Illicit Telegram channels have become a growing concern in the realm of cybercrime.
Threat actors want to connect with each other in fast, reliable, and “anonymous” ways. Telegram has been their answer, and malicious actors are increasingly moving off of Tor and onto the instant messaging platform.
Flare Director of Marketing Eric Clay and CTO & Co-Founder Mathieu Lavoie talked about the realm of unauthorized Telegram channels, along with the diverse methods cybercriminals employ to conduct their nefarious activities.
Check out our full webinar recording, The New Dark Web?: Illicit Channels and their Impact on Cybersecurity, and/or keep reading for the highlights.
Relationship Between Telegram and the Dark Web
Traditional dark web marketplaces found on Tor serve as a (partially) trusted middleman between vendors and buyers with built-in escrow services. On the other hand, Telegram has thousands of individual channels, which are “direct to consumer” and vendors sell stolen credit cards, combolists, leaked credentials, and infected devices directly to other cybercriminals. In this model reputation is everything.
Compared to marketplaces on the traditional dark web, Telegram channels often specialize in selling specific classes of illicit goods such as combolists, configurations, and malware.
In addition, the channels serve as a backup method for communication that can sometimes be more reliable than traditional forums or discussion services. For example, law enforcement recently arrested the leader of Breach Forums and shut down the website. Telegram served as a backup channel for communication for Breach Forum moderators, as they assured users that they would continue operations.
Telegram and the dark web are closely intertwined, and the instant messaging platform supports gaps in dark web activities.
Telegram’s Role in Spreading MaaS
Telegram offers many functionalities and includes a fully functional API, allowing for bots and other more complex use-cases which can create automation capabilities not present on traditional Tor marketplaces. This enables threat actors to seamlessly sell subscriptions to channels, automatically deliver purchased data, and even leverage Telegram channels as command and control infrastructure for malware.
These functionalities make Telegram the preferred choice for many (if not most threat actors). High degrees of automation, lax moderation, and end to end encryption create the perfect environment for a vast underground economy.
Telegram Monitoring Best Practices
1. In-house Telegram coverage to supplement vendors’ monitoring:
Even if organizations are working with CTI vendors, security teams should invest the time to help the vendor optimize coverage based on their specific use-cases and risks. For example, there may be very small but highly relevant channels that are likely not in the vendor’s initial collection but may be directly relevant to the customer based on the type of data being sold, threat actors posting there, or other factors.
With the sheer volume of Telegram channels, manual monitoring is impossible for full coverage of all relevant channels. We recommend that companies find a vendor they are comfortable with that takes a unified approach to monitoring both illicit Telegram and traditional Tor marketplaces. Threat actors operate across thousands of channels and often create new channels, change their names, and merge channels, making manual approaches to monitoring prone to high miss-rates.
3. Eliminating noise:
Another advantage of working with a vendor is that they will likely de-duplicate identical posts and images, allowing security teams to focus on the most relevant data while not getting bogged down in noise.
How Flare Can Help
Flare monitors illicit Telegram channels, (and the clear & dark web) for high-risk data exposure. We have teams dedicated to automating collection, structuring, deduplication, and analysis of data found in Telegram channels to provide high-impact relevant results to our customers.
Curious about how Flare can help your organization stay on top of Telegram coverage?
Request a demo to see Flare’s Telegram monitoring for yourself.