Researchers from Malwarebytes reported that Magecart groups are using the encrypted messaging service Telegram to exfiltrate stolen payment details from compromised websites.
Attackers encrypt payment data to make identification more difficult before transferring it via Telegram’s API into a chat channel.
“For threat actors, this data exfiltration mechanism is efficient and doesn’t require them to keep up infrastructure that could be taken down or blocked by defenders,” explained Jérôme Segura of Malwarebytes. “They can even receive a notification in real time for each new victim, helping them quickly monetize the stolen cards in underground markets.”
