Massive Phishing Operations Linked to Russian “Telekopye” Telegram Bot

A newly uncovered, financially motivated operation shows threat actors harnessing a sinister Telegram bot to facilitate scams.

Termed “Telekopye,” a fusion of “Telegram” and “kopye” (Russian for “spear”), this toolkit operates as an automated instrument for crafting phishing web pages from pre-existing templates. The malicious URL is dispatched to prospective victims, referred to as “Mammoths” within the criminal circle.

ESET researchers emphasized that this toolkit adopts a Telegram bot interface, offering easily navigable menus in the form of clickable buttons. This user-friendly design caters to multiple scammers concurrently, streamlining their malevolent efforts.

While the precise origins of the culprits, dubbed “Neanderthals,” remain shrouded in uncertainty, evidence points to Russia as the probable source of the toolkit’s architects and users. This is indicated by the use of Russian SMS templates and the fact that a significant portion of the targeted online marketplaces holds popularity within the country.

Various iterations of Telekopye have been identified, dating back to as early as 2015, suggesting its continuous maintenance and sustained use over multiple years.

The modus operandi of the attack unfolds as follows: Neanderthals establish contact with their Mammoths, building a rapport before transmitting a deceptive link generated through the Telekopye phishing kit, delivered via email, SMS, or direct messages.

Once the victim enters payment details into the counterfeit credit/debit card gateway, the stolen information is used to siphon funds from the victim. These funds are subsequently laundered through cryptocurrency channels.

The functionality of Telekopye is comprehensive, granting users the ability to dispatch phishing emails, generate web pages, send SMS messages, create QR codes, and fabricate authentic-seeming images and screenshots of checks and receipts.

To make the malicious pages less conspicuous, the phishing domains are registered in such a way that the final URL starts with the anticipated brand name. For instance, domains like cdek.id7423[.]ru, olx.id7423[.]ru, and sbazar.id7423[.]ru are employed.
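A defender-side check for the naming pattern just described, added here as an example and not part of the original post or ESET's research: it flags hostnames whose leftmost label is a known brand name while the registrable domain is not one of that brand's legitimate domains. The brand-to-domain mapping, the sample indicator list and the simplified two-label registrable-domain rule are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Brands the scam templates impersonate, mapped to their legitimate
# registrable domains. This mapping is an assumption for the example,
# not taken from the original report.
KNOWN_BRANDS = {
    "cdek": {"cdek.ru"},
    "olx": {"olx.ua", "olx.pl", "olx.kz"},
    "sbazar": {"sbazar.cz"},
}

def refang(indicator: str) -> str:
    """Undo the common '[.]' / 'hxxp' defanging used when sharing indicators."""
    text = indicator.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", text, flags=re.I)

def registrable_domain(host: str) -> str:
    # Simplification: treat the last two labels as the registrable domain.
    # A production check should use the Public Suffix List (e.g. co.uk).
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def brand_lookalike(indicator: str, brands=KNOWN_BRANDS):
    """Return the impersonated brand if the hostname starts with a brand
    name but sits under an unrelated registrable domain, else None."""
    text = refang(indicator.strip())
    if "://" not in text:
        text = "http://" + text
    host = (urlsplit(text).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 3:
        return None  # brand.tld itself, or no subdomain at all
    leading, reg = labels[0], registrable_domain(host)
    for brand, legit in brands.items():
        if leading == brand and reg not in legit:
            return brand
    return None

# Constructed sample list: the three page indicators plus legitimate hosts.
SAMPLE = ["cdek.id7423[.]ru", "olx.id7423[.]ru", "sbazar.id7423[.]ru",
          "www.cdek.ru", "olx.ua"]

def flag_all(indicators):
    """Map each indicator to the brand it impersonates, or None."""
    return {i: brand_lookalike(i) for i in indicators}
```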

Noteworthy in this operation is the centralized nature of the monetary transfers. Instead of redirecting stolen funds to individual accounts, the funds are channeled to a communal account overseen by the Telekopye administrator. This setup provides the core team with insights into the activities of each Neanderthal.

In essence, Neanderthals request payouts via the Telekopye toolkit, and the administrator authorizes the final transfer of funds to the Neanderthal’s cryptocurrency wallet. However, a portion is retained as commission fees for both the platform owner and the recommender.

Telekopye evaluates the Neanderthal’s balance, the Telekopye administrator approves the final request, and funds are eventually dispatched to the Neanderthal’s cryptocurrency wallet. Some implementations of Telekopye automate the initial step of requesting a payout, triggering negotiations when a Neanderthal crosses a specified threshold of ill-gotten gains from successful scams.

Marking a further sign of the criminal enterprise’s professionalism, users and operators of Telekopye are organized into a distinct hierarchy encompassing roles such as administrators, moderators, good workers (support bots), regular workers, and those who are blocked.
