Phishers migrate to Telegram

Pierluigi Paganini April 06, 2023

Experts warn that Telegram is becoming a privileged platform for phishers that use it to automate their activities and for providing various services.

Kaspersky researchers have published an analysis of phishers’ Telegram channels used to promote their services and products.

The experts pointed out that crooks engaged in phishing activities have started to rely on the popular instant messaging platform more in recent months.

On Telegram is possible to find channels that offer:

Free phishing kits that can be used to target users of a large number of global and local brands. Phishers also use to share stolen personal data with their subscribers. The free phishing material is offered as bait of sorts for less experienced phishers to bite and to recruiting an unpaid workforce.

  • One reason is that any free content or manuals so willingly distributed by scammers to their Telegram audience serve as bait of sorts for less experienced phishers to bite. Newbies get a taste of what phishing tools can do, pull off their first scam and wish for more, which is when they will be offered paid content. The creators of phishing bots and kits can get access to data that is gathered with their tools.

“To attract larger audiences, scam operators advertise their services, promising to teach others how to phish for serious cash.” reads the post published by Kaspersky.

Contents of a free phishing kit archive

  • Paid phishing pages and data, as well as phishing-as-a-service (PhaaS) subscriptions. Crooks use Telegram channel to offer paid phishing content and data. They also provide phishing-as-a-service (PhaaS) subscriptions that give their customers access to phishing tools, as well as guides for beginners and technical support.

“Malicious actors offer “premium” phishing and scam pages for sale. Unlike the primitive copies of popular websites, these offers include pages built from scratch with a range of advanced capabilities or tools for generating such pages.” continues the report. “For instance, a “premium” page may include elements of social engineering, such as an appealing design, promises of large earnings, an anti-detection system and so on.”

The cost of phishing pages goes from $10 per copy up to $50 for an archive containing several pages. A package containing features such as 3-D Secure support and support for configuring a phishing website, may cost up to $300.


  • User personal data for sale. Crooks offers data collected through phishing campaign to the subscribers. Data includes verified online banking credentials, in some cases phishers also provides info on the account balances.

“The higher the balance, the more money scammers will typically charge for the credentials.” continues the analysis. “For example, the same Telegram channel offered the credentials for a bank account with $1,400 in it for $110, whereas access to an account with a balance of $49,000 was put up for $700.”

  • Phishing-as-a-Service. Telegram channels are used to sell a range of subscriptions, with can also include customer support. Phishers provides updates on a regular basis for the phishing tools, anti-detection systems and links generated by the phishing kits.
  • One-time password (OTP) bots. These bots allows phishers to bypass 2FA (two-factor authentication) protections automatically. The experts observed that a subscription for this kind of service goes for$130/week, or $500/month for custom deployments.

In the last six months, Kaspersky has detected 2.5 million malicious URLs generated with phishing kits. The cyber security firm reported that it has prevented 7.1 million attempts by users to access these malicious sites within the same period.

“Wannabe phishers used to need to find a way onto the dark web, study the forums there and do other things to get started.” concludes the report. “The threshold to joining the phisher community lowered once malicious actors migrated to Telegram and now share insights and knowledge, often for free, right there in the popular messaging service.”

Please vote for Security Affairs ( as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here:

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Phishing)

you might also like

leave a comment