This is a set of scripts and protocols to conduct active defense and offensive countermeasures activities against scammers/phishers who use Telegram chats/channels as part of phishing kits, to store the victim's stolen data.
telegram-hitbackscammer.py is a practical application of Annoyance, Attribution and Attack core concepts of active defense and offensive countermeausures to screw up threat actor activities, which can help with combating data theft, financial fraud prevention, impersonation, saving people's data, and contributing to a world free of phishing :)
Want more information around these concepts? Take a look of this:
- https://icdt.osu.edu/offensive-countermeasures-art-active-defense
- https://en.wikipedia.org/wiki/Active_defense
- https://www.sans.org/white-papers/36240/
- https://www.slideshare.net/JaimeAndrsBelloVieda/una-mirada-a-la-active-defense-harbinger-distribution-como-herramienta-de-monitoreo-y-defensa-activa-ante-ataques
The goal of this development is to help security researchers, threat hunters, incident responders, individuals and even the affected companies with the provision of a protocol to be more proactive in terms of defending against phishing attacks where Telegram is used to store the stolen data.
Attackers on the wild are using Telegram as infrastructure to store the data once a victim fall into the trap. The options vary between public/private channels and private chats.
Default mode - Running telegram-hitbackscamer.py
If you don't know whether the channel found on the phishing kit is public or private, use this option to check it.
More info about the Telegram chats/channels: https://telegram.org/faq_channels
Get a list of scammer channel`s administrators, then you may see who is the owner of the channel and make a threat attribution, i.e. identify the responsible scammer/phisher.
Selecting this option, you can read and delete the messages received during the last 48 hours on public scammer channel. Be sure to input a public channel name once the program asks to avoid errors.
Selecting this option, you can read and delete the messages received during the last 48 hours on private scammer channel. Be sure to input a private channel name once the program asks to avoid errors.
This is an interesting option if you want to annoy the scammer!
This option has the power to delete immediately any message the scammer bot writes in any chat/channel associated with the malicious bot-token found on the phishing kit, if the attacker has more phishing campaings with other chats/channels created.
Once you select this option, you will see the message Ok, Listening mode for bot, and every time a victim processes the data on a phishing website associated with the bot-token value, you will see a notification on the shell/screen that the message was deleted. The scammer will be fucked up and unable to see what the bot tried to post in the chat/channel.
This will disconnect/make a bot used by a scammer/phisher leave the channel. This is a way to avoid further bot's posting on the channel without your actions being noticed. This option has 2 disadvantages though:
- The scammer/phisher would not be notified about this action, but once he/she checks the list of administrators, he/she would realize what happened. It's up to them to add again the bot or not to the channel.
- And the most important disadvantage:
Once you leave a channel, you won't be able to do anything else there. So this should be your last option.
Just to finish the program.
- Download / clone the repo
- Install required packages:
pip3 install -r requirements.txt
orpip install -r requirements.txt
- Get the Telegram API keys (api_id and api_hash) following the instructions here https://core.telegram.org/api/obtaining_api_id
- Set the API keys in your config.ini file
- You're ready to go :) simply run the main script
python3 .\telegram-hitbackscammer.py
for Linux orpython .\telegram-hitbackscammer.py
if you are using a Windows environment - The first time, you would be asked for a kind of login, input your mobile number including the + (i.e. +57300...), then you would be asked for the bot-token (i.e. 4509046619:LMnjdorkaLUIiJldlp302lJDLmciOlLjJsi), found on the phishing kit. This is to create a .session files to interact with the Telegram API
The core of telegram-hitbackscammer are the chats/channels and Telegram bot-tokens. Below you can see some examples taken from real phishing cases:
Public channel:
//bot token
var telegram_bot_id = "4509046619:LMnjdorkaLUIiJldlp302lJDLmciOlLjJsi";
//chat id
var chat_id ="@diner0facilk";
Private chat/channel:
//bot token
var telegram_bot_id = "5919290478:AAKiogpUidLGIMdImjI3V38roCOldLjsiOP";
//chat id
var chat_id ="5616310229";
So the bot token and chat id values without the quotes "" are the ones you need to have fun }:-)
- Python 3.7 or higher
- Internet Connection (You are going to be interacting with Telegram's servers)
Nope, the attackers won't have any information about you. Despite your possible actions on the attacker's chat/channel, remember we are using their own bot and, on the other hand, the communication takes place between the bot and Telegram through the API.
Because it is working according to the current policy and limitations of Telegram Bot Api https://core.telegram.org/bots/api#deletemessage
Yes you can, but I kindly recommend you to use the main one with the menu, though it's up to you :)
Twitter: @avechuch0