
Telegram is an encrypted instant messaging system first released in 2013. Like WhatsApp, it offers individual conversations and group chats — but what sets it apart is its security strength and end-to-end encryption. “As a result, some of its hosted chat groups have become a useful alternative to the secretive forums on the Dark Web,” say the Check Point security team.
Telegram groups are known as channels. It is these channels that are increasingly used by criminals. “Any threat actor with a shady offer or conversation to start, can enjoy private and end-to-end encrypted chats instead of the exposed threads that are seen in online forums.” The advantages are obvious. They are easier to operate, easier to join, and offer even greater anonymity.
Check Point gives three examples of how Telegram is used. Three channels were found in Russia known as Dark Job, Dark Work and Black Markets. Dark Job recruits staff for illegal jobs. The jobs are graded white (for little danger), grey (for greater illegality and difficulty), and black (for dangerous with legal risks). Anyone with the Telegram app can join this channel and can both post advertisements and apply for jobs with complete anonymity. The same principle applies to other channels, and some already have thousands of subscribers.
The simplicity of this criminal method is particularly worrying.
“This is especially worrying,” say the researchers, “considering the accessibility of the channels and the promises of high salaries made to those who might otherwise refrain or have no way to reach these markets.” In other words, the migration of criminals to Telegram might easily increase the general level of criminality in society.
One area that particularly worries Check Point is the promotion of insider deals. It is easy to imagine a channel called ‘Insiders’. This could attract any authorized employee with a grudge or need for additional finances to sell inside access to corporate networks anonymously via Telegram.
“Threat actors might take advantage of these employees in order to obtain insider information and sensitive data that is unavailable to the public,” warn the researchers. “This inside information could then be used for personal purposes or sold, or to conduct a cyber-attack from the inside of the company. This would thus eliminate the efficiency of some security solutions. After all, having someone ‘on the inside’ is a very powerful tool. Just like in the real world, in the world of cybercrime it can often be not what you know but who you know.”
This is already happening on the Dark Job channel. One advertisement is looking for employees of Western Union or MoneyGram that have access to certain systems — and offering payment of $1000 per day.
The Dark Work channel seems to be more geared towards criminal projects than employment. One example reads, “Wanted for a dark project: Cryptor running on all systems from Windows XP to 10. Bypassing the top AV especially Avast and Defender.” The concern here is that a criminal entrepreneur could outsource an entire project without needing to know anything about technology, or even about his suppliers.
The Dark Market is simply that — a marketplace for shady goods. Novice users, say the researchers, can find “messages promoting stealthy crypto-miners that will run without the victims’ knowledge in exchange for 600 rubles, or even infostealers that collect documents, screenshots and passwords in exchange for 1000 rubles.” This makes the Telegram channels very similar to the dark web marketplaces (such as the old Silk Road), but easier and more secure to use.
Government recognition of the increasing criminal use of Telegram is likely behind both the recent national bans, and the western demands for law enforcement encryption backdoors. In March, Russia’s Supreme Court ordered that Telegram must provide decryption keys to the country’s security services — which Telegram declined. In mid-April, Russia began blocking Telegram.
Iran also banned Telegram on April 30, 2018, but is so far having little success. As of May 7, Iran’s state-owned Telecommunications Infrastructure Company (TIC), which operates under President Hassan Rouhani’s Telecommunications Ministry, has yet to comply with a prosecutor’s order to block the Telegram messaging app. Radio Farda, a Persian language broadcaster at Radio Free Europe/Radio Liberty, reported today that many Iranians will use filtering software to avoid the ban. Of 9,485 respondents to a question, 9,024 replied they would “stay on Telegram using filtering circumvention software”. (This is not a scientific study and is biased towards Iranian citizens already listening to a foreign broadcaster.)
In western democracies, the growing use of Telegram amply illustrates law enforcement’s concern that criminals are going dark; and that law enforcement requires encryption backdoors to counter the threat. “Through the use of such tools, access to malware has never been easier, personal documents and certificates can be spread to unknown destinations and companies can be threatened by their own employees,” concludes Check Point.