BRATISLAVA, PRAGUE — November 23, 2023 — ESET researchers have recently discovered and analyzed Telekopye, a toolkit that helps less tech-savvy people pull off online scams more easily, with the first part of the research being published in August. In this second part, ESET Research focuses on scammers’ internal onboarding process, a detailed view of the whole scamming operation, and analysis of the scam scenarios.

The capabilities of Telekopye include creating phishing websites, sending phishing SMS texts and emails, and creating fake screenshots. According to ESET telemetry, this tool is still in use and in active development,and is implemented as a Telegram bot. Victims of this scam operation are called Mammoths by the scammers. For the sake of clarity, and following the same logic, ESET refers in its findings to the scammers using Telekopye as Neanderthals.

Telekopye groups recruit new Neanderthals via advertisements across many different channels, including underground forums. These advertisements clearly state the purpose: to scam online marketplace users. Aspiring Neanderthals are required to fill out an application, answering basic questions like what experience they have in this line of “work.” If approved by existing group members with sufficiently high rank, the new Neanderthals can start using Telekopye to its full potential.

There are three main scam scenarios: seller, buyer, and refund. In the seller scam, attackers pose as sellers and try to lure unsuspecting victims into buying some nonexistent item. When the victim shows interest in the item, the “seller“ persuades him them to pay online rather than in person and provides a link to a phishing website posing as a legitimate payment site. Unlike the legitimate web page, though, this page asks for an online banking login, credit card details (sometimes including balance), or other sensitive information. The phishing website automatically steals it.

In the buyer scam, attackers pose as buyers, researching victims to target. They show interest in an item and claim they’ve already paid via the provided platform. Then they send the victim an email or SMS message (created via Telekopye) with a link to a carefully crafted phishing website, claiming that the victim needs to click this link in order to receive their money from the platform. The rest of the scenario is very similar to the “seller“ scam. In the refund scenario, attackers create a situation where the victim is expecting a refund and subsequently send them a phishing email with a link to the phishing website, once again serving the same purpose.

“In almost every group of Neanderthals, we can find references to manuals with online market research from which Neanderthals draw their strategies and conclusions,” says ESET researcher Radek Jizba, who investigated Telekopye. “For example, during the buyer scam scenario, Neanderthals choose their targets based on the type of items they are selling. For instance, some groups avoid electronics completely. The price of the item is also important. Manuals recommend that Neanderthals, in the buyer scam scenario, pick items with a price between €9.50 to €290,” he adds. Additionally, attackers using Telekopye utilize web scrapers to quickly go through many online marketplace listings and pick a “perfect victim” who will most likely fall for the scam.

Telekopye attackers believe that their groups are full of “rats” (for example, law enforcement or researchers). Thus, they religiously stick to the rules; mainly, no probing for information that could identify other members of the group. Breaking such rules may very well result in being banned. The golden rule is “Work more, talk less.”

Even though the main targets of scammers are online markets popular in Russia, such as OLX and YULA, ESET has also observed targets that are not native to Russia, such as BlaBlaCar and eBay, and even others that have nothing in common with Russia, like Jófogás and Sbazar.