A new financially motivated group of scammers has been running its fraud through a malicious Telegram bot. The toolkit, which ESET tracks as “Telekopye,” automates the creation of phishing web pages that imitate legitimate sites and trick victims into entering their payment card data. The bot generates the pages and the links that are then delivered to potential victims, whom the criminals call “mammoths.”
According to ESET, the first versions of Telekopye appeared in 2015, so the toolkit has been actively developed and used for years. Where the operators, whom ESET refers to as the “Neanderthals,” are based is unknown, but the SMS messages they send to victims are written in Russian and they primarily target popular Russian online marketplaces.
The Telekopye operation has a hierarchical structure that shows how organized the group is:
- Administrators: hold the highest privileges; they can add phishing web pages and modify payment details.
- Moderators: can change other members' user levels and approve new members, but cannot modify the toolkit itself.
- Ordinary Workers: the default role every new member starts with.
- Good Workers: a promoted rank with higher payouts and lower commissions than ordinary workers.
- Blocked Users: members who have violated the project rules and are barred from using Telekopye.
The attack begins with the Neanderthals gaining the trust of a target (the “mammoth”). Once trust is established, they send the victim a link to a Telekopye-generated phishing page via email, SMS, or social media message. Payment data entered on that page is used to steal the victim's funds, which are then laundered through cryptocurrency, with the Telekopye administration taking a percentage of each successful scam.
A notable feature of the operation is its centralized payment system. Rather than moving stolen funds into their own accounts, the Neanderthals send them to a shared account controlled by the Telekopye administrator, which lets the administrator track each scammer's activity closely.
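The weak point of the scheme, from the defender's side, is the link itself: the phishing page has to live on a domain the attacker controls, not on the marketplace's. The following is an added example (not code from ESET or from the Telekopye toolkit) of triaging links pulled from SMS or chat messages against the one marketplace domain a user actually transacts on. The marketplace name `marketplace.example`, the brand token, and the sample messages are constructed for illustration; none of the domains are real indicators. The checks go beyond what the article itself describes and flag the common lookalike patterns: punycode (homoglyph) hosts, the brand name embedded in someone else's domain, and small-edit typosquats.

```python
"""Triage payment links like the ones the scheme above delivers by SMS or chat.

Added example, not code from ESET or from the Telekopye toolkit. The
marketplace name, the trusted domain and the sample messages are all
constructed for illustration; a real deployment would take the allowlist from
policy and the suffix handling from the Public Suffix List.
"""
import re
from urllib.parse import urlsplit

# Constructed: the one marketplace the user actually transacts on.
TRUSTED_DOMAIN = "marketplace.example"
BRAND_TOKEN = "marketplace"          # the name a lookalike will try to reuse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels. Sufficient for the constructed inputs."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as 'marketp1ace'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a single link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "unknown"
    # Genuine site, including its own subdomains (pay.marketplace.example).
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # IDN/punycode labels are the classic homoglyph trick (xn--...).
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    # Brand name reused inside a host we do not own:
    # marketplace.example.payment-confirm.net, marketplace-example.com, ...
    if BRAND_TOKEN in host:
        return "lookalike"
    # Small edit distance to the real registrable domain: marketp1ace.example
    if levenshtein(registrable_domain(host), TRUSTED_DOMAIN) <= 2:
        return "lookalike"
    return "unknown"


def triage_messages(messages):
    """Map every URL found in the messages to its verdict."""
    verdicts = {}
    for msg in messages:
        for url in URL_RE.findall(msg):
            verdicts[url] = classify_link(url)
    return verdicts


# Constructed SMS/chat texts; none of these domains are real indicators.
SAMPLE_MESSAGES = [
    "Your buyer paid. Confirm delivery: https://pay.marketplace.example/order/1",
    "Payment is waiting for you: https://marketplace.example.payment-confirm.net/card",
    "Complete the deal here https://marketp1ace.example/pay",
    "Secure checkout http://xn--mrketplace-9tb.example/pay",
    "Tracking: https://courier-tracking.example/parcel/77",
]

if __name__ == "__main__":
    for url, verdict in triage_messages(SAMPLE_MESSAGES).items():
        print(f"{verdict:9s} {url}")
```

The order of the checks matters: the allowlist is consulted first so that the genuine site's own subdomains are never flagged, and the brand-token test runs before the edit-distance test because a host such as `marketplace.example.payment-confirm.net` has a large edit distance to the real domain yet is the exact pattern a victim is most likely to trust. An `unknown` verdict is not a clean bill of health; it only means the link does not reuse the marketplace's identity.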
To protect against these types of attacks, it is recommended to use strong passwords, enable two-factor authentication