In a recent blog post published by ESET researcher Radek Jizba, it was revealed that Russian-language Telegram users are utilizing a bot called “Telekopye” to carry out automated phishing campaigns against users of popular ecommerce sites such as eBay. These cybercriminals have established a corporate-like structure within the Telegram community, complete with administrators and workers, to spread the wealth generated from these scams.
Telekopye, which has been in operation for eight years and is still actively used and updated, functions as a phishing toolkit designed as a Telegram bot. It possesses the capability to write emails and SMS messages, create prefabricated phishing pages, and allow users to manipulate images. This has attracted a community of cybercriminals with limited technical expertise, enabling them to scam online shoppers and sellers not only in Russia but also in various countries around the world.
The success of Telekopye can be attributed to its ability to target users of popular Russian ecommerce websites such as YULA and OLX, which receive billions of page views and millions of transactions monthly. The bot is also used in conjunction with ecommerce sites popular in Europe and other Western countries, including BlaBlaCar and eBay.
There are two main schemes employed in these phishing attacks, according to Jizba. The first, known as Type 1.0, targets online shoppers, or “mammoths,” as they are referred to within the Telekopye community. This scheme involves persuading victims through emails and SMS messages that the scammer is legitimate. Once victims click on the phishing link, they are directed to a mock ecommerce page where they are prompted to enter their credit or debit card details to purchase an item they will never receive. The scammers then launder the money using cryptocurrencies and repeat the process.
Type 2.0 focuses on targeting sellers by tricking them into believing they need to pay a deposit. Scammers bait sellers with messages like “Your item has been paid for. Get money from:” followed by a phishing link.
Interestingly, the ill-gotten gains from successful scams do not go straight into the attackers’ pockets. Instead, the Telekopye community operates under a corporate structure, with admins, moderators, good workers, and regular workers. Admins earn commissions ranging from 5% to 40% on each scam, and all roles and financial movements are meticulously tracked in shared documents.
Telekopye offers a variety of predefined templates for emails, texts, HTML phishing pages, forms, and even images of financial documents to automate the scamming process. Scammers are given a range of templates designed for specific countries, such as Slovakia, Spain, England, and Australia, for their landing pages. While the final result may sometimes appear unconvincing, there are instances where the phishing pages closely resemble the real websites.
When scammers require images, they turn to Render Bot, a separate but related bot that removes key fields in photos and screenshots. This allows scammers to manipulate photos of invoices, cheques, or screenshots of legitimate applications. Render Bot supports several fonts to ensure the added text blends seamlessly with the original image.
Jizba advises potential victims to identify Telekopye scams by focusing on conversations with scammers rather than scrutinizing the carefully crafted automated texts and images. He suggests that scammers are most vulnerable when they have to deviate from their pre-determined scripts and engage in real conversation with their victims, often using a different language. This is where victims have the highest chance of spotting the scam.
As Telekopye continues to thrive and evolve, it poses a significant threat to online shoppers and sellers, not just in Russia but worldwide. Users should remain vigilant, exercise caution when interacting with unfamiliar individuals or websites, and report any suspicious activities to the relevant authorities.

