Hordes of wannabe scammers without any IT knowledge now have a new tool at their disposal. Attackers, who refer to their victims as “mammoths,” were themselves labeled “Neanderthals” by ESET researchers, a nod to the low level of skill required to use the new Telegram bot.
The new toolkit automates scamming so much that a “silver tongue to persuade their victims” is the only skill attackers need to have, researchers write after analyzing the bot's source code.
It’s used to target buyers on online marketplaces who are looking for discounts, as it allows the creation of fake listings for goods that scammers neither own nor intend to sell. Once the victim pays, the listing disappears.
“This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once,” ESET warns.
The toolkit’s authors combined two words, “Telegram” and “kopye” (копье, the Russian word for spear), to name it Telekopye.
Telekopye creates phishing web pages from predefined templates, and generates and sends phishing emails and SMS messages. Telekopye is designed to target online marketplaces, mainly but not exclusively in Russia. Bot operators and users are organized in a clear hierarchy, with roles such as administrators, moderators, “good workers,” workers, or blocked.
“Victims of this scam operation are called Mammoths by the scammers and several leads point to Russia as the country of origin of the toolkit’s authors and users. For the sake of clarity, and following the same logic, we will refer to the scammers using Telekopye as Neanderthals.”
ESET researchers are known for using a sense of humor in their work. A recently discovered cyberespionage group in Belarus was named MoustachedBouncer, after the Belarus dictator’s facial hair.
Several versions of Telekopye were observed in the wild, suggesting continuous development. Telekopye was uploaded to VirusTotal multiple times, primarily from Russia, Ukraine, and Uzbekistan, from where “Neanderthals” usually operate.
All versions allow creating phishing webpages and sending phishing emails and SMS messages. Some versions can also store victims’ data, such as credit card details and email addresses. Other functionality includes creating QR codes, phishing screenshots, and image manipulation. Telekopye does not include chatbot AI functionality to help write messages.
The usual scam scenario looks like this:
- Scammers find their victims, communicate with direct messages, and try to earn their trust.
- When Neanderthals think that a Mammoth sufficiently trusts them, they use Telekopye to create a phishing web page from a premade template. The Neanderthal (scammer) sends the URL to the Mammoth (victim) via email or SMS.
- After the victim submits card details, the scammers steal the money and use several techniques to hide it, usually in cryptocurrency.
Creating phishing HTML webpages is a core feature of Telekopye. Scammers need to specify the price, product name, and some additional information depending on the template. The fake domains created usually start with the brand name and are therefore harder to spot, e.g., “avito.id7423[.]ru/…”
“Neanderthals do not transfer money stolen from Mammoths to their own accounts. Instead, all the Neanderthals use a shared Telekopye account controlled by the Telekopye administrator. Telekopye keeps track of how successful each Neanderthal is by logging associated contributions to that shared account – either in a simple text file or a SQL database,” researchers explain.
The payment is split into three parts. The first is a 5-40% commission to the Telekopye administrator. Telekopye employs a referral system, so the second part is a commission paid to whoever recommended the scammer. The third part, the scammer’s actual payout, is made using a tool called “BTC Exchange bot.”
Users should be cautious when clicking on links in SMS messages or emails, even if they look as if they come from a reputable source. Phishing URLs are deliberately crafted to look like real links.
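The brand-first lookalike domains described above (e.g. avito.id7423[.]ru) can be caught with a simple check that compares a URL's registrable domain against the brand's real domain. This is an added defensive example, not ESET's or the toolkit's code; the brand list, the single-label suffix simplification and the sample URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed mapping of brand keyword -> the registrable domain that brand really uses.
# Assumption for the demo; a real deployment maintains its own list.
KNOWN_BRANDS = {"avito": "avito.ru"}
LEGIT_DOMAINS = set(KNOWN_BRANDS.values())


def refang(url: str) -> str:
    """Undo the [.] / hxxp defanging used when indicators are shared in reports."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname (e.g. id7423.ru).

    Simplification: assumes single-label public suffixes such as .ru or .com.
    Production code should use the Public Suffix List so that hosts under
    multi-label suffixes (co.uk, com.au) are split correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Classify a URL as 'legitimate', 'lookalike' or 'unknown'.

    The pattern flagged here is a brand name placed in a subdomain label (or
    embedded in the registered name) while the registrable domain is not the
    brand's own, e.g. avito.id7423.ru instead of avito.ru.
    """
    if "://" not in url:
        url = "http://" + url  # bare hosts copied from SMS/reports lack a scheme
    host = urlsplit(refang(url)).hostname or ""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unknown"
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "legitimate"  # real brand domain, any subdomain (www, m, ...)
    # Brand text anywhere left of the public suffix on a non-brand domain.
    for brand in KNOWN_BRANDS:
        if any(brand in label for label in labels[:-1]):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("avito.id7423[.]ru/item/123", "https://www.avito.ru/moskva/item"):
        print(sample, "->", classify_url(sample))
```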
“Neanderthals are no strangers to email spoofing. A good rule of thumb is to ask yourself whether you bought something that would make reputable sources send you emails like that. If you are unsure, visit the supposed service’s website directly (not using the link in the email/SMS) and ask,” ESET recommends.
The clones mimic different payment/bank login sites, credit/debit card payment gateways, or payment pages of different websites. They’re not always perfect, but often the finished template is indistinguishable from the original legitimate website.