Press Center

ESET researchers have analyzed how aspiring new attackers join Telekopye groups, thanks to ads in underground forums, and present a detailed view of the whole scamming operation from the attackers' perspective. The research contains analyses of the scam scenarios and what each Neanderthal has to do in order to be successful. (ESET Research refers to the scammers using Telekopye as Neanderthals.) Telekopye’s capabilities include creating phishing websites, sending phishing SMS and emails, and creating fake screenshots. According to ESET telemetry, this tool is still in use and in active development. The toolkit is implemented as a Telegram bot. BRATISLAVA, PRAGUE — November 23, 2023 — ESET researchers have recently discovered and analyzed Telekopye, a toolkit that helps less tech-savvy people pull off online scams more easily, with the first part of the research being published in August. In this second part, ESET Research focuses on scammers’ internal onboarding process, a detailed view of the whole scamming operation, and analysis of the scam scenarios. The capabilities of Telekopye include creating phishing websites, sending phishing SMS texts and emails, and creating fake screenshots. According to ESET telemetry, this tool is still in use and in active development,and is implemented as a Telegram bot. Victims of this scam operation are called Mammoths by the scammers. For the sake of clarity, and following the same logic, ESET refers in its findings to the scammers using Telekopye as Neanderthals. Telekopye groups recruit new Neanderthals via advertisements across many different channels, including underground forums. These advertisements clearly state the purpose: to scam online marketplace users. Aspiring Neanderthals are required to fill out an application, answering basic questions like what experience they have in this line of “work.” If approved by existing group members with sufficiently high rank, the new Neanderthals can start using Telekopye to its full potential. There are three main scam scenarios: seller, buyer, and refund. In the seller scam, attackers pose as sellers and try to lure unsuspecting victims into buying some nonexistent item. When the victim shows interest in the item, the “seller“ persuades him them to pay online rather than in person and provides a link to a phishing website posing as a legitimate payment site. Unlike the legitimate web page, though, this page asks for an online banking login, credit card details (sometimes including balance), or other sensitive information. The phishing website automatically steals it. In the buyer scam, attackers pose as buyers, researching victims to target. They show interest in an item and claim they’ve already paid via the provided platform. Then they send the victim an email or SMS message (created via Telekopye) with a link to a carefully crafted phishing website, claiming that the victim needs to click this link in order to receive their money from the platform. The rest of the scenario is very similar to the “seller“ scam. In the refund scenario, attackers create a situation where the victim is expecting a refund and subsequently send them a phishing email with a link to the phishing website, once again serving the same purpose. “In almost every group of Neanderthals, we can find references to manuals with online market research from which Neanderthals draw their strategies and conclusions,” says ESET researcher Radek Jizba, who investigated Telekopye. “For example, during the buyer scam scenario, Neanderthals choose their targets based on the type of items they are selling. For instance, some groups avoid electronics completely. The price of the item is also important. Manuals recommend that Neanderthals, in the buyer scam scenario, pick items with a price between €9.50 to €290,” he adds. Additionally, attackers using Telekopye utilize web scrapers to quickly go through many online marketplace listings and pick a “perfect victim” who will most likely fall for the scam. Telekopye attackers believe that their groups are full of “rats” (for example, law enforcement or researchers). Thus, they religiously stick to the rules; mainly, no probing for information that could identify other members of the group. Breaking such rules may very well result in being banned. The golden rule is “Work more, talk less.” Even though the main targets of scammers are online markets popular in Russia, such as OLX and YULA, ESET has also observed targets that are not native to Russia, such as BlaBlaCar and eBay, and even others that have nothing in common with Russia, like Jófogás and Sbazar. For more information about how Telekopye attackers operate, check out the blogpost “Telekopye: Chamber of Neanderthal’s Secrets.” Make sure to follow ESET Research on Twitter (now known as X) for the latest news from ESET Research. About ESET ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg. About Version 2 Limited Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.