New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

Cyber Security Threat Summary:
A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals. ‘This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once,’ ESET researcher Radek Jizba said in a report shared with The Hacker News. The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates and the fact that a majority of the targeted online marketplaces are popular in the country. Multiple versions of Telekopye have been detected to date, the earliest dating all the way back to 2015, suggesting that it's being actively maintained and used for several years” (The Hacker News, 2023).

Security Officer Comments:
In the campaign observed by researchers, the attack chain starts off with victims receiving a malicious link created by the Telekopye phishing kit. This link is sent in the form of an email, SMS, or direct message. Clicking on the link redirects the victim to a phishing page, masquerading as an online marketplace. When a victim makes a purchase, their card details are siphoned, which can be further used to make purchases/steal funds using various techniques that are further launched through cryptocurrency. At the same time, the threat actors have been observed creating fake invoices to arouse suspicion, which can be automated using the Telekopye toolkit.

“A notable aspect of the operation is the centralized nature of the payouts. Rather than transferring money stolen from Mammoths to their own accounts, it's funneled to a shared account managed by the Telekopye administrator, giving the core team an oversight into the operations of each Neanderthal. In other words, Neanderthals get paid by the Telekopye administrator after requesting for a payout through the toolkit itself, but not before a chunk of it is taken as commission fees to the platform owner and the recommender” (The Hacker News, 2023

Suggested Correction(s):
(ESET) The easiest way to tell whether you are being targeted by a Neanderthal trying to steal your money is by looking at the language used. It can be the language used in conversation, email, or on the web page itself. Sadly, this is not foolproof, and it has been observed that some of these scam attempts have ironed out grammar and vocabulary mistakes.

Insist on in-person money and goods exchange whenever possible when dealing with secondhand goods on online marketplaces. Such trades are not protected by well-known institutions or services. These scams are only possible because Neanderthals pretend they already paid online/sent an item. Sadly, sometimes in-person delivery is not possible and in that case you need to be extra careful.

Be extra careful when clicking on links in SMS messages or emails, even if they look as if they come from a reputable source. Neanderthals are no strangers to email spoofing. A good rule of thumb is to ask yourself whether you bought something that would make reputable sources send you emails like that. If you are unsure, visit the supposed service’s website directly (not using the link in the email/SMS) and ask. Most of these pages have customer support and they will happily give you a hand.