Cybercriminals using Telekopye Telegram bot to craft phishing scams on a grand scale

Telekopye is a malicious Telegram bot used by cybercriminals to pull off phishing scams, tricking unsuspecting individuals into revealing sensitive personal information on a large scale. The bot makes it easy for scammers to craft sophisticated phishing websites, emails, and SMS messages. These websites, emails, and SMS messages mimic legitimate entities, lulling victims into a false sense of security.

Impact:

  • Financial Losses: Phishing scams often trick victims into revealing their financial information, such as credit card numbers and bank account details. This information can then be used to make fraudulent transactions or steal money directly from victims’ accounts.
  • Data Breaches: When victims click on phishing links or download phishing documents, they may unintentionally provide hackers with personal information such as their names, addresses, Social Security numbers, and medical records. This information can subsequently be sold on the dark web or used to perform further criminal activities.
  • Identity Theft: Identity theft occurs when cybercriminals use stolen personal information to open new accounts in victims’ names. This can lead to a variety of problems, including financial ruin, damaged credit, and difficulty obtaining employment or housing.


Chain of Attacks

  • Reconnaissance: Cybercriminals gather information about their targets prior to attacking them. The use of social media, open-source intelligence, or even physical surveillance can be used to accomplish this.
  • Crafting the lure: Phishing messages are designed to look like they are coming from a legitimate source, such as a bank, credit card company, or social media site. Malware may be attached to the message or the message may link to a fake website.
  • Distribution: Phishing messages are distributed by cybercriminals to their targets. A text message, an email, a post on social media, or even a phone call may be used to achieve this.
  • Exploitation: When victims click on the phishing link or open the attachment, they are taken to a fake website or infected with malware. Cybercriminals can then steal their personal information or take control of their devices.

Vulnerability Overview:

The cybercriminals behind this operation are referred to as Neanderthals by ESET, a metaphorical way to convey that their actions are primitive, unsophisticated, or unethical. The cybercriminals, in turn, refer to their victims as Mammoths to portray them as large, slow, and easy targets. ESET security researcher Radek Jizba said in a news analysis that Telekopye can craft phishing websites, emails, SMS messages, and more.

The Neanderthals are exploiting a variety of vulnerabilities in their phishing scams, including:

Trust: The scammers are building trust with their victims by being friendly and helpful. This makes it more likely that the victims will click on the phishing links or enter their personal information on the fake websites.

Fear: The scammers are using fear to motivate their victims. For example, they may send emails that threaten to close the victims’ accounts if they do not take action.

Greed: The scammers are offering their victims something of value in exchange for their personal information. For example, they may promise to give the victims access to exclusive content or to enter them into a sweepstakes.

Vulnerability Type: Phishing Attacks

Affected Product: Telegram

IoCs:

  1. Samples (detected as PHP/HackTool.Telekopye.A by ESET):
  • SHA-1: 26727D5FCEEF79DE2401CA0C9B2974CD99226DCB (filename: scam.php)
  • SHA-1: 285E0573EF667C6FB7AEB1608BA1AF9E2C86B452 (filename: tinkoff.php)
  • SHA-1: 8A3CA9EFA2631435016A4F38FF153E52C647146E (filename: 600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php)


  2. Network Indicators:
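A small detection helper, added here as an example and not part of the advisory or of ESET's tooling, that turns the indicators above into two checks: a SHA-1 sweep of a web root against the published sample hashes, and a match of resolver log lines against the defanged domains (two of the advisory's domains are used; the log lines are constructed, not real traffic). Subdomain matching uses a dot-boundary suffix test so that a look-alike such as `notid8092.ru` does not match.

```python
import hashlib
import os
import re

# SHA-1 sample indicators and filenames exactly as listed in the advisory above.
SAMPLE_HASHES = {
    "26727d5fceef79de2401ca0c9b2974cd99226dcb": "scam.php",
    "285e0573ef667c6fb7aeb1608ba1af9e2c86b452": "tinkoff.php",
    "8a3ca9efa2631435016a4f38ff153e52c647146e": "600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php",
}
# Network indicators are published defanged with "[.]"; two taken from the advisory.
DEFANGED_DOMAINS = ["id8092[.]ru", "2cdx[.]site"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("id8092[.]ru") back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()

def match_bytes(data: bytes, hashes=SAMPLE_HASHES):
    """Return the known sample name if the SHA-1 of data is an indicator, else None."""
    return hashes.get(hashlib.sha1(data).hexdigest())

def scan_webroot(root: str, hashes=SAMPLE_HASHES) -> list:
    """Walk a web root and return (path, known_name) for every file whose SHA-1 is an IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                known = match_bytes(f.read(), hashes)
            if known:
                hits.append((path, known))
    return hits

# Loose hostname pattern: pulls candidate hosts out of free-form log lines.
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.IGNORECASE)

def scan_dns_log(lines, domains=DEFANGED_DOMAINS) -> list:
    """Return the log lines that name an indicator domain or one of its subdomains."""
    wanted = [refang(d) for d in domains]
    hits = []
    for line in lines:
        hosts = (h.lower() for h in HOST_RE.findall(line))
        if any(h == w or h.endswith("." + w) for h in hosts for w in wanted):
            hits.append(line)
    return hits

# Constructed (not real) resolver log lines showing the matcher in use.
SAMPLE_LOG = ["2024-01-01T10:00:00Z client=10.0.0.5 query=www.id8092.ru type=A",
              "2024-01-01T10:00:01Z client=10.0.0.7 query=example.com type=A"]
```

Run `scan_webroot("/var/www")` on a suspect host and feed `scan_dns_log` the resolver log of the same period; a hash hit names the known sample, and a domain hit returns the offending line.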

The scams have caused substantial financial losses for victims, who have also suffered emotional distress and reputational damage. In addition, the scams have damaged the reputation of online marketplaces.

Remediation Steps:

  • Keep an eye on Telegram channels or groups associated with Telekopye for potential updates, announcements, or changes in tactics.
  • Sign up for threat intelligence feeds like SRC-Ti, which provide updates on known malicious activity, including Telekopye developments.
  • Analyse language patterns used in phishing messages to detect anomalies, mistakes, or discrepancies that might indicate a Telekopye-driven scam.
  • Follow the advice to insist on in-person money and goods exchange, especially for second-hand goods on online marketplaces, to avoid falling victim to Telekopye scams.
  • Keep informed about the latest findings and updates from ESET Research and other cybersecurity sources for any new developments related to Telekopye.