1/9 Look for any strings or traffic that call out to api.telegram.org. If you see something like 'api.telegram[.]org/bot12345:base64key/endpoint?chat_id=-12345', you're in business.
8/9 And the really interesting one, although I've had mixed results. Set a webhook on the bot! If the actor has not-so-great opsec on the bot, you can get messages and people interacting with the bot sent to your own webhook! core.telegram.org/bots/api#setwe…
9/9 That's all I got. Happy hunting!
If you have a #phishing page or #phishingkit and need help analyzing, shoot me a tweet or a DM. Have some great open source stuff coming through the pipe to reverse engineer kits.
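The string hunt from tweet 1/9, as an added example that is not part of the original thread: a small Python scanner that pulls Telegram Bot API indicators (bot ID, token, method, chat IDs) out of phishing-kit source or captured traffic for triage and abuse reporting. The function name, the regexes and the sample kit text are assumptions made for illustration; the token character set is deliberately loose rather than an exact Telegram specification.

```python
import re
from urllib.parse import parse_qs

# api.telegram.org or defanged api.telegram[.]org, then /bot<id>:<secret>[/<method>][?query]
# Assumption: the secret part is matched loosely as [A-Za-z0-9_-]+.
BOT_URL = re.compile(
    r"api\.telegram(?:\[\.\]|\.)org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"(?:/(?P<method>[A-Za-z]+))?(?P<query>\?[^\s'\"<>]*)?",
    re.IGNORECASE,
)
# Kits often keep the chat ID in a variable or array key instead of the URL.
CHAT_ID = re.compile(r"chat_id['\"]?\s*(?:=>|=|:)\s*['\"]?(?P<chat_id>-?\d+)")


def extract_telegram_indicators(text):
    """Return Telegram bot and chat indicators found in kit source or traffic."""
    bots = []
    for m in BOT_URL.finditer(text):
        # Parse the query string (if any) so chat_id is tied to its bot URL.
        query = parse_qs((m.group("query") or "?")[1:])
        bots.append({
            "bot_id": m.group("bot_id"),
            "token": f'{m.group("bot_id")}:{m.group("secret")}',
            "method": m.group("method"),
            "url_chat_ids": query.get("chat_id", []),
        })
    # Every chat_id seen anywhere in the text, URL parameter or assignment.
    chat_ids = sorted({m.group("chat_id") for m in CHAT_ID.finditer(text)})
    return {"bots": bots, "chat_ids": chat_ids}


# Constructed sample: not taken from a real kit, tokens are made up.
SAMPLE_KIT = r'''<?php
$chat_id = "-1001234567890";
$url = "https://api.telegram.org/bot123456789:AAExampleConstructedTokenValue_0000000/sendMessage?chat_id=-12345&text=" . urlencode($msg);
// hxxps://api.telegram[.]org/bot987654321:AAAnotherConstructedToken-1111111/sendDocument
'''

if __name__ == "__main__":
    result = extract_telegram_indicators(SAMPLE_KIT)
    for bot in result["bots"]:
        print(bot["bot_id"], bot["method"], bot["url_chat_ids"])
    print("chat ids:", result["chat_ids"])
```
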
1/13 Nothing can absolutely go wrong with privacy or people abusing this.. Oh wait. Let's do some OSINT. Maybe we can uncover some stuff for Maryland to show how unsolicited phone calls/mails/texts can be made more legit if you just were more.. official.
2/13 According to this FOX Baltimore article.. "..The innovative COVID Link platform uses medical data from the Chesapeake Regional Information System for our Patients (CRISP) and incorporates it into Salesforce" foxbaltimore.com/news/local/hog…
3/13 So what is CRISP? A simple Google search should suffice. This landed me on crisphealth.org, with this picture as the landing page. Let's poke around!