Russian Toolkit Aims to Make Online Scamming Easy for Anyone
Fraudster Users Call Victims 'Mammoths,' Leading Eset to Dub Them 'Neanderthals'
A toolkit likely built by Russians, dubbed Telekopye by security researchers, is designed to enable fraudsters to concentrate on honing their social engineering skills without having to worry about the technical side of online scamming.
Researchers at Eset discovered and named the tool Telekopye, which is a portmanteau of Telegram and "kopye" - the Russian word for spear. The tool appears to have been available since at least 2015.
"This toolkit is implemented as a Telegram bot that, when added to a Telegram group chat, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers," the researchers said.
Eset said the toolkit's users are primarily located in Russia, Ukraine and Uzbekistan, judging by the language used in comments in the code, the markets the toolkit targets most, and information gleaned from Telekopye uploads to VirusTotal.
The toolkit is designed to allow scammers with minimal technical knowledge to engage in fraudulent activities, such as creating phishing websites and sending fraudulent emails and SMS messages. The main targets of this toolkit are online marketplaces popular in Russia, as well as those outside of Russia such as BlaBlaCar, eBay, JOFOGAS and Sbazar. Users dub victims "Mammoths," leading Eset to christen Telekopye customers "Neanderthals."
"We discovered the source code of a toolkit that helps scammers so much in their endeavors that they don't need to be particularly well versed in IT. Instead, they only need a silver tongue to persuade their victims," said Radek Jizba, a security researcher at Eset.
Eset has seen multiple versions of the toolkit in circulation - the latest in April. Some versions of Telekopye are capable of storing victim data such as payment card details or email addresses on the compromised system's disk.
Scammers who employ the tool would need to first gain victims' trust by posing as legitimate entities and then tricking them into visiting convincing phishing web pages they've created using predesigned Telekopye templates. These pages are used to collect sensitive information such as credit card details. Links to the phishing pages are typically sent to victims via SMS or email.
The researchers did not disclose how the scammers identify their victims, but they determined that the toolkit is only used once the scammers have gained a certain level of trust from their targets. Once victims share their card details on the phishing page, the scammers employ various techniques - including laundering cryptocurrency via cryptomixers - to hide the stolen money. Scammers haven't been seen transferring stolen funds directly to their own accounts. Instead, they use a shared Telekopye account controlled by the Telekopye administrator.
The toolkit tracks the success of each scammer by logging contributions to the shared account, essentially serving as a payment system. Scammers are paid by the Telekopye administrator, who deducts fees. The hierarchy of scammers using Telekopye is organized into different classes that have varying privileges and commission fees.