Cybercriminals are using bots deployed in popular messaging apps Discord and Telegram to steal credentials, new research has revealed. Users of gaming platforms Roblox and Minecraft are also being targeted in similar attacks, according to a report from security vendor Intel471.
The gangs are using info-stealing tools – trojan malware designed to swipe information from systems – which they attach to legitimate bots in the apps to lift credentials such as autofill data, bookmarks, browser cookies, card information and passwords, the report says.
Bots are used on Telegram and Discord to allow users to share media, play games and moderate channels for undesirable content. But they can also be used to deliver malware.
The Intel471 team found that one information-stealing trojan, known as X-files, can download information stored in multiple browsers by accessing bot commands inside Telegram. On Discord, the app’s ‘webhooks’ feature that implements automated messaging and updates has been co-opted by an info stealer called Blitzed Grabber to store stolen data.
The cloud infrastructure used by these apps is also being targeted. “Many threat actors currently use Discord’s content delivery network (CDN) to host malware payloads,” the report says. “Malware operators seemingly do not face any restrictions when uploading their malicious payloads to the Discord CDN for file hosting. The links are open to any users without authentication.”
The design of these apps makes them easy for criminals to access says Chris Hauk, consumer privacy advocate at Pixel Privacy. “Many messaging platforms were not built for organisational use, and were instead created for general usage,” Hauk says. “They often have APIs that allow anyone to implement malware, as they do not require any authorisation to write code to run on the platforms.”
Discord and Telegram malware attacks are common
As the popularity of these messaging platforms increases, they become a more attractive target for hackers. Discord currently has 150 million active users compared to 100 million in 2020, while Telegram claims to gave 700 million active users, up from 400 million two years ago.
Attacks are ticking up too. In 2021 security company Check Point detected a 140% year-on-year increase in the amount of malware on Discord servers. The company had also discovered 9,500 unique URLs hosting malware on Discord’s CDN.
Last year it was revealed an entire scam has been automated on Telegram to steal money and payment data. Known as “Classicscam”, Telegram bots were used to provide criminals with ready-to-use pages mimicking popular classifieds, marketplaces and sometimes delivery services. Security vendor Group-IB discovered “at least 40 groups leveraging ‘Classicscam’ with each of them running a separate Telegram chat-bot”. Group-IB estimated that the gangs were making $522,000 per month from the scheme.
How should businesses approach Discord and Telegram?
Discord is increasingly used by businesses, with several productivity platforms including Slack, Trello and Microsoft Teams offering integration options. This could give an info stealer access to company data.
On Telegram, bots are commonly used to conduct business. They can be deployed as an alternative to mobile apps because they are easier to develop and don’t require users to install additional apps or software. These bots can take over communications with customers and even place orders with payment.
Etay Maor, senior director of security strategy at Cato Networks, says: “We’ve seen a significant increase in the usage of consumer applications, such as Discord, on enterprise networks. The number of Telegram flows on enterprise networks more than tripled in the first quarter of 2022, and TikTok flows increased by 10%.”
Tech leaders must insist on “full visibility into their entire network”, Maor says, if they are “to identify the applications being run in the organisation.” Only then “can they accurately understand their risk,” he adds.
Even if companies do not use these apps to conduct business, employees using them on their own devices could be just as dangerous, adds Hauk. “While companies can outlaw and block the use of these messaging services by employees during company hours, this does not prevent employees from using the messaging services on their own time,” he says. “Organisations should survey employees to find out how they use these messaging apps, then consider whether or not the messaging apps can be used reasonably safely.”
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.