6 months ago
ARTICLE AD BOX
The increasing fame of online marketplaces has attracted fraudsters preying connected unsuspecting buyers and sellers, looking to people costs paper accusation alternatively than to onslaught a bargain. ESET researchers person recovered that 1 specified organized scammer web – which uses Telekopye, a toolkit discovered by ESET Research successful 2023 – has expanded its operations to target users of celebrated accommodation booking platforms.
Last year, we published a two-part blogpost bid connected Telekopye, a Telegram-based toolkit cybercriminals usage to scam group connected online marketplaces. The first part focused connected Telekopye’s cardinal features, while nan second part examined nan soul workings of nan affiliated scam groups. In this blogpost, we travel up connected what has changed successful Telekopye operations since our past publication, based connected our continued tracking. We look into really these scammer groups person branched retired to targeting Booking.com and Airbnb, arsenic good arsenic their various different efforts to optimize their operations and maximize financial gain. Last but not least, we supply guidance connected really to enactment protected from these scams.
We presented our updated findings connected Telekopye astatine nan Virus Bulletin conference connected October 2nd, 2024, and successful our achromatic paper, which you tin publication successful afloat here. The insubstantial was besides published connected nan Virus Bulletin website.
Key points of this blogpost:
- ESET Research shares updated findings connected Telekopye, a scam toolkit designed to thief cybercriminals defraud group connected online marketplaces.
- While our erstwhile investigation explored nan technical and organizational background of Telekopye scams, our latest investigation describes nan scammers’ various efforts to maximize their financial gains – expanding their unfortunate pool, taking advantage of seasonal opportunities, and improving their devices and operations.
- Most notably, Telekopye groups person expanded their targeting to celebrated accommodation booking platforms, specified arsenic Booking.com and Airbnb.
- This caller scam script comes pinch a targeting twist, utilizing compromised accounts of morganatic hotels and accommodation providers.
- These scams were particularly prevalent successful nan summertime vacation play successful nan targeted regions, surpassing Telekopye marketplace scams, according to ESET telemetry.
Telekopye overview
Telekopye is simply a toolkit that operates arsenic a Telegram bot, chiefly serving arsenic a Swiss Army weapon for turning online marketplace scams into an organized illicit business. It is utilized by dozens of scam groups, pinch up to thousands of members, to bargain millions from Mammoths, arsenic they telephone nan targeted buyers and sellers. Neanderthals, arsenic we telephone nan scammers, require small to nary method knowledge – Telekopye takes attraction of everything successful a matter of seconds.
Discovered by ESET Research successful 2023, Telekopye has been successful usage since astatine slightest 2016, pinch victims each complete nan world. Multiple leads constituent to Russia arsenic nan state of root of nan bot’s author(s) and besides nan scammers utilizing it. Telekopye is designed to target a ample assortment of online services successful Europe and North America, specified arsenic OLX, Vinted, eBay, Wallapop, and others. At nan clip of writing, we person counted astir 90 different services being targeted by nan scams.
Neanderthals – members of immoderate Telegram group utilizing Telekopye – summation entree to nan bot’s UI, which enables elemental procreation of phishing emails, SMS messages, web pages, and different features.
Telekopye groups person a business-like operation, pinch a clear hierarchy, defined roles, soul practices – including admittance and mentoring processes for newcomers – fixed moving hours, and committee payouts for Telekopye administrators. The Workers performing nan scams must move complete immoderate delicate accusation stolen, and do not really bargain immoderate money – that is managed by different roles successful nan organization. Each group keeps a transparent chat of each transactions, visible to each members.
Neanderthals utilize 2 main scenarios for targeting online marketplaces – 1 wherever they airs arsenic sellers and another, overmuch much common, wherever they airs arsenic buyers. Both scenarios extremity pinch nan victim/Mammoth entering costs paper accusation aliases online banking credentials into a phishing web page mimicking a costs gateway.
Recently, Telekopye groups person expanded their targeting by adding support for scamming users of celebrated online platforms for booking accommodation, which we screen successful nan pursuing section.
Branching retired to accommodation booking platforms
In 2024, Telekopye groups person expanded their scamming playbook pinch schemes targeting users of celebrated online platforms for edifice and flat reservations, specified arsenic Booking.com and Airbnb. They person besides accrued nan sophistication of their unfortunate action and targeting.
Targeting pinch a twist
In this caller scam scenario, Neanderthals interaction a targeted personification of 1 of these platforms, claiming that location is an rumor pinch nan user’s booking payment. The connection contains a nexus to a well-crafted, legitimate-looking web page mimicking nan abused platform.
The page contains prefilled accusation astir a booking, specified arsenic nan check-in and checkout dates, price, and location. This comes pinch a troubling twist: nan info provided connected nan fraudulent pages matches real bookings made by nan targeted users.
The Neanderthals execute this by utilizing compromised accounts of morganatic hotels and accommodation providers connected nan platforms, which they astir apt entree via stolen credentials purchased connected cybercriminal forums. Using their entree to these accounts, scammers azygous retired users who precocious booked a enactment and haven’t paid yet – aliases paid very precocious – and interaction them via in-platform chat. Depending connected nan level and nan Mammoth’s settings, this leads to nan Mammoth receiving an email aliases SMS from nan booking platform.
This makes nan scam overmuch harder to spot, arsenic nan accusation provided is personally applicable to nan victims, arrives via nan expected connection channel, and nan linked, clone websites look arsenic expected. The only visible motion of thing being amiss are nan websites’ URLs, which do not lucifer those of nan impersonated, morganatic websites. Neanderthals whitethorn besides usage their ain email addresses for nan first connection (rather than nan compromised accounts), successful which lawsuit nan emails mightiness beryllium much easy recognized arsenic malicious.
Once nan target fills retired nan shape connected nan phishing page (Figure 1), they are brought to nan last measurement of nan “booking” – a shape requesting costs paper accusation (Figure 2). As successful nan marketplace scams, paper specifications entered into nan shape are harvested by nan Neanderthals and utilized to bargain money from nan Mammoth’s card.
Figure 1. Example of a clone Booking.com shape created by Telekopye
Figure 2. Example of a clone Booking.com costs shape created by Telekopye
According to ESET telemetry, this type of scam started gaining traction successful 2024. As seen successful Figure 3, nan accommodation-themed scams saw a crisp uptick successful July, surpassing nan original Telekopye marketplace scams for nan first time, pinch much than double nan detections during that month. In August and September, nan discovery levels for nan 2 categories evened out.
As this summation coincides pinch nan summertime vacation play successful nan targeted regions – premier clip for taking advantage of group booking stays – it remains to beryllium seen whether this inclination will continue. Looking astatine nan wide 2024 data, we tin spot that these newer scams person amassed astir half of nan discovery numbers of nan marketplace variants. This is noteworthy considering that nan newer scams attraction connected 2 platforms only, compared to nan wide assortment of online marketplaces targeted by Telekopye.
Figure 3. Types of online services targeted by Telekopye successful 2024, seven-day moving mean discovery trend
Advanced Telekopye features
Besides diversifying their target portfolio, Neanderthals person besides improved their devices and operations to summation their financial returns.
Throughout our search of Telekopye, we’ve observed that different Telegram groups instrumentality their ain precocious features into nan toolkit, aimed astatine speeding up nan scam process, improving connection pinch targets, protecting phishing websites against disruption by competitors, and different goals.
Automated phishing page generation
To velocity up nan process of creating scam materials for posing arsenic buyers connected marketplaces, Neanderthals implemented web scrapers for celebrated targeted platforms. With these, only nan URL to nan merchandise is required, alternatively of having to manually capable retired a questionnaire astir nan targeted Mammoth and merchandise successful question. Telekopye parses nan web page and extracts each basal accusation automatically, providing a important speedup for nan scammers.
Interactive chatbot pinch on-the-fly translation
Neanderthals support a ample postulation of predefined answers to questions commonly asked by Mammoths. These are translated into various languages and kept arsenic portion of soul documentation, pinch nan translations perfected complete nan years.
Neanderthals typically usage these predefined phrases to effort to nonstop nan Mammoth to nan phishing website, which comes pinch a chatbot successful nan little correct corner. Any connection nan Mammoth enters into nan chat is forwarded to nan Neanderthal’s Telegram chat, wherever it is automatically translated. Automatic translator of Neanderthals’ messages is not supported – Neanderthals construe their messages manually, usually utilizing DeepL. Figure 3 shows really specified an relationship looks from nan Neanderthal’s and Mammoth’s points of view.
Figure 4. Chatbot illustration from Neanderthal’s (left) and Mammoth’s (right) points of view. Neanderthal messages were instrumentality translated from Russian to English.
Anti-DDoS measures
The immense mostly of nan phishing websites are serviced by Cloudflare, relying connected that service’s added protection, chiefly against crawlers and automatic analysis. Interestingly, immoderate of nan Telekopye phishing websites besides travel pinch DDoS protection included. According to nan Neanderthals’ knowledge base, which we obtained by infiltrating their ranks, this characteristic intends to protect against attacks by rival groups. These are sometimes launched arsenic a intends to disrupt a competitor’s operations for a short period.
Law enforcement operations
In precocious 2023, aft ESET Research had published its two-part bid connected Telekopye, Czech and Ukrainian constabulary arrested tens of cybercriminals utilizing Telekopye, including nan cardinal players, successful 2 associated operations. Both operations were aimed against an unspecified number of Telekopye groups, which had accumulated astatine slightest €5 cardinal (approximately US$5.5 million) since 2021, based connected constabulary estimates.
Besides nan evident occurrence successful disrupting specified criminal activities, nan arrests provided caller insights into nan groups’ workings, astir notably recruitment and employment practices. The groups successful mobility were managed, from dedicated workspaces, by middle-aged men from Eastern Europe and West and Central Asia. They recruited group successful difficult life situations, done occupation portal postings promising “easy money”, arsenic good arsenic by targeting technically skilled overseas students astatine universities.
Some perpetrators confessed that they besides participated successful different scam group, akin to nan Telekopye ones, that utilized telephone centers. The constabulary learned that nan recruits successful that cognition were often stripped of their passports and individual IDs to make quitting very difficult. Further, nan managers sometimes went truthful acold arsenic to frighten nan unit and their family members. This chilling improvement puts these operations into a wholly different light.
Recommendations
The champion measurement to enactment protected against scams driven by Telekopye is being alert of Neanderthals’ strategies and exercising be aware connected nan affected platforms. Besides knowing what reddish flags to salary attraction to, we powerfully urge utilizing a reputable antimalware solution connected your instrumentality to measurement successful if you do extremity up being lured to a phishing website.
Online marketplace scams
- Always verify nan personification you are talking with, chiefly their history connected nan platform, property of their account, rating, and location – a location excessively acold away, a caller relationship pinch nary history, aliases a bad standing mightiness beryllium indicators of a scammer.
- With nan improvements successful instrumentality translation, messages from a scammer mightiness not raise immoderate reddish flags successful position of grammar. Rather than focusing connected nan language, attraction connected nan speech itself – overly eager aliases assertive connection should raise immoderate concerns.
- Keep nan connection connected nan platform, moreover if nan personification you’re talking to suggests otherwise. Their unwillingness to enactment connected nan level should beryllium a awesome reddish flag.
- If you are a buyer, usage unafraid interfaces wrong nan level passim nan full buying process, whenever available. Otherwise, insist connected in-person speech of equipment and money, aliases put for your prime of reliable transportation services pinch nan action to salary connected delivery.
- If you are a seller, usage unafraid interfaces wrong nan level passim nan full trading process, whenever available. Otherwise, negociate transportation options yourself and don’t work together to those offered by nan buyer.
- If you get to a constituent wherever you do sojourn a nexus sent by nan personification you are talking to, beryllium judge to cautiously cheque nan URL, content, and certificate properties of nan website earlier engaging pinch it.
Accommodation booking scams
- Before filling retired immoderate forms related to your booking, ever make judge you haven’t near nan charismatic website aliases app of nan level successful question. Being directed to an outer URL to proceed pinch your booking and costs is an parameter of a imaginable scam.
- Because this scam uses compromised accounts of accommodation providers, contacting nan providers straight is not a reliable measurement of verifying nan legitimacy of costs requests. When successful doubt, interaction nan charismatic customer support of nan level (Booking.com, Airbnb) aliases study a information rumor (Booking.com, Airbnb).
- To protect your relationship from compromise, whether you’re booking accommodation aliases renting 1 out, usage a beardown password and alteration two-factor authentication wherever available.
Conclusion
Our investigation into Telekopye activities has fixed america unsocial insights into these scams: we were capable to understand nan method intends down nan scope of nan operations, nan business broadside of Telekopye groups, and moreover study astir Neanderthals themselves.
We person described nan groups’ various efforts to maximize their financial gains, including expanding their unfortunate pool, taking advantage of seasonal opportunities, and improving their devices and operations. Most notably, we person elaborate nan Neanderthals’ newest attack of targeting accommodation booking platforms, which besides comes pinch much blase targeting.
It is worthy noting that we person communicated pinch respective platforms targeted by Telekopye passim our research; they are afloat alert of these scams and confirmed they person employed respective strategies to combat them. However, be aware is still advised for users owed to nan number of nan scams and their continuous evolution.
For immoderate inquiries astir our investigation published connected WeLiveSecurity, please interaction america astatine threatintel@eset.com.
ESET Research offers backstage APT intelligence reports and information feeds. For immoderate inquiries astir this service, sojourn nan ESET Threat Intelligence page.
IoCs
Files
| SHA-1 | Filename | Detection | Description |
| E815A879F7F30FB492D4043F0F8C67584B869F32 | scam.php | PHP/HackTool.Telekopye.B | Telekopye bot. |
| 378699D285325E905375AF33FDEB3276D479A0E2 | scam.php | PHP/HackTool.Telekopye.B | Telekopye bot. |
| 242CE4AF01E24DB054077BCE3C86494D0284B781 | 123.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
| 9D1EE6043A8B6D81C328C3B84C94D7DCB8611262 | mell.php | PHP/HackTool.Telekopye.B | Telekopye bot. |
| B0189F20983A891D0B9BEA2F77B64CC5A15E364B | neddoss.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
| E39A30AD22C327BBBD2B02D73B1BC8CDD3E999EA | nscode.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
| 285E0573EF667C6FB7AEB1608BA1AF9E2C86B452 | tinkoff.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
Network
| IP | Domain | Hosting provider | First seen | Details |
| N/A | 3-dsecurepay[.]com | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | approveine[.]com | Cloudflare, Inc. | 2024-06-28 | Telekopye phishing domain. |
| N/A | audittravelerbookdetails[.]com | Cloudflare, Inc. | 2024-06-01 | Telekopye phishing domain. |
| N/A | btsdostavka-uz[.]ru | TIMEWEB-RU | 2024-01-02 | Telekopye phishing domain. |
| N/A | burdchoureserdoc[.]com | Cloudflare, Inc. | 2024-05-31 | Telekopye phishing domain. |
| N/A | check-629807-id[.]top | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | contact-click2399[.]com | Cloudflare, Inc. | 2024-05-26 | Telekopye phishing domain. |
| N/A | contact-click7773[.]com | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | get3ds-safe[.]info | Cloudflare, Inc. | 2024-05-31 | Telekopye phishing domain. |
| N/A | hostelguest[.]com | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | order-9362[.]click | Cloudflare, Inc. | 2024-05-29 | Telekopye phishing domain. |
| N/A | shiptakes[.]info | Cloudflare, Inc. | 2024-05-29 | Telekopye phishing domain. |
| N/A | quickroombook[.]com | Cloudflare, Inc. | 2024-06-02 | Telekopye phishing domain. |
| N/A | validation-confi[.]info | Cloudflare, Inc. | 2024-05-29 | Telekopye phishing domain. |
MITRE ATT&CK techniques
This array was built utilizing version 15 of nan MITRE ATT&CK framework.
| Tactic | ID | Name | Description |
| Reconnaissance | T1589 | Gather Victim Identity Information | Telekopye is utilized to stitchery costs paper details, telephone numbers, email addresses, etc. via phishing web pages. |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Telekopye operators registry their ain domains. |
| T1585 | Establish Accounts | Telekopye operators found accounts astatine online marketplaces. | |
| T1585.002 | Establish Accounts: Email Accounts | Telekopye operators group up email addresses associated pinch nan domains they register. | |
| T1586.002 | Compromise Accounts: Email Accounts | Telekopye operators usage compromised email accounts to summation their stealthiness. | |
| T1587.001 | Develop Capabilities: Malware | Telekopye is civilization malware. | |
| T1588.002 | Obtain Capabilities: Tool | Telekopye operators usage further bots to launder money, scrape marketplace research, and instrumentality DDoS protection. | |
| Initial Access | T1566.002 | Phishing: Spearphishing Link | Telekopye sends email aliases SMS messages that incorporate links to phishing websites. |
| Collection | T1056.003 | Input Capture: Web Portal Capture | Web pages created by Telekopye seizure delicate accusation and study it to nan operators. |
English (US) · 
Indonesian (ID) · 