Criminal hackers linked to the Magecart collective are now using Telegram as a channel for sending stolen credit-card information back to their command-and-control (C2) servers.
The e-commerce card-skimming trojan has been caught using the popular messaging app to exfiltrate data; the benefit for the attackers is that the exfiltration blends in with normal traffic, making it harder to detect.
Recent campaigns have shown data such as name, address, credit-card number, expiry date and CVV being relayed in an instant message sent to a private Telegram channel.
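The detection angle follows directly from the mechanism described above: a checkout page has no legitimate reason to talk to the Telegram Bot API. The script below is an added example written for this article, not code from Malwarebytes or from the skimmer itself. It scans egress-proxy log lines for requests to `api.telegram.org/bot<token>/send…`, raises the severity when the referer is a checkout page or when the message payload carries a Luhn-valid card number, and redacts the bot token before reporting. The log format, hostnames and token values are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse, parse_qs

# Constructed egress-proxy log lines (not captured traffic). Assumed format:
# <timestamp> <client_ip> <method> <url> <referer> <status>
SAMPLE_LOG = """\
2020-09-01T10:00:01Z 10.0.0.5 GET https://shop.example/checkout - 200
2020-09-01T10:00:02Z 10.0.0.5 GET https://cdn.example/js/app.js https://shop.example/checkout 200
2020-09-01T10:00:09Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAExampleBotTokenNotReal/sendMessage?chat_id=-100200300&text=Card%3A+4111111111111111+exp+12%2F24+cvv+123 https://shop.example/checkout 200
2020-09-01T10:05:00Z 10.0.0.7 POST https://api.telegram.org/bot555:DevOpsBotNotReal/sendMessage?chat_id=42&text=deploy+finished - 200
"""

# Telegram Bot API paths look like /bot<token>/<method>; we only care about send* methods.
BOT_API = re.compile(r"^/bot(?P<token>[^/]+)/(?P<method>send\w+)$")
# 13-19 digits, optionally separated by spaces or dashes (PAN-like runs).
CARD_LIKE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Referer paths that indicate the request originated from a payment flow.
CHECKOUT_PATH = re.compile(r"/(checkout|payment|cart|billing)", re.I)


@dataclass
class Finding:
    timestamp: str
    client: str
    referer: str
    token_hint: str        # bot id only; the secret part is redacted
    reasons: List[str]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, referer, status = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "referer": referer, "status": status}


def inspect(entry: Dict[str, str]) -> Optional[Finding]:
    """Flag a request to the Telegram Bot API and collect the reasons it looks like card exfiltration."""
    u = urlparse(entry["url"])
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_API.match(u.path)
    if not m:
        return None
    reasons = ["telegram_bot_api:" + m.group("method")]
    if CHECKOUT_PATH.search(entry["referer"]):
        reasons.append("referer_is_checkout_page")
    # The message body travels in the "text" query parameter; parse_qs URL-decodes it.
    text = " ".join(parse_qs(u.query).get("text", []))
    pans = [re.sub(r"[ -]", "", c) for c in CARD_LIKE.findall(text)]
    if any(luhn_ok(p) for p in pans):
        reasons.append("luhn_valid_pan_in_payload")
    bot_id = m.group("token").split(":", 1)[0]
    return Finding(entry["ts"], entry["client"], entry["referer"], bot_id + ":***", reasons)


def severity(f: Finding) -> str:
    """Bot API traffic alone is suspicious; paired with checkout context or a PAN it is high severity."""
    return "high" if len(f.reasons) >= 2 else "low"


def scan(log_text: str) -> List[Finding]:
    """Run every parseable line through inspect() and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = inspect(entry)
        if f is not None:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(severity(f).upper(), f.timestamp, f.client, f.token_hint, ", ".join(f.reasons))
```

On the constructed sample the checkout-page request is reported as high severity with all three reasons, while the unrelated deploy-notification bot is reported as low. On the prevention side, a Content-Security-Policy `connect-src` allowlist on checkout pages that names only the payment endpoints the page actually needs stops the browser from reaching `api.telegram.org` at all, and the resulting CSP violation reports give the same signal without a proxy.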
As Jérôme Segura at Malwarebytes said: “Telegram is a popular and legitimate instant messaging service that provides end-to-end encryption, [and] a number of cybercriminals abuse it for their daily communications but also for automated tasks found in malware”.
Attackers have used Telegram to exfiltrate data before, though the mechanism remains a rarity. Last September, a freshly discovered commercial spyware dubbed the “Masad Clipper and Stealer” was found using Telegram bots as its C2 mechanism. Masad harvests information from Windows and Android users and also comes with a full cadre of other malicious capabilities, including the ability to steal cryptocurrency from victims’ wallets.
This news comes after a number of different researchers reported a marked uptick in the number of shopping and e-commerce sites being attacked by groups like Magecart. Their preferred method? Either exploiting a vulnerability or simply using stolen admin credentials.
Then it's business as usual for the attackers, who proceed to inject a web skimmer that exfiltrates personal and banking information entered by customers during the online checkout process.
Seems like there’s no rest for the wicked…