Into the world of Phishing-as-a-Service Providers operating on Telegram targeting Australia

Welcome to the fascinating world of the phishing-as-a-service (PaaS) provider ecosystem in Australia, where cybercriminals have turned their malicious activities into a profitable business.

In our ever-expanding digital frontier, cybersecurity threats are sprouting like dandelions in springtime. Phishing attacks – the cyber equivalent of throwing a line and hook into a crowded pool and seeing who bites – have become particularly fashionable. Down under, Australia, a country known more for its kangaroos and surfing beaches than cybercrime, is surprisingly not exempt from these fishy affairs. Here, in the land of Vegemite and Kylie Minogue, a flourishing PaaS industry – that’s Phishing-as-a-Service, not Platypus-as-a-Swimming buddy – has bloomed. This shady underworld is filled with cyber mobsters, selling their services to fellow hoodlums, making it as easy as pie (or should we say, meat pie) to carry out high-tech phishing expeditions.

This blog covers the fraudsters lurking on Telegram who fuel the cybercrime ecosystem.

The Rise of Phishing as a Service in Australia

The rise of phishing as a service in Australia can be attributed to the increasing demand for stolen personal and financial information in the cybercriminal underground. With advancements in technology and the widespread availability of hacking tools, cybercriminals are constantly seeking new ways to exploit vulnerabilities and maximize their profits. Phishing as a service has emerged as an attractive option for both experienced and novice cybercriminals, as it offers a cost-effective and efficient method to carry out successful attacks.

The PaaS industry in Australia has witnessed significant growth in recent years, with an increasing number of cybercriminals turning to these services to carry out their malicious activities. The ease of access to PaaS providers, coupled with the low barrier to entry, has contributed to the proliferation of phishing attacks in the country. The availability of ready-made phishing templates, customised attack strategies, and customer support has made it easier than ever for cybercriminals to launch sophisticated campaigns, targeting individuals and organisations alike. The impact of phishing as a service on businesses and individuals in Australia is significant.

By the numbers

The following figures, taken from Scamwatch, show the impact phishing has had since January 2023:

  • Amount Lost – $17,282,922
  • Number of Reports – 53,718
  • Reports with financial losses – 2.6%

The role that Telegram channels play in the ecosystem

For security considerations and to avoid causing unnecessary concern, I will refrain from disclosing the names of specific channels. At present, I am tracking activities across six channels, reduced from the initial nine or so.

These channels largely involve both domestic and international actors, particularly from the UK, who are seeking mule or drop accounts. They are engaged in activities like selling Australian IDs, offering unauthorised access to customer bank accounts, providing SMS testing, and operating gateway services. Some even offer phishing panels. The following images are captured from these Telegram channels that are currently under surveillance, where the tools and services are being advertised.

The provided screenshots demonstrate that, regardless of an actor’s level of expertise, entering the phishing game is quite straightforward, particularly when there’s a financial incentive involved.

Strategies to Protect Against Phishing Attacks

Here are some recommendations to help readers protect themselves against SMS phishing:

  1. Never Click Suspicious Links: SMS phishing often includes a link that, when clicked, leads to a fake site designed to collect your personal information. These links may also contain malware. If you receive a text from an unknown source or even from a known source but with a strange message, don’t click on any included links.
  2. Don’t Share Personal Information: No legitimate business or organization will ask for your sensitive information through a text message. Don’t provide your social security number, bank account details, or credit card numbers to anyone who requests this information via text.
  3. Verify the Sender: If a message seems to be from a known organization or business but seems suspicious, contact the organization directly using a verified number or email address to verify the message.
  4. Don’t Download Attachments: Similar to suspicious links, attachments in suspicious text messages may contain malware. If you receive an unexpected or suspicious text message with an attachment, do not download it.
  5. Use Security Software: If available for your device, use security software to help protect against malware and other threats. Ensure that your software is kept up-to-date.
  6. Report Suspicious Texts: In many regions, you can report phishing texts to your service provider, a local authority, or your bank. This can help to stop the spread of these scams.
  7. Educate Yourself: Keep yourself informed about the latest phishing techniques. Many attackers continuously refine their methods, so staying informed can help you to identify suspicious messages.
  8. Enable Two-Factor Authentication: For any online accounts, especially those that contain sensitive information, enable two-factor authentication. This adds an extra layer of security, making it harder for phishers to access your accounts even if they do manage to deceive you.
  9. Regularly Monitor Your Accounts: Regularly review your bank, credit card, and other financial accounts for any unusual activity. If you find any suspicious transactions, report them to your bank immediately.
  10. Be Cautious of Messages That Generate a Sense of Urgency: Many phishing attacks try to scare the recipient into acting quickly without thinking. If a message makes you feel rushed, pause and take the time to think through the situation.

Additionally, it’s worth highlighting the commendable action recently taken by the National Australia Bank (NAB). In a noteworthy move towards enhancing security, they’ve decided to eliminate all hyperlinks, often referred to as Call To Action, from their customer communications.
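A no-link policy like this one also gives defenders a simple filtering rule: any message that uses the brand and carries a link cannot be genuine. The sketch below is an added example, not code from NAB or from this blog; the cue lists, the verdict names and the sample messages are assumptions constructed for illustration.

```python
import re

# Matches scheme/www links and bare domains such as "nab-verify.example/login".
# Deliberately broad: a false positive costs a review, a miss costs a victim.
URL_RE = re.compile(r"(?:https?://|www\.)\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)
NO_LINK_BRANDS = ("nab",)  # brands that have stated they send no hyperlinks
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|suspended|locked|final notice|within \d+ hours?)\b", re.I)
SENSITIVE_RE = re.compile(
    r"\b(password|pin|card number|account number|verification code)\b", re.I)

def triage(sender, text):
    """Return (verdict, reasons) for one inbound SMS."""
    links = URL_RE.findall(text)
    brands = [b for b in NO_LINK_BRANDS
              if re.search(rf"\b{re.escape(b)}\b", f"{sender} {text}", re.I)]
    reasons = []
    if links and brands:
        reasons.append(f"link in a message using no-link brand {brands[0].upper()}")
    elif links:
        reasons.append("contains a link")
    if URGENCY_RE.search(text):
        reasons.append("urgency cue")
    if SENSITIVE_RE.search(text):
        reasons.append("asks for sensitive data")
    if links and brands:
        verdict = "block"       # the brand never sends links, so this is spoofed
    elif len(reasons) >= 2:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, reasons

# Constructed sample messages (sender ID, body); none are real traffic.
SAMPLES = [
    ("NAB", "NAB: your account is suspended. Verify immediately at nab-verify.example/login"),
    ("NAB", "NAB: a payment of $250.00 to J Smith was made today. If this wasn't you, "
            "call the number on the back of your card."),
    ("PARCEL", "Your parcel is held. Pay the fee within 24 hours: https://parcel-fee.example/pay"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, triage(sender, body))
```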

Remember, the key to avoiding phishing scams is skepticism and caution. If something feels off, it probably is.

Strategies for banks to implement or consider

Banks and financial institutions are prime targets for phishing and fraud. Here are some recommendations for banks to help them combat these threats:

  1. Implement Multi-Factor Authentication (MFA): MFA provides an additional layer of security by requiring users to prove their identity in two or more ways before accessing their accounts.
  2. Educate Customers: Banks should regularly educate their customers about the latest phishing and fraud techniques. This education could be in the form of emails, website articles, or even in-person seminars. The more aware customers are, the less likely they are to fall victim to these scams.
  3. Email and SMS Security: Banks should ensure they use secure methods for email and SMS communication, such as DKIM, SPF, and DMARC for emails, and similar standards for SMS. These help to prevent spoofing, where fraudsters pretend to be the bank.
  4. Use AI and Machine Learning: Advanced technologies can be used to detect and prevent fraudulent activities. Machine learning algorithms can analyze patterns of behavior to identify suspicious activities.
  5. Regularly Monitor and Audit Transactions: Regular monitoring can help to detect any unusual activities. If any suspicious transactions are identified, they should be investigated immediately.
  6. Secure Website: Banks should always use HTTPS for their websites and any associated online platforms. This helps to ensure that the communication between the customer’s device and the bank’s servers is encrypted.
  7. Implement Biometric Verification: Biometric verification, such as fingerprint scanning or facial recognition, provides an additional layer of security that is difficult for fraudsters to bypass.
  8. Regularly Update Security Systems: Security systems should be updated regularly to protect against the latest threats. This includes not just the bank’s main systems, but also any customer-facing applications or websites.
  9. Employ Threat Intelligence Services: Banks can employ threat intelligence services to get information about the latest threats and potential vulnerabilities. These services can help banks to proactively protect themselves.
  10. Fraud Detection Teams: Having a dedicated team to handle fraud detection and prevention can be beneficial. This team would be responsible for keeping up to date with the latest threats, and for responding quickly when a potential threat is detected.
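For the email side of recommendation 3, publishing SPF and DMARC records is not enough on its own, because a permissive policy still leaves the domain spoofable. The following added example (not from the original post) audits the two records for common weak settings; the domains and records are constructed samples, and DKIM is not covered because checking it requires knowing the sender's selectors.

```python
import re

def needs_lookup(term):
    """True for SPF terms that cost a DNS lookup (RFC 7208 allows at most 10)."""
    head = re.split(r"[:/=]", term.lstrip("+-~?").lower(), maxsplit=1)[0]
    return head in {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    lookups = sum(needs_lookup(t) for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10")
    all_terms = [t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        if not any(t.lower().startswith("redirect=") for t in terms[1:]):
            findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_terms[0] in ("all", "+all"):
        findings.append("'+all' authorises every sender")
    elif all_terms[0] in ("~all", "?all"):
        findings.append(f"'{all_terms[0]}' does not ask receivers to reject unlisted senders")
    return findings

def audit_dmarc(record):
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record"]
    tags = {k.strip().lower(): v.strip() for k, _, v in
            (part.partition("=") for part in record.split(";")) if v}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: no enforcement requested for failing mail")
    elif tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains without enforcement")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports on spoofing attempts")
    return findings

# Constructed sample records; real ones come from TXT lookups of the domain and _dmarc.<domain>.
SAMPLES = {
    "bank.example": ("v=spf1 include:_spf.mailer.example ~all", "v=DMARC1; p=none"),
    "hardened-bank.example": ("v=spf1 ip4:192.0.2.0/24 -all",
                              "v=DMARC1; p=reject; rua=mailto:dmarc@hardened-bank.example"),
}
for domain, (spf, dmarc) in SAMPLES.items():
    print(domain, audit_spf(spf) + audit_dmarc(dmarc))
```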

It’s important to remember that no system is completely secure. Therefore, a combination of these methods, alongside a robust contingency plan in case a breach does occur, is the most effective way for banks to protect themselves and their customers.
