Fraudster Users Call Victims ‘Mammoths,’ Leading Eset to Dub Them ‘Neanderthals’
A toolkit likely built by Russians, dubbed Telekopye by security researchers, is designed to enable fraudsters to concentrate on honing their social engineering without having to worry about the technical side of online scamming.
Researchers at Eset discovered and named the tool Telekopye, which is a portmanteau of Telegram and “kopye” – the Russian word for spear. The tool appears to have been available since at least 2015.
“This toolkit is implemented as a Telegram bot that, when added to a Telegram group chat, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers,” researchers say.
Eset says the toolkit’s users are primarily located in Russia, Ukraine and Uzbekistan, judging by the language used in comments in the code, the markets most often targeted with the toolkit, and information gleaned from Telekopye uploads to VirusTotal.
The toolkit is designed to allow scammers with minimal technical knowledge to engage in fraudulent activities, such as creating phishing websites and sending fraudulent emails and SMS messages. The main targets of this toolkit are online marketplaces popular in Russia, as well as those outside of Russia such as BlaBlaCar, eBay, JOFOGAS and Sbazar. Users dub victims “Mammoths,” leading Eset to christen Telekopye customers “Neanderthals.”
“We discovered the source code of a toolkit that helps scammers so much in their endeavors that they don’t need to be particularly well versed in IT, instead they only need a silver tongue to persuade their victims,” said Radek Jizba, a security researcher at Eset.
Eset has seen multiple versions of the toolkit in circulation, with the latest dating from April. Some versions of Telekopye are capable of storing victim data such as payment card details or email addresses on the compromised system’s disk.
Scammers who employ the tool would need to first gain victims’ trust by posing as legitimate entities and then tricking them into visiting convincing phishing web pages they’ve created using predesigned Telekopye templates. These pages get used to collect sensitive information such as credit card details. Links to the phishing pages will typically get sent to victims via SMS or email.
Researchers did not disclose how the scammers identify their victims, but determined that the toolkit is only used once the scammers have gained a certain level of trust from their targets. Once victims share their card details on the phishing page, the scammers employ various techniques – including laundering cryptocurrency via crypto mixers – to hide the stolen money. Scammers haven’t been seen transferring stolen funds directly to their own accounts. Instead, they use a shared Telekopye account controlled by the Telekopye administrator.
The toolkit tracks the success of each scammer by logging contributions to the shared account, essentially serving as a payment system. Scammers are paid by the Telekopye administrator, who deducts fees. The hierarchy of scammers using Telekopye is organized into different classes with varying privileges and commission fees.