Russian-language Telegram users are using a bot to automate end-to-end phishing campaigns against users of popular ecommerce sites like eBay, and spreading the resulting wealth in a corporate-like structure with administrators and “workers.”
In a blog post published today, ESET researcher Radek Jizba described “Telekopye,” a phishing toolkit designed as a Telegram bot. Telekopye can write emails and SMS messages, generate prefabricated phishing pages, and enable users to manipulate images. It has attracted a community of cybercriminals with little to no technical capability, enabling them to scam online shoppers and sellers primarily in Russia, but also countries around the globe.
Telekopye’s success is best evidenced by the fact that it’s already eight years old, and still actively used and updated today.
How Telekopye Scams Work
Scammers primarily target users of popular Russian ecommerce websites, like YULA and OLX, the latter of which receives more than 10 billion page views and millions of transactions monthly. However, Telekopye is also used in association with ecommerce sites popular around Europe and the broader West, including BlaBlaCar and eBay.
“There are two main schemes for these phishing attacks,” Jizba says. The first — referred to within the group as Type 1.0 — targets online shoppers. Or, as the Telekopye community refers to them, “mammoths.”
It works like any old phishing attack you’ve seen before: a victim is singled out, and persuaded of the legitimacy of the scammer through emails and SMS messages. If the victim pursues a phishing link they’ll reach a mock ecommerce page, with the opportunity to enter their credit or debit card details for purchase of an item they’ll never end up receiving. The scammer launders the money through cryptocurrencies, rinse and repeat.
Type 2.0 involves targeting the seller by convincing them that they have to pay some sort of deposit. A seller will be baited by, for example, a text that reads “Your item has been paid for. Get money from:,” followed by the phishing link.
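A small triage heuristic for inbound marketplace chat or SMS text, added here as an illustration and not part of ESET's report or the Telekopye toolkit. It flags the two signals the article describes together: a payment or deposit lure (such as "Your item has been paid for. Get money from:") and a link whose host is not the marketplace's own domain or carries a brand name inside a lookalike hostname. The allowlist, brand list and sample messages are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of legitimate marketplace hosts (illustrative, not from the report).
LEGIT_HOSTS = {"olx.ua", "youla.ru", "ebay.com", "blablacar.com"}
# Brand strings whose presence in a non-allowlisted hostname suggests a lookalike domain.
BRANDS = ("olx", "youla", "yula", "ebay", "blablacar")
# Lure phrases in the style of the Type 1.0 / Type 2.0 messages described above.
LURE_RE = re.compile(r"(paid for|get money|deposit|refund|payment confirmed)", re.I)
URL_RE = re.compile(r"https?://[^\s,;<>\"]+", re.I)

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); adequate for the .com/.ua style hosts used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def classify(message: str) -> dict:
    """Return a verdict ('ok', 'suspicious', 'phishing') and the reasons for one message."""
    reasons = []
    lure = LURE_RE.search(message) is not None
    for url in URL_RE.findall(message):
        host = urlparse(url).hostname or ""
        if registrable(host) in LEGIT_HOSTS:
            continue  # link stays on the real platform
        if any(b in host.lower() for b in BRANDS):
            reasons.append(f"lookalike host {host}")  # brand name in a foreign domain
        elif lure:
            reasons.append(f"off-platform link {host} next to payment lure")
    if lure and not URL_RE.search(message):
        reasons.append("payment lure without link (possible off-book follow-up)")
    strong = any(r.startswith(("lookalike", "off-platform")) for r in reasons)
    verdict = "phishing" if strong else ("suspicious" if reasons else "ok")
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample messages; the .example TLD is a reserved placeholder.
SAMPLES = [
    "Your item has been paid for. Get money from: https://olx-payout.example/receive?id=4471",
    "Hi, is this still available? https://www.olx.ua/d/obyavlenie/12345",
    "Payment confirmed, see receipt at https://ebay.com.secure-checkout.example/pay",
    "A deposit is required before we can ship the parcel.",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s)["verdict"], "<-", s)
```

The rule is deliberately narrow: it catches the templated lure plus off-platform link combination, and only marks a lure without any link as "suspicious", which matches the article's point that the conversation rather than the template is where victims can spot the scam.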
Successful hauls don’t go straight into the attacker’s pocket. Instead, the Telekopye community operates in a corporate-like structure, with a hierarchy of admins, moderators, good workers, and regular workers. Admins earn 5-40% commissions on each scam, and roles and money movements are tracked in shared documents.
How Telekopye Automation Works
Telekopye offers a set of predefined templates for emails and texts, HTML phishing pages, forms, and even images of financial documents.
For landing pages, for example, scammers have to do no work at all. They’re given a series of templates targeting websites in specific countries — Slovakia, Spain, England, Australia, and more — and while the final result can sometimes be inelegant, other times it does look like the real thing.
When images come in handy, scammers turn to Render Bot, a separate but related bot that replaces key fields in photos and screenshots. A scammer might tweak, for example, a photo of an invoice or cheque, or a screenshot of a page associated with a legitimate application. Several fonts are supported in order to better blend the added text with the original image.
The best way to identify a Telekopye scam, Jizba says, is not to try to pick out tiny discrepancies in these carefully orchestrated, automated texts and images. Rather, it is when scammers have to go off-book that they’re most vulnerable.
“Outputs of Telekopye look convincing,” he says. “Administrators of Telekopye spend a great deal of time on making their phishing templates as legitimate-looking as possible. The main weakness lies in sounding legitimate in real conversation with the victim, often speaking in [a] different language. This is usually where the victim has the highest chance to spot the scam.”