Dark side of encrypted chat apps: market for counterfeit goods and hacking tools
Encrypted chat apps have been instrumental in subverting authoritarian regimes. However, because of their private nature, cybercriminals exploit them to sell illegal goods.
Researchers from the cybersecurity company NortonLifeLock found a wide range of illegal goods being sold on chat apps, such as Telegram, Signal, and WhatsApp. Goods included personally identifiable information, likely stolen gift cards, fake documents, and tools to facilitate cybercrime, such as distributed denial-of-service (DDoS) infrastructure.
The researchers have not contacted the apps they analyzed, as the activity is not a vulnerability per se and criminals use various communication channels. It has been widely reported that encrypted chat apps are used to recruit cybercriminals or even to distribute malware into organizations.
Encrypted chat apps, such as Telegram, Signal, and WhatsApp, have been instrumental in dismantling authoritarian regimes and organizing uprisings. Hongkongers switched to more private means of communication once China imposed a new National Security Law in Hong Kong. Belarusians embraced VPNs and Telegram when Alexander Lukashenko shut down the internet following mounting doubts about the fairness of the election and pressure to step down. Encrypted chat apps have also been used by pro-democracy dissidents to communicate amongst themselves in Russia, Thailand, and Iran.
“However, we’ve found that encrypted chat apps are also being used by criminals to sell illegal goods. Because content moderation is, by design, nearly impossible on these apps, they allow for an easy vector for dealers of illicit goods to communicate directly to customers without fear of law enforcement involvement. One example of this is Telegram, which provides especially strong anonymity protections, which are useful for dissidents, but can also be leveraged by criminals attempting to obscure their identities,” the researchers stated.
The fact that communications are encrypted makes it difficult for law enforcement to take action in stopping illicit activity.
“It depends on the encrypted chat app in question. Telegram is often used by protestors and journalists in locations where voicing dissent can be dangerous. Therefore, if bad actors have taken steps to protect their identity, it might be difficult for law enforcement to track them down. However, in this case, law enforcement can take physical-world steps, such as tracking packages back to their destinations. I imagine it would be simpler than going after online-only criminals,” Daniel Kats, Senior Principal Researcher at NortonLifeLock, told CyberNews.
Criminals exploit encrypted chat apps because of their mix of functionality and privacy. Telegram is a very full-featured chat client that is, in and of itself, close to a social network, conceptually similar to Twitter.
“In addition, there are often strong privacy guarantees that are associated with encrypted chat apps. On Telegram, in particular, you can set up an account, so the phone number used to register the account is not visible,” he added.
Here’s what researchers were able to find.
From counterfeit products to COVID vaccines and DDoS tools
Counterfeit goods are a popular product on Telegram. Researchers found many accounts and groups dedicated to selling a wide variety of counterfeit goods, including luxury watches and purses, designer clothes, and high-end electronics. For example, you can find a counterfeit Rolex for as little as $69.
In recent months, with people anxious to receive a COVID-19 vaccine, criminals have attempted to take advantage of this stress by selling what they claim are COVID-19 vaccines.
Cybercriminals often launder ill-gotten gains such as stolen credit cards through the purchase and sale of gift cards. Other times, gift cards are stolen directly through either a password leak or via vulnerabilities in the gift card provider’s website. Those gift cards are then sold at heavily discounted prices.
Another popular genre of illicit goods on Telegram is fake documents and personal information. Fueled by major data breaches, data brokers have amassed a shocking amount of personal information, including social security numbers, addresses, phone numbers, bank account numbers, and more.
Researchers observed that cybercriminals are also selling various tools and services, including the rental of DDoS infrastructure. They also found accounts marketing cheats for games, and services marketing themselves to users in India, Europe, Russia, the Arab world, and North America.
Some accounts even strategically market their items for sale to coincide with newsworthy events. Researchers found a vendor offering hacked GameStop accounts around the time that GameStop stock’s growth drew worldwide attention.
“Scammers, fraudsters, and hucksters of illegal goods are usually ahead of the curve on the latest technologies to provide a good experience for their customers. Therefore, we often see these actors as early adopters of popular technologies (cybercriminals were also among the first to adopt cryptocurrencies such as Bitcoin and Ethereum, which are now widely used by the general public for entirely legal purposes). This case is no different, and our research suggests that in the future, legitimate merchants may also adopt messaging apps and the peer-to-peer selling model they allow, similar to Telegram’s,” the researchers stated.