Making a Telegram HoneyBot to identify anonymous users of the “most secure” messenger


Telegram is increasingly becoming a thorn in the ass of law enforcement officers in different countries. According to analysts at KELA, for example, the messenger app has become “a thriving ecosystem for cybercriminals and will likely continue to be a serious problem for law enforcement.”

Classic methods of identifying messenger users, based on checking the number capacity of mobile operators for the presence of Telegram accounts, practically no longer work. On the one hand, it is strangled by the limitations of the messenger itself, and on the other, by the ability to register an account with a virtual phone number.

The only method for identifying anonymous Telegram users within the framework of active OSINT remains the use of the so-called. Trap bots, or as we call them, Telegram HoneyBots. We will talk about them and how to create them in this article.

DISCLAIMER: This article is written for informational purposes and is not a guide to illegal actions or training material for concealing offenses. Let me remind you that active activities within the framework of OSINT can be qualified as illegal conduct of operational-search activities and an invasion of privacy.

What is Telegram HoneyBot? This is a morph of the words Honeypot and Telegram Bot. Honeypot (from English - a pot of honey) is a resource that is a bait for attackers. Telegram Bot is an account in the messenger that is programmed to automatically perform specified actions.

The functionality of Telegram Bot involves the ability to request from its users a mobile phone number linked to the account, as well as obtain the current geolocation. For obvious reasons, most users are not eager to transfer this data to anyone. Therefore, it is necessary to disguise their transmission. The easiest way to do this is to disguise our HoneyBot as a bot for checking information. There are so many such bots in the messenger that a new one will not cause any other reaction than the desire to automatically check its functionality. Let's play on this...

To start constructing HoneyBot, we should go to BotFather and enter the [/newbot] command in it, which will launch the functionality for registering a new bot. Select a name and nickname for the bot you are creating, then copy its API key.


Now we need to assemble the functional part of HoneyBot using one of the popular chatbot builders in Telegram: Livegram, Manybot or FleepBot to keep HoneyBot running. Personally, I choose FleepBot because it has a free trial for full functionality.

The following description is for FleepBot. We launch the chatbot designer and enter into it the API key obtained earlier in BotFather. The bot has been created. Now we need to configure its ability to request the user's phone number or geolocation. To do this, go to [Bot Management] - [Menu] - [Main Menu] - [+] - where we select the [Contact] or [Location] function, depending on what information about the user we expect to collect. We write a name for the button that will request this information from HoneyBot users. Nobody limits us here. The simplest option for the button name is [Check number].

Return to BotFather, where we enter the command [/mybots]. We select the HoneyBot we created, click [Edit Bot], after which we edit the avatar and description of the bot so that it looks like one of the bots for punching information. Our task is for the HoneyBot user to safely enter any phone number into it, and then click on the [Check number] button, or whatever we called it there.


That's it, HoneyBot is ready to use. After the user confirms with Telegram sending his phone number to the bot, we will receive it by message to the HoneyBot administrator account. This works similarly for obtaining geolocation. Only the HoneyBot description may differ.

At the beginning of the article, we talked about the fact that Telegram users are increasingly using disposable SIM cards and virtual phone numbers to register accounts in the messenger. This means that an identified mobile phone number cannot always lead us to the real owner of a particular account. Therefore, HoneyBot functionality needs to be supplemented with the ability to obtain a digital fingerprint (connection and device data) of the user. Go...

We should prepare several html files. This could be, for example, a blank web page and a pre-created beautiful phone number verification report. We go to one of the services for creating loggers: CanaryTokens or IPlogger, where we create a transparent tracking pixel. We place a link to this pixel in each of the html files. The trap is ready.


Now we have one beautiful report in the form of an html file. From your work Telegram account, contact your HoneyBot with a verification request. In response, we send ourselves the same html file. Now we have a bot response containing a completed report. We forward this response to the chat or personal message of the user we want to identify.

If he doesn’t open the attached file, he will probably want to test the work of our HoneyBot, where he can either reveal his phone number, or grab a second html file loaded with a logger, which will supposedly be at his request to HoneyBot. As soon as this or that html file is opened on the user’s device, we will be able to obtain data about his connection and device in the logger administrator’s personal account.

Igor S. Bederov

Comments

Post a Comment

Popular posts from this blog

Top of my free OSINT tools in 2023

Image
In this article, we will look at the tools that are used every day in my work related to the investigation of crimes. Last year was tough but interesting. Some developments stopped working in Russia. Many, on the contrary, were created in our country. Including with my participation. So let’s go! Datashare and Pinpoint Datashare Pinpoint Datashare and Pinpoint are for eDiscovery… The term is unfamiliar for Russia, so I’ll explain it. eDiscovery is the process of identifying, collecting, validating, and analyzing digital evidence. If it is quite simple — the electronic material of the investigation. Compare, 10 volumes of a criminal case or a link to a similar case that can be shared online with external users, and it also has the ability to end-to-end analytics and search through materials. In other words, a must have for the execution of investigations. Archivarius 3000 and DtSearch Archivarius 3000 DtSearch Archivarius 3000 and DtSearch are designed to work with arrays of textual
Read more

OSINT by nickname…

Image
OSINT by nickname is the process of collecting and analyzing information about a nickname on the Internet. Thanks to this collection method, we can build a chain of all mentions on the Internet, be it social networks or websites. WhatsMyName — a simple, fast and reliable service. Presented as an online service and open source software . Checks the presence of a nickname (strict compliance only) on 600 web resources. Also displays results from Google’s main search results and document searches. It does not provide additional types of search. Maigret is a more advanced service. Presented in the form of a Telegram bot and open source software . Checks the presence of a nickname (strict compliance only) on 3000 web resources. Allows you to upload an extended report on the inspection performed, including additional data on identified profiles. It does not provide additional types of search. mailcat is a service designed to search for the use of a nickname as part of an electronic address
Read more

Identification of web resource owners

Image
A WEBSITE (or simply a site) is a collection of web pages and related resources that are accessible via the Internet. Each web page within a site has a unique URL (Uniform Resource Locator) that allows users to easily find and access a specific page. Web pages are usually linked together by hyperlinks to enable navigation throughout the site. Websites can be static or dynamic. A static site consists of pre-built web pages that remain the same for all users. A dynamic website is built on templates and a database, which allows you to generate unique content and interact with users. WHO IS THE OWNER OF THE SITE? The site owner is the person or organization that owns the domain name and/or hosting. Depending on his status, he can be an individual or a legal entity. A website administrator is usually the name of the person or group of people responsible for managing and maintaining the site. It can perform tasks such as hosting management, installing and updating software, backing up data,
Read more