Scammers Target Online Markets with Telekopye Phishing Toolkit – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

Bad actors are using a full-featured phishing toolkit to target large numbers of users of popular online shopping sites like eBay to steal their money and collect information like credit card account numbers.

The toolkit, which is implemented as a Telegram bot, comes with a broad array of automated features that make it easy for hackers to use to launch large-scale phishing campaigns, from creating phishing web pages to sending phishing emails and text messages to creating fake screenshots, according to Radek Jizba, a researcher with ESET.

The bot – dubbed Telekopye, a mashup of Telegram and kopye, the Russian word for “spear” – is like many malware-as-a-service (MaaS) operations in that it gives even low-skilled bad actors the capability to run broad phishing campaigns. At the same time, the operators behind the phishing toolkit have organized Telekopye in a highly hierarchical manner, from administrators at the top to moderators and workers, and use a formal and centralized operation to make payouts.

“When activated, [Telekopye] provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once,” Jizba wrote in a report, adding that the toolkit “helps less technical people pull off online scams more easily.”

Online Marketplaces are Easy Targets

Such phishing schemes take advantage of the preference of many people to buy products online due to the convenience and, at times, lower costs. Scammers can leverage this by creating listings for goods they don’t own and then stealing the money the user pays. This also can give them access to the victims’ credit card numbers and bank accounts.

Telekopye in one form or another has been around since 2015 and its operators and many of its users are likely Russian, Jizba wrote. The primary targets are popular Russian online marketplaces and many of the SMS templates are in Russian. The samples of the code uploaded to VirusTotal mostly come from Russia, Ukraine, and Uzbekistan.

ESET researchers collected several versions of Telekopye, which tells them that the toolkit is still under active development. All versions can create phishing web pages and send phishing emails and text messages, but some can also store victim data, such as payment card details and email addresses, on the disk of the machine where the bot is run. The latest version of Telekopye grabbed by ESET dates from April 2022, but the researchers last month detected new domains that fit the mold of Telekopye operations.

Mammoths and Neanderthals

The scammers refer to their targets as “mammoths,” according to Jizba, so ESET is calling the scammers themselves “Neanderthals.”

The attack starts when the bad actor – the Neanderthal – finds a victim – the mammoth – and begins trying to gain their trust. When the victim is convinced the attacker is legitimate, the scammer uses a premade template in Telekopye to create a phishing web page and sends the URL to the target via email or SMS.

“After the mammoth submits card details via this page, the Neanderthals use these card details to steal money from the Mammoth’s credit/debit card, while hiding the money using several different techniques such as laundering it through cryptocurrency,” Jizba wrote. “Based on several conversation snippets, we assess that some crypto mixers are involved.”

Multiple threat actors can use the phishing kit at the same time, and the operation is relatively simple. The interface is essentially point-and-click: the scammer creates the web page from a predefined HTML template, plugging in details such as the product name, the amount of money asked for, and the buyer’s name and receiving address. Templates are also sorted by the countries they target.

A finished product is made to look like a web page from the online marketplace. There are indications that Telekopye developers are working on new features, from QR codes to possibly fake checks.

Organized and Centralized Operations

The behind-the-scenes payment operations are highly centralized. The money collected by the scammers goes to a shared Telekopye account controlled by an administrator, with the bot keeping track of each bad actor’s track record by logging their contributions to the account.

The payments from the accounts include a 5% to 40% commission to the administrator depending on the version of Telekopye used and the role of the Neanderthal, another commission to the one responsible for recommending the bad actor, and finally the payout to the scammer.

To get a payment, the hacker needs to ask the administrator for a payout.

“In some Telekopye implementations, the first step, asking for a payout, is automated and the negotiation is initiated whenever a Neanderthal reaches a certain threshold of stolen money from successfully pulled off scams,” he wrote.

There also are set roles in the Telekopye operations. At the top are administrators and then moderators, who can promote, demote, and bring in members. Neanderthals all start in the worker role and hope to graduate up to “good worker/support bots,” which essentially means they get a larger percentage of the payout. A blocked person is denied access to Telekopye, likely as punishment for breaking rules.

Original Post URL: https://securityboulevard.com/2023/08/scammers-target-online-markets-with-telekopye-phishing-toolkit/

Category & Tags: Cloud Security, Cybersecurity, Data Security, Featured, Malware, News, Security Boulevard (Original), Social Engineering, Spotlight, online marketplace, Phishing, Russia