The use of Telegram bots as exfiltration destinations for phished information increased by 800% between 2021 and 2022.
The new data comes from security researchers at Cofense, who published a report about them on Wednesday.
According to the findings, this growth is mainly associated with the increasingly popular tactic of using HTML attachments as a delivery method when phishing credentials.
"While Telegram bots being used by threat actors to exfiltrate information is not new, it has not been commonly known for its use in credential phishing," reads the Cofense report.
"Telegram bots have become a popular choice for threat actors since they are a low-cost/free, single-pane-of-glass solution."
In other words, by merging the ease of Telegram bot setup and the tactic of attaching HTML credential phishing files to an email, a threat actor can easily reach inboxes while simultaneously exfiltrating credentials using a generally trusted service.
"Bots are unpredictable and can sometimes over-deliver. However, cyber-criminals are looking for new ways to automate attacks outside of email. I think this is the start of a trend that will become more sophisticated over time," said SlashNext CEO Patrick Harr.
"Organizations need to implement multi-channel security to ensure users are protected against credential stealing, BEC [business email compromise] and attachments across mobile and web messaging apps, including WhatsApp and Telegram."
Patrick Tiquet, vice president of security & architecture at Keeper Security, echoed Harr's point, saying organizations should take the same measures to protect against phishing bots as they would to prevent any other type of phishing attack, including education and using a password manager.
"It's human nature to believe what we see, which is why aesthetics and user interface often trick users into clicking on a malicious, incorrect URL," the executive told Infosecurity.
"The key is to ensure the URL matches the authentic website. When a password manager is used, it automatically identifies when a site's URL doesn't match what's in the user's vault. This is a critical tool for preventing the most common attacks, including phishing scams."
Bots were also at the center of account takeovers (ATOs), distributed denial of service (DDoS) attacks and card fraud attempts during the 2022 winter holiday season.