Keypoints
- Telegram channels and bots openly sell phishing pages (scampages), kits, and generators with prices ranging from ~$10 for basic pages to $100–$800+ for advanced 2FA/OTP bypass and real-time hijacking.
- Attackers obtain hosting via bulletproof hosts, compromised legitimate sites (web shells), or offline scampage attachments; web shells on WordPress are commonly sold and used to host scams.
- Mass propagation uses hacked SMTP credentials, backdoor mailers installed on compromised sites (e.g., webmail interfaces), or pre-owned mass-mailing service accounts (SendGrid/Amazon SES) to send tens to hundreds of thousands of emails.
- Scammers use professionally styled HTML “Letters” to evade spam filters and increase click-throughs; these often include analytics, content randomization, and stealth techniques (invisible characters, images instead of text).
- Target lists (“leads”) are sold on Telegram—ranging from generic email lists to highly targeted customer lists (e.g., 100,000 Bank of America customers)—and substantially increase campaign ROI.
- Collected credentials (logs) are monetized directly or sold to larger criminal operators; the article models a $230 investment turning into a multiple-fold return using modest success rates.
- The underground marketplace functions like an industry: reputations, free samples, trial versions, and seller support lower the barrier for novices to run effective phishing campaigns.
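The web shells and backdoor mailers mentioned above are usually found by looking for PHP where it does not belong or PHP that mails whatever the request tells it to. As an added example (not code from the article or from Guardio), a heuristic triage scan over a constructed WordPress-like tree; the rules, the sample file names and the stub contents are assumptions:

```python
# Added example (not from the Guardio article): triage scan of a WordPress tree
# for injected PHP mailers and web shells. Heuristics are assumed: PHP under
# uploads/, mail() fed from request input, eval() of decoded data.
import os
import re
import tempfile

REQUEST_MAIL = re.compile(r"\bmail\s*\([^;]*\$_(POST|GET|REQUEST)\b")
ENCODED_EVAL = re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")

def scan_wordpress_tree(root):
    """Return {relative_path: [reasons]} for PHP files that deserve manual review."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php_in_uploads")  # uploads/ should hold media only
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if REQUEST_MAIL.search(src):
                reasons.append("request_driven_mail")  # recipient/body come from the request
            if ENCODED_EVAL.search(src):
                reasons.append("encoded_eval")  # obfuscated code execution
            if reasons:
                findings[rel] = reasons
    return findings

def build_sample_site():
    """Constructed WordPress-like tree: one legitimate file, two injected ones."""
    root = tempfile.mkdtemp(prefix="wp_")
    samples = {
        "wp-includes/pluggable.php":
            "<?php function wp_mail($to, $s, $m) { return mail($to, $s, $m); }",
        "wp-content/uploads/2023/hacked_mail_interface.php":
            "<?php // constructed mailer stub\nmail($_POST['to'], $_POST['subject'], $_POST['body']);",
        "wp-content/themes/site/footer.php":
            "<?php eval(base64_decode('QUJD')); // constructed obfuscation marker",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root
```

Run `scan_wordpress_tree(build_sample_site())` to see the two injected files flagged and the legitimate wp_mail wrapper left alone; on a real site, every hit is a lead for manual review and file-integrity comparison, not a verdict.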
MITRE Techniques
- [T1566.002] Spearphishing Link – Used to send mass emails directing victims to fraudulent login pages (‘we can dispatch nearly 100,000 emails’ / ‘The phishing web page (“scam page”) as shown above’).
- [T1190] Exploit Public-Facing Application – Attackers compromise WordPress and other public sites to install web shells and upload scampages (‘web shells are commonly found on compromised WordPress sites, getting there by exploiting known vulnerabilities’).
- [T1505.003] Web Shell – Employed to maintain access and host phishing content on legitimate domains (‘These scripts enable attackers to upload malicious files and scampages to the compromised server’).
- [T1078] Valid Accounts – Stolen or hacked SMTP credentials and pre-owned mass-mailing accounts are used to send large volumes of convincing emails (‘Hacked SMTP Credentials … are available for purchase’ / ‘Pre-owned Send-Grind and Amazon SES mail accounts for sale’).
- [T1583] Acquire Infrastructure – Purchase or rent of bulletproof hosting, domains, and pre-warmed mass-mailer accounts to host and distribute campaigns (‘Bulletproof hosting … combos of bulletproof hosting solutions including domain names are constantly sold and re-sold on the market’).
Indicators of Compromise
- [Domain] example compromised mailer host – www.youritsolutions.it (illustrative backdoor mailer path: /hacked_mail_interface.php)
- [Email address] sender address used in mailer context – [email protected] (example showing use of legitimate-looking sender domains)
- [Filename / Path] web shell / mailer script names – hacked_mail_interface.php, backdoor mailer interfaces on compromised WordPress sites
- [Tool / Software] mailer and kit names used in campaigns – Leaf PHPMailer (mailer interface commonly injected into compromised sites)
- [URL] original research source – medium.com/@guardiosecurity/scammers-paradise-exploring-telegrams-dark-markets-breeding-ground-for-modern-phishing-a2225e51898e?source=rss-6a038e71ff0f——2
To reconstruct the technical attack chain: attackers obtain or buy a ready-made scampage tailored to a target brand (prices typically $10+ for basic, $100–$800+ for advanced 2FA-bypass versions) and host it either on bulletproof hosting, on compromised legitimate domains via web shells, or distribute it as a standalone attachment. Compromised WordPress sites and web-shell scripts are commonly used to upload and serve phishing pages from reputable domains, improving delivery and avoiding immediate takedowns.
For delivery, operators use a mix of hacked SMTP credentials, backdoor mailer interfaces injected into compromised websites (e.g., a hacked_mail_interface.php offering a mailer UI), or pre-owned mass-mailing service accounts (SendGrid/Amazon SES) purchased on Telegram; free or fresh PHP mailer samples can provide ~25,000 sends each, enabling hundreds of thousands of messages when combined. Crafting convincing HTML “Letters” (branded templates with obfuscation, invisible characters, and analytics) increases click rates and helps evade spam filters.
Finally, attackers buy or compile targeted leads (email lists) matching the campaign, for example 100,000 Bank of America customers, to maximize success; credentials harvested through the scampage are either exploited directly or sold up the criminal supply chain. The article’s example assembles a scampage ($30), mailer access, and a 100k leads list ($200) for a total startup cost of roughly $230, illustrating how inexpensive components bought on Telegram can enable large-scale phishing operations.
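The HTML "Letters" described in the key points and in the delivery step above rely on a few recognizable tricks: invisible characters to break keyword filters, images in place of text, tracking pixels, and link text that names a different domain than the real target. As an added example (not code from the article or from Guardio), a scorer that flags those traits over two constructed messages; the character list, thresholds and sample domains are assumptions:

```python
# Added example (not from the Guardio article): heuristic scoring of an HTML
# "letter" for stealth tricks. Thresholds and character list are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

class LetterParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.text, self.images, self.pixels, self.mismatched = [], 0, 0, 0
        self._href, self._link_text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images += 1
            if a.get("width") == "1" or a.get("height") == "1":
                self.pixels += 1  # 1x1 image: open tracking / analytics
        elif tag == "a":
            self._href, self._link_text = a.get("href", ""), []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._link_text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._link_text).strip().lower()
            host = (urlparse(self._href).hostname or "").lower()
            if "." in shown and " " not in shown and host not in shown:
                self.mismatched += 1  # text names a domain the link does not go to
            self._href = None

def score_letter(html):
    """Return (indicator dict, number of indicators that fired)."""
    p = LetterParser()
    p.feed(html); p.close()
    text = "".join(p.text)
    visible = sum(1 for c in text if not c.isspace() and c not in INVISIBLE)
    indicators = {
        "invisible_chars": sum(c in INVISIBLE for c in text) >= 5,
        "image_heavy": p.images > 0 and visible < 40,  # picture instead of text
        "tracking_pixel": p.pixels > 0,
        "link_mismatch": p.mismatched > 0,
    }
    return indicators, sum(indicators.values())

# Constructed samples: a plain newsletter and a stealthy phishing "letter".
BENIGN = ("<p>Hi all, the quarterly newsletter is attached; please review it "
          "before Friday.</p><img src='https://cdn.example.com/logo.png' width='200'>")
LETTER = ("<p>Ve\u200brify yo\u200bur acc\u200bount n\u200bow\u200b</p>"
          "<img src='https://cdn.example.com/body.png'>"
          "<img src='https://track.example.com/p.gif' width='1' height='1'>"
          "<a href='http://login.example.net/x'>bankofamerica.com</a>")
```

`score_letter(BENIGN)` fires nothing, while `score_letter(LETTER)` fires all four indicators; in a mail gateway the score would feed a quarantine or sandbox decision rather than act as a hard block on its own.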