Telekopye scamming tool for less technical attackers points to Russia, ESET Research discovers

  • Telekopye is a toolkit that operates as a Telegram bot and helps less technical scammers trick their victims.
  • The toolkit is designed to target online marketplaces; mainly those popular in Russia (but not exclusively – e.g., BlaBlaCar or eBay).
  • It has been uploaded to VirusTotal multiple times, primarily from Russia, Ukraine and Uzbekistan. These are the countries from which attackers usually operate and comprise the majority of targeted markets.
  • Telekopye creates phishing web pages from predefined templates, then generates and sends phishing emails and SMS messages.
  • According to ESET telemetry, this tool is still in use and in active development.
  • ESET Research devised the name Telekopye as a combination of Telegram and kopye (копье), the Russian word for spear, due to the use of highly targeted (aka spear-) phishing.

BRATISLAVA, PRAGUE — August 24, 2023 — ESET researchers have recently discovered and analyzed Telekopye, a toolkit that helps less technical people pull off online scams more easily. ESET estimates that Telekopye has been in use since at least 2015. Telekopye capabilities include creating phishing websites, sending phishing SMS and emails, and creating fake screenshots. According to ESET telemetry, this tool is still in use and in active development. The toolkit is implemented as a Telegram bot. ESET Research devised the name Telekopye as a portmanteau of Telegram and kopye (копье), the Russian word for spear, due to the use of highly targeted (aka spear-) phishing. Several leads point to Russia as the country of origin of the toolkit’s authors and users.

“We discovered the source code of a toolkit that helps scammers so much in their endeavors that they don’t need to be particularly well versed in IT; instead, they only need a silver tongue to persuade their victims. This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once,” elaborates ESET researcher Radek Jizba. “Victims of this scam operation are called Mammoths by the scammers. For the sake of clarity, and following the same logic, we refer in our findings to the scammers using Telekopye as Neanderthals,” explains Jizba.

Telekopye has been uploaded to VirusTotal multiple times, primarily from Russia, Ukraine and Uzbekistan. These are the countries from which attackers usually operate, based on the language used in comments in the code and the location of the majority of targeted markets. Even though the main targets of scammers are online markets popular in Russia, like OLX and YULA, ESET has also observed targets that are not native to Russia, such as BlaBlaCar or eBay, and even others that have nothing in common with Russia, like JOFOGAS and Sbazar. A decade ago, the OLX platform had, according to Fortune magazine, 11 billion page views and 8.5 million transactions per month.

ESET was able to collect several versions of Telekopye, suggesting continuous development. The toolkit has several different functionalities that scammers can use to their full extent. These include sending phishing emails, generating phishing web pages, sending SMS messages, creating QR codes, and creating fake screenshots. In addition, some versions of Telekopye can store victim data (usually card details or email addresses) on disk where the bot is run.

Scammers do not transfer money stolen from victims to their own accounts. Instead, all the attackers use a shared Telekopye account controlled by the Telekopye administrator. Telekopye keeps track of how successful each scammer is by logging associated contributions to that shared account – either in a simple text file or an SQL database. As a consequence, scammers get paid by the Telekopye administrator, who deducts administrator fees. Groups of scammers using Telekopye are organized into a hierarchy of five classes, from least to most privileged. Attackers from upper classes pay lower commission fees.

“The easiest way to tell whether you are being targeted by a Telekopye scammer, or any other scammer, is by looking for anomalies, mistakes and discrepancies in the language used. Insist on in-person money and goods exchange whenever possible when dealing with secondhand goods on online marketplaces and avoid sending money unless you are certain where it will go,” advises Jizba.

For more technical information about Telekopye, check out the blogpost “Telekopye: Hunting Mammoths using Telegram bot” on WeLiveSecurity.com. The second Telekopye blogpost, which will be released later, uncovers the inner workings of the scam groups. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

About ESET

For more than 30 years, ESET® has been developing industry-leading IT security software and services to protect businesses, critical infrastructure, and consumers worldwide from increasingly sophisticated digital threats. From endpoint and mobile security to endpoint detection and response, as well as encryption and multifactor authentication, ESET’s high-performing, easy-to-use solutions unobtrusively protect and monitor 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company that enables the safe use of technology. This is backed by ESET’s R&D centers worldwide, working in support of our shared future. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.