In this talk we will show how we used YARA rules to find Telegram channels, groups and even bots exposed on the Internet. We will also demonstrate an automated fraud-hunting tool: given a Telegram API key, it determines whether a target is a bot, a channel or a group and then exposes what it hides, such as C&C servers, black markets and the abuse of women. Finally, we will show how adversaries abuse legitimate apps such as Telegram to disguise their cybercrime activity from the authorities.
The Telegram messaging app has grown rapidly, adding hundreds of thousands of new users every day. Fraudsters mainly use Telegram groups and channels to organize their communities. Groups are where fraudsters advertise, connect, and share knowledge and compromised data, much the role forums play on the dark web. Channels, on the other hand, are groups in which only the administrator can post and regular members can only read, similar to blogs. Telegram also lets anyone create multi-functional bots, which are Telegram accounts that do not require a phone number to set up. These bots can perform harmless tasks such as generating cat memes on demand, accepting payments or acting as a digital storefront, but they can just as easily be put to malicious use. Because of Telegram's rich feature set and rapid adoption, it has become a sought-after tool on the fraud scene.
7. Cybercrime Is Not Just for Hackers
● No need to be a hacker or a coder
● Tor links to darknet markets can be found on Google
● Yet the darknet is a difficult place to navigate
● Reaching the more evil sites takes effort
15. Using Telegram for Cybercrime
● Launched in 2013
● 200M monthly active users
● Prides itself on its security features
● Private end-to-end encrypted chats (Secret Chats only; cloud chats, groups and channels are encrypted to Telegram's servers, not end to end)
● Groups with up to 30k members
● Channels with an unlimited number of subscribers
● Share files of nearly any type
● Anyone can use an encrypted chat
● No preliminary steps needed to hide one's identity
● Shady offers arrive with a single tap
19. Telegram Bots
● Let third-party applications run inside Telegram
● Rich feature set and quick adoption
Legitimate uses: automatic file converters, daily weather...
20. Cybercriminals' Next Step
● Automate cybercrime and remain invisible
● No need to register a host or a domain
● DDoS-style attacks against their infrastructure become irrelevant
21. Using Telegram Bots Eliminates
● The need to protect and hide their websites
● The fear of being monitored by law enforcement
49. The Steps
● Step one: create YARA rules to hunt for Telegram web pages, links and exposed APIs
● Step two: scan the Internet with my YARA rules
● Step three: output a list of Telegram usernames and APIs
● Step four: use Telethon to divide the usernames into groups, channels, bots and users
50. Telegram API Limit
● 24-hour block after 200 API requests
● Meaning only 200 Telegram accounts can be scanned per day
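The four steps on slide 49 and the quota on slide 50, as one added Python example (this is illustrative code written for this page, not the speaker's tool or rules). It carries an illustrative YARA rule for t.me/telegram.me links and leaked Bot API tokens, mirrors it with Python regexes so steps one to three run offline, classifies what Telethon's `client.get_entity()` returns the way step four describes, and splits the username list into daily batches that stay under the 200-request block. The rule text, `SAMPLE_PAGE`, the `User`/`Chat`/`Channel` stand-ins and `DIRECTORY` are constructed for the demo; in production `offline_resolver` is replaced by a Telethon client's `get_entity`.

```python
import re
from dataclasses import dataclass

# Illustrative YARA rule (assumption: not the speaker's actual rules). Save it
# as telegram_hunt.yar and run `yara -r telegram_hunt.yar crawl_dir/` over a
# crawl dump. The Python regexes below mirror it so the pipeline runs offline.
YARA_RULE = r"""
rule telegram_artifacts
{
    meta:
        description = "Telegram links/usernames and exposed bot API tokens"
    strings:
        $link  = /https?:\/\/(t|telegram)\.(me|dog)\/[A-Za-z][A-Za-z0-9_]{4,31}\b/ nocase
        $token = /\b[0-9]{8,10}:[A-Za-z0-9_-]{35}\b/
    condition:
        $link or $token
}
"""

# Public usernames: 5-32 chars, start with a letter, letters/digits/underscore.
LINK_RE = re.compile(
    r"https?://(?:t|telegram)\.(?:me|dog)/([A-Za-z][A-Za-z0-9_]{4,31})\b", re.I)
# Bot API token: numeric bot id, colon, 35-char secret. Whoever holds it can
# drive the bot through api.telegram.org, so a leaked token is an exposed API.
TOKEN_RE = re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")
# t.me path segments that are features, not usernames
RESERVED = {"joinchat", "addstickers", "share", "proxy", "socks"}


def hunt(text):
    """Steps one to three: pull usernames and bot tokens out of page text."""
    usernames, seen = [], set()
    for m in LINK_RE.finditer(text):
        name = m.group(1)
        key = name.lower()  # Telegram usernames are case-insensitive
        if key in RESERVED or key in seen:
            continue
        seen.add(key)
        usernames.append(name)
    tokens = list(dict.fromkeys(TOKEN_RE.findall(text)))  # dedup, keep order
    return {"usernames": usernames, "bot_tokens": tokens}


# Constructed stand-ins for telethon.tl.types.User / Chat / Channel, carrying
# only the fields the classification needs.
@dataclass
class User:
    username: str
    bot: bool = False

@dataclass
class Chat:          # basic group
    title: str

@dataclass
class Channel:
    username: str
    broadcast: bool = False   # True: broadcast channel
    megagroup: bool = False   # True: supergroup


def classify(entity):
    """Step four: map what client.get_entity(username) returns to a category.
    Telethon returns User (bot flag), Chat (basic group) or Channel
    (broadcast=True is a channel, otherwise a supergroup)."""
    kind = type(entity).__name__
    if kind == "User":
        return "bot" if entity.bot else "user"
    if kind == "Chat":
        return "group"
    if kind == "Channel":
        return "channel" if entity.broadcast else "group"
    raise TypeError(f"unexpected entity type {kind}")


def classify_all(usernames, resolver):
    """resolver is client.get_entity in production (sync wrapper or awaited);
    here an offline stand-in is passed in."""
    return {u: classify(resolver(u)) for u in usernames}


DAILY_LIMIT = 200  # slide 50: 200 requests before a 24-hour block

def schedule(usernames, per_day=DAILY_LIMIT):
    """Split unique usernames into per-day batches that never trip the block."""
    uniq = list(dict.fromkeys(usernames))
    return [uniq[i:i + per_day] for i in range(0, len(uniq), per_day)]


# Constructed sample page (the token and handles are made up for the demo).
SAMPLE_PAGE = """
<a href="https://t.me/fraudmarket_demo">join the market</a>
Contact admin: https://t.me/demo_seller_01?start=ref
Invite: https://t.me/joinchat/AAAAAE1234567890
Stickers: https://t.me/addstickers/CatMemes
Leaked in JS: var TOKEN = "123456789:AAEexample_token_35_chars_long_abc1";
Mirror: https://telegram.me/Demo_Channel_News
"""

# Constructed directory standing in for the Telegram API during the demo.
DIRECTORY = {
    "fraudmarket_demo": Channel("fraudmarket_demo", megagroup=True),
    "demo_seller_01": User("demo_seller_01"),
    "demo_channel_news": Channel("Demo_Channel_News", broadcast=True),
}

def offline_resolver(username):
    return DIRECTORY[username.lower()]


if __name__ == "__main__":
    found = hunt(SAMPLE_PAGE)
    print("usernames:", found["usernames"], "tokens:", found["bot_tokens"])
    for day, batch in enumerate(schedule(found["usernames"]), 1):
        print(f"day {day}:", classify_all(batch, offline_resolver))
```

The `RESERVED` set matters in practice: `t.me/joinchat/...` and `t.me/addstickers/...` match the username pattern but are invite and sticker links, and feeding them to `get_entity` wastes part of the daily quota on lookups that can only fail.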