
Searching on Telegram

WARNING

Please read the Tor query page first, as many elements of the user interface are shared between Tor and Telegram search results.

Telegram is a popular messaging platform used globally for a variety of purposes, including public and private communications. However, it is also increasingly used by cybercriminals to share compromised information, including credentials, in what are known as "combo lists." Combo lists are collections of leaked credentials—typically usernames and passwords—that are often used in credential stuffing attacks or sold on the dark web.

OwlyScan leverages a curated list of Telegram channels that are known to contain such credential-related data. These channels are carefully monitored to identify early signs of credential exposure that could pose a threat to businesses.

What OwlyScan Indexes

OwlyScan indexes text data from Telegram channels, specifically looking for data that resembles credentials. This may include passwords, usernames, email addresses, or other forms of identifiable information that could be leveraged in a cybersecurity attack.

OwlyScan does not index multimedia content such as images, videos, or audio files.

Writing a Query

OwlyScan's Telegram search allows you to search for credentials using various methods to ensure you get the most relevant results:

  • Part of the URL: You can search for a complete segment of the URL associated with the credential. The segment must be delimited by characters such as '_', '-', '/', or '?' (if available).
  • Domain Name: Enter the domain name to find credentials related to it.
  • Exact Email: You can search for an exact email address.
  • Password: Search for a complete password or the beginning of a password followed by '*'.

This flexibility allows for more precise targeting of credentials, enabling users to identify potential threats effectively.

A Telegram query

Examples:

mydomain.com
mysuperpasswo*

Running a Query

INFO

Telegram results are on the same page as the Tor results. To view them, click on the "Telegram" tab.

Telegram tab is selected

To initiate a search, simply enter the domain name you want to investigate and click the Launch Search button. A query token will be consumed upon submission.

Depending on the complexity of the search, results will be displayed within 20 to 30 seconds.

A search on Telegram includes:

  • Collecting results that match the specified domain
  • Generating exportable reports (in tabular format)

Interpreting the Results

Search results are presented with the following information:

  • URL: The link to the Telegram message containing the potential credential.
  • Date: The date the credential was posted on Telegram.
  • Snippet: A snippet of text that may contain the credential itself.

Results are grouped by credential, so users can see all occurrences of a specific credential across different Telegram channels. This helps in identifying the spread and reuse of compromised information.

To expand the grouped results, click on them. To return to the general results list, click the blue Back to results list button.

Only the first 500 results are displayed initially. Users can click the Load more results button at the end of the page to load additional results, 500 at a time.

Reports can be exported by clicking the export button at the top of the page. This export will generate as many tabular files as there are multiples of 500 results.
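For triage outside the interface, the same grouping by credential can be reproduced on an exported report. The following is an added example, not OwlyScan code: it assumes the export is a CSV with the URL, Date and Snippet fields listed above, ISO-formatted dates, and snippets in the common `email:password` or `url:email:password` combo-list layout. The sample rows are constructed.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export. Column names follow the result fields described
# above; the CSV layout and the snippet format are assumptions.
SAMPLE_EXPORT = """\
URL,Date,Snippet
https://t.me/channel_a/101,2024-03-02,https://portal.mydomain.com/login:alice@mydomain.com:Winter2024!
https://t.me/channel_b/77,2024-03-05,alice@mydomain.com:Winter2024!
https://t.me/channel_a/102,2024-03-02,bob@mydomain.com:hunter2
https://t.me/channel_c/9,2024-03-09,no credential in this line
"""

# An email address, a ':' or '|' separator, then the secret up to whitespace.
CRED_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[:|](\S+)")

def triage(export_text):
    """Group export rows by credential and summarise spread across channels."""
    groups = defaultdict(lambda: {"channels": set(), "dates": []})
    for row in csv.DictReader(io.StringIO(export_text)):
        m = CRED_RE.search(row["Snippet"])
        if not m:
            continue  # row carries no parseable credential
        email, secret = m.group(1).lower(), m.group(2)
        # Keep a short fingerprint only, so the output never holds the password.
        fp = hashlib.sha256(secret.encode()).hexdigest()[:12]
        # First path segment of a t.me message link is the channel name.
        channel = urlparse(row["URL"]).path.strip("/").split("/")[0]
        groups[(email, fp)]["channels"].add(channel)
        groups[(email, fp)]["dates"].append(row["Date"])
    summary = [
        {"email": e, "password_fp": fp, "channels": sorted(g["channels"]),
         "first_seen": min(g["dates"])}
        for (e, fp), g in groups.items()
    ]
    # Credentials seen in the most channels first, then by earliest posting.
    return sorted(summary, key=lambda s: (-len(s["channels"]), s["first_seen"]))

if __name__ == "__main__":
    for item in triage(SAMPLE_EXPORT):
        print(item)
```

The resulting list gives the accounts to reset first, ordered by how widely each credential has spread, without copying plaintext passwords into tickets or logs.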

WARNING

Avoid using the browser's back button, as it may disrupt the navigation experience.