According to BankInfoSecurity, hackers are using simple Base64-encoded strings together with a bot that sweeps up the payment card information, along with code that connects to Telegram to exfiltrate the card data. The Base64 encoding lets the payment card data leave the site without security tools flagging the theft. Although other cybercriminals had previously used Telegram to distribute malware and steal data, fraud over this channel was first detected in August 2020 by security researcher AffableKraut.
Moreover, in the majority of skimming attacks the payment card data is stored in a domain or file controlled by the attackers and then exfiltrated through a command-and-control infrastructure that communicates with the skimming JavaScript. The attacks leveraging Telegram instead use encryption in conjunction with a Telegram channel, which makes the exfiltration faster and more efficient.
Consequently, when a shopper enters payment information on an ecommerce site, that information is transferred to the payment processor as usual, but a copy is also sent to the fraudsters. By using Telegram, the hackers can quickly collect the payment card data and use it to purchase goods or sell it on underground forums, a method that helps them avoid detection.
Furthermore, BankInfoSecurity reported that blocking this type of attack is difficult: even if ecommerce companies cut off access to Telegram at the network level, the cybercriminals can simply switch to another secure platform to support the skimming.
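Because the Telegram endpoint is hidden behind Base64 in the skimming script, a content-level check has to decode string literals rather than grep for the hostname. The scanner below is an added example, not code from the report or from the researchers it cites; the indicator list and the sample checkout script are constructed for illustration:

```python
import base64
import binascii
import re

# Hosts a skimmer would need to reach to post card data into a Telegram channel
# (constructed indicator list; extend it to match your own blocklist).
TELEGRAM_INDICATORS = ("api.telegram.org", "t.me/")

# A quoted run of Base64 alphabet characters long enough to hide a URL.
B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")


def decode_b64(candidate: str) -> str:
    """Strictly decode a Base64 literal; return '' if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(candidate, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return ""


def find_telegram_refs(script: str) -> list[tuple[str, str]]:
    """Return (kind, evidence) pairs: 'plain' when a Telegram host appears in
    cleartext, 'base64' when a literal only reveals one after decoding."""
    findings = []
    lowered = script.lower()
    for indicator in TELEGRAM_INDICATORS:
        if indicator in lowered:
            findings.append(("plain", indicator))
    for match in B64_LITERAL.finditer(script):
        decoded = decode_b64(match.group(1))
        if any(ind in decoded.lower() for ind in TELEGRAM_INDICATORS):
            findings.append(("base64", decoded))
    return findings


# Constructed sample: a checkout-page snippet in which the Telegram host exists
# only as a Base64 literal, so a plain hostname search would miss it. A second,
# benign Base64 literal shows that ordinary encoded strings are not flagged.
ENCODED_HOST = base64.b64encode(b"https://api.telegram.org").decode()
BENIGN_LITERAL = base64.b64encode(b"static-asset-cache-v2").decode()
SAMPLE_SCRIPT = f"""
var form = document.getElementById('checkout');
var cacheKey = '{BENIGN_LITERAL}';
var endpoint = atob('{ENCODED_HOST}');
"""

if __name__ == "__main__":
    for kind, evidence in find_telegram_refs(SAMPLE_SCRIPT):
        print(f"{kind}: {evidence}")
```

Run against the scripts served on payment pages, the check flags Telegram references whether or not they are encoded, which is the gap a network-level block alone leaves open.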