Security researchers from ESET have discovered a toolkit called Telekopye that even less tech-savvy people can use to commit online fraud.
The creators of Telekopye have developed a sophisticated internal recruitment process for new accomplices, conduct intensive market research to select victims and provide comprehensive instructions for targeted fraud. Of course, there is also a clear set of rules that all members must strictly adhere to.
“Cybercrime is a highly professional business. Even if the perpetrators are often called ‘gangs’ or ‘hacker groups’: Behind them are illegal but highly professional companies with state-of-the-art structures. Only very few people would suspect that marketing, market research, personnel searches and financial accounting are being carried out digitally in an illegal environment,” says security expert Christian Lueg from ESET.
More than just a toolkit: Telekopye
With Telekopye, even would-be hackers can easily create phishing websites, send phishing text messages and emails, and produce fake screenshots. According to ESET telemetry, the tool is still in use and is being actively developed; for example, a Telegram bot has been added to assist the criminals in their operations. Interestingly, the fraudsters call themselves “Neanderthals” and refer to the potential victims of their scams as “mammoths”.
“Employee search” with a system
Telekopye groups recruit new Neanderthals through advertisements on many different channels, including underground forums. In these ads, the goal is stated bluntly: to defraud users of online marketplaces. Prospective “Telekopye employees” have to fill out an application form – just like in the legal corporate world – in which they answer basic questions, such as what experience they have in this “profession”. If they are accepted by existing group members of a relatively high rank, the new Neanderthals can utilize the full potential of Telekopye.
Fraud scenarios: Seller, buyer and refund fraud
In the case of seller fraud, the attackers pretend to be sellers and try to trick unsuspecting victims into buying a non-existent item. If the victim shows interest in the item, they receive a link to the alleged payment page. Behind it, however, is a phishing page disguised as a legitimate transaction website. Unlike a legitimate website, it requests online banking credentials, credit card details (sometimes including the account balance) or other sensitive information. The phishing site harvests this data automatically.
In the case of buyer fraud, the attackers pretend to be buyers and deliberately seek out victims. They show interest in an item and claim to have already paid for it through the platform. They then send the victim an email or SMS message (generated via Telekopye) containing a link to a carefully designed phishing website, claiming that the victim must click on the link in order to receive the money from the platform. The rest of the scenario is very similar to seller fraud.
In the case of refund fraud, the attackers create a situation in which the victim expects a refund and then send them a phishing email with a link to a phishing website that steals sensitive data, just as in the other scams.
“In almost every group of Neanderthals, we find references to online market research manuals from which the Neanderthals draw their strategies and conclusions,” says ESET researcher Radek Jizba, who studied Telekopye. “In the buyer fraud scenario, for example, the Neanderthals choose their targets based on the type of items for sale. Some groups avoid electronic items altogether. The price of the item also plays a role. The manuals recommend that the Neanderthals select items with a price between 9.50 and 290 euros in the buyer fraud scenario,” he adds. Furthermore, Telekopye’s attackers use web scrapers to quickly search through many listings on online marketplaces to find a “perfect victim” who is most likely to fall for the scam.
Golden rules are mandatory
The attackers behind Telekopye firmly believe that law enforcement agencies and researchers have infiltrated their groups. A strict code of conduct has been developed to deny these “rats” any opportunity, and everyone must adhere to it without exception. For example, it is strictly forbidden to search for information that could identify other group members. Breaking these rules can lead to expulsion from the group. The golden rule is: “Work more, talk less”.
Until recently, the scammers focused on popular Russian online markets such as OLX and YULA. They are now expanding to international platforms such as BlaBlaCar and eBay.