Award-winning news, views, and insight from the ESET security community
Award-winning news, views, and insight from the ESET security community
ESET Research
Analysis of Telegram bot that helps cybercriminals scam people on online marketplaces
Radek Jizba
24 Aug 2023 • , 18 min. read
More and more people nowadays prefer to buy goods online. And why not? It’s convenient, goods will be delivered to your doorstep, and if you choose one of many online marketplaces, it’s even possible to save some money. Sadly, scammers abuse this, targeting these services and their customers for the scammer’s benefit. They can create a listing for goods they don’t own or don’t intend to sell. Once the victim pays, they seemingly disappear into the ether.
Recently we found the source code of a toolkit that helps scammers so much in their endeavors that they don’t need to be particularly well-versed in IT, but only need a silver tongue to persuade their victims. This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once. In this blogpost we will focus on toolkit analysis and features, and on the structure of the group(s) that use it. We have named this toolkit Telekopye.
This blog post is the first of a two-part series where we take a closer look at Telekopye and show some of the key features that are very helpful to scammers. In the second part, we will focus more on group operations.
Key points of this blogpost
We devised the name Telekopye as a portmanteau of Telegram and kopye (копье), the Russian word for spear, due to the use of highly targeted (aka spear-) phishing. Victims of this scam operation are called Mammoths by the scammers (see Figure 1) and several leads point to Russia as the country of origin of the toolkit’s authors and users. For the sake of clarity, and following the same logic, we will refer to the scammers using Telekopye as Neanderthals.
Figure 1. One of the memes (Mammoth lost) from a group conversation posted by Neanderthals
Telekopye was uploaded to VirusTotal multiple times, primarily from Russia, Ukraine, and Uzbekistan, from where Neanderthals usually operate based on the language used in comments in the code (we have added machine translations to English in brackets in various images in this blogpost) and the majority of targeted markets. Even though the main targets of Neanderthals are online markets popular in Russia, like OLX and YULA, we observed that their targets are also online markets that are not native to Russia, like BlaBlaCar or eBay, and even others that have nothing in common with Russia, like JOFOGAS and Sbazar. Just to illustrate how big some of these marketplaces are, the OLX platform had, according to Fortune, 11 billion page views and 8.5 million transactions per month in 2014.
We were able to collect several versions of Telekopye, suggesting continuous development. All of these versions are used to create phishing web pages, and send phishing email and SMS messages. In addition, some versions of Telekopye can store victim data (usually card details or email addresses) on disk where the bot is run. Telekopye is very versatile but does not contain any chatbot AI functionality. Hence, it doesn’t actually perform the scams; it only eases the generation of content used in such scams. In July 2023, we detected new domains that fit the modus operandi of Telekopye operators, so they are still active. The latest version of Telekopye we have been able to gather was from April 11th, 2022. We assess that Telekopye has been in use since at least 2015 and, based on snippets of conversation between Neanderthals, that different scammer groups are using it.
Thanks to human nature, scamming in online marketplaces seems to be very easy. It usually comes down to several key parts of the scam, as seen in Figure 2, that Neanderthals follow. First, Neanderthals find their victims (Mammoths). Then they try to earn their trust and persuade them that they are legitimate (why this is needed we will discuss in part 2). When Neanderthals think that a Mammoth sufficiently trusts them, they use Telekopye to create a phishing web page from a premade template and send the URL to the Mammoth (the URL can also be sent via SMS or email). After the mammoth submits card details via this page, the Neanderthals use these card details to steal money from the Mammoth’s credit/debit card, while hiding the money using several different techniques such as laundering it through cryptocurrency. Based on several conversation snippets, we assess that some crypto mixers are involved. There is a missing link between when money is scammed from the Mammoth and the payout to the Neanderthals, which is usually in cryptocurrency.
Figure 2. Overview of the Neanderthals’ scam
Telekopye has several different functionalities that Neanderthals can use to their full extent. These functionalities include sending phishing emails, generating phishing web pages, sending SMS messages, creating QR codes, and creating phishing screenshots. In the following sections, we will focus on the most useful parts of Telekopye for the average Neanderthal.
Every Telegram group using Telekopye consists of one or more Neanderthals that operate simultaneously and independently. Functionality is offered through buttons, likely to make scamming easier for Neanderthals.
Figure 3 shows one of the menus of Telekopye in a working Telegram group. Particularly noteworthy are the buttons “My ads”, showing all opened listings (ongoing scam advertisements) each Neanderthal has, and “My profile”, allowing Neanderthals to see their profile information on this platform, such as the number of scams pulled off, amount of money ready for next payout, etc.
Figure 3. Example of Telekopye operator interface in a Telegram group
The core feature of Telekopye is that it creates phishing web pages from predefined HTML templates on demand. A Neanderthal needs to specify the amount of money, product name and, based on the template, additional information like location to which the product will be sent, picture, weight, and buyer’s name. Then Telekopye takes all this information and creates a phishing web page. These phishing web pages are designed to mimic different payment/bank login sites, credit/debit card payment gateways, or simply payment pages of different websites.
To make the phishing website creation process easier, these website templates are organized by countries they target. Figure 4 shows a simple creation menu where some templates are sorted according to different countries. The only outlier is BlaBlaCar for country-independent car-sharing services.
Figure 4. Creation menu for different phishing pages. Notice the Swedish flag is incorrectly associated with Switzerland in the top, right corner.
Figure 5 shows one such phishing web page, likely not fully perfected yet.
Figure 5. Filled in uncompleted phishing website template (machine translations in brackets)
The finished product is seen in Figure 6, an eBay web page look-alike that is almost unrecognizable from the original (or at least looks like something one would expect from the legitimate website). By clicking the Receive %amount2% EUR button, a Mammoth is shown a fake credit/debit card gateway.
Figure 6. Finished template for phishing web page impersonating eBay
These phishing domains are not easy to spot. Usually, Neanderthals register a domain and then create subdomains for each targeted marketplace in such a way that the final URL starts with the expected brand name. In Table 1 notice that only one domain – olx.id7423[.]ru – is used to target the popular marketplace OLX. An example of a legitimate domain for the OLX marketplace is olx.ua. In short, they usually use .ru as their top-level domains and move second-level domains to the third-level domain’s place.
Table 1. Examples of several domains used for phishing
Service name (RU)
Service name
Phishing domain
Legitimate domain
Авито
Avito
avito.id7423[.]ru
avito.ru
Юла
Youla
youla.id7423[.]ru
youla.ru
Боксберри
Boxberry
boxberry.id7423[.]ru
boxberry.ru
Сдек
Cdek
cdek.id7423[.]ru
cdek.ru
Авито Аренда
Avito-rent
avito-rent.id7423[.]ru
avito.ru
OLX KZ
OLX
olx.id7423[.]ru
olx.kz
Куфар
Kufar
kufar.id7423[.]ru
kufar.by
OLX UZ
OLX UZ
olx.id7423[.]ru
olx.uz
OLX RO
OLX RO
olx.id7423[.]ru
olx.ro
OLX PL
OLX PL
olx.id7423[.]ru
olx.pl
OLX UA
OLX UA
olx.id7423[.]ru
olx.ua
СБАЗАР
Sbazar
sbazar.id7423[.]ru
sbazar.cz
IZI ua
IZI ua
izi.id7423[.]ru
izi.ru
OLX BG
OLX BG
olx.id7423[.]ru
olx.bg
Neanderthals do not transfer money stolen from Mammoths to their own accounts. Instead, all the Neanderthals use a shared Telekopye account controlled by the Telekopye administrator. Telekopye keeps track of how successful each Neanderthal is by logging associated contributions to that shared account – either in a simple text file or a SQL database.
As a consequence, Neanderthals get paid by the Telekopye administrator. Payment is split into three parts:
1. Commission to the Telekopye administrator.
2. Commission to recommender (recommendation system is discussed later in the blog post).
3. Actual payout.
The commission to the Telekopye administrator is 5–40%, depending on the Telekopye version and Neanderthal role (roles are also discussed later in the blog post).
Once a Neanderthal becomes eligible for a payout, he asks Telekopye for one. Telekopye checks the Neanderthal’s balance, final request is approved by the Telekopye administrator and, finally, funds are transferred to the Neanderthal’s cryptocurrency wallet. In some Telekopye implementations, the first step, asking for a payout, is automated and the negotiation is initiated whenever a Neanderthal reaches a certain threshold of stolen money from successfully pulled off scams (e.g., 500 RUB). The process of the manual payout request is illustrated in Figure 7 and the associated part of the Telekopye source code in Figure 8.
Figure 7. Payout diagram
Figure 8. Code that is executed whenever a Neanderthal wants to withdraw funds
Telekopye keeps logs of processed payouts in a separate Telegram channel. A Neanderthal who is paid also receives a link to this channel, probably to be able to verify that the transaction is logged. Figure 9 shows an example of such a logs channel.
Figure 9. Example of payout logs in a Telegram channel
The Telekopye administrator does not transfer the money through Telekopye itself. Instead, the admin uses either a tool called “BTC Exchange bot”, likely an independent Telegram bot, or transfers the money manually. However, we have observed increasing integration of payout-related features into Telekopye, so this may change in the future.
Neanderthals can instruct Telekopye to create and send email messages. The sender is a predefined email account shared between all the Neanderthals. These email accounts are typically associated with the phishing domains set up by Neanderthals. Figure 10 shows the code to spoof the email headers From and Reply-To so that the email messages appear more legitimate.
Figure 10. Code to craft phishing emails with a fake URL and spoofed sender address
Figure 11 shows one of many templates used to create phishing email bodies. No additional information has been given, so default values are shown, instead of user-defined text, for %title% and %amount%. A malicious URL is hidden behind the “Go to payment” button.
Figure 11. Email template that imitates a simple checkout email
Besides phishing emails, Telekopye allows Neanderthals to create and send SMS messages in a similar manner. Figure 12 illustrates the piece of code responsible for creating and sending such messages.
Figure 12. Part of the code to create SMS messages using the online service [legitimate] smscab.ru
Some implementations of Telekopye even have predefined SMS texts in different languages. All SMS templates say more or less the same thing, for example, “Your item has been paid for. To receive funds, fill out the form: <malicious_link>”. Examples of several SMS templates are shown in Figure 13, where original Russian templates are shown.How this SMS looks when a Mammoth receives it can be seen in Figure 14.
Figure 13. Telekopye SMS template texts in Russian
Figure 14. Example of an SMS created with a template text in Czech and received without a malicious link
Telekopye relies heavily on online services such as smscab.ru or smshub.org to send SMS messages. We have analyzed an older variant, where Telekopye used one hardcoded phone number shared among all Neanderthals. However, likely because blocking one phone number would result in blocking all Neanderthals’ messages, this feature was discontinued.
In this section, we describe how simple it is for Neanderthals using Telekopye to create convincing images and screenshots. Some versions of Telekopye have a component called Render bot. Although Render bot could be classified as a standalone bot, we will handle it as part of Telekopye.
When Render bot is added to a Telegram chat, we are greeted with the initial message seen in Figure 15.
Figure 15. The initial message from Render bot
This gives us good insight into how this part of Telekopye works. We can classify the uses of Render bot into two categories. First, it can be used to mangle images so that they are not easy to cross-reference. Second, it can create fake images that are meant to look like legitimate screenshots. In this section, we will focus first on the creation of these fake screenshots, a feature similar to creating phishing websites.
Unlike fake web pages that are generated from HTML templates, the base for fake screenshots is a JPG image with some key parts removed. These parts include the supposed paid price, debit/credit card number, title, name, etc. This transformation is shown in Figure 16, where there is a side-by-side comparison of a plain template and a filled template. Because these are images, there are no interactive buttons, unlike the email and phishing web page counterparts.
Figure 16. Generated fake screenshot (template on the left, template filled with sample text on the right)
There is a high emphasis on making the inserted text fit as well as possible, so Telekopye supports several different fonts. Just as previously, all behavior is hardcoded and no AI is used. We found nine templates for Sberbank, Avito, Youla, Qiwi, and a few other services.
From the Neanderthals’ perspective, creating these screenshots is no different from creating phishing web pages. A Neanderthal only needs to supply a few bits of information, and Telekopye creates a fake screenshot/image from them.
In Render bot folders it is also possible to see one of these templates in the process of creation. Figure 17 shows a photo of an invoice for a parcel, with numbered fields. Developers of Telekopye erase all fields with numbers next to them and try to fit their own font style and font size in them. When they are satisfied with how the final product looks, they add it to the bot for other Neanderthals to use as a new template.
Figure 17. Fake check in progress of creation
Another no less important functionality of this part of Telekopye is image manipulation. From the code and its comments, it is possible to gather that it is able to change images of advertised goods so that search engines cannot cross-reference them. We assume that if the image was found on an online marketplace, AI antispam protection would flag it as malicious. This transformation is very simple and consists of a vertical flip of the image and a small change in contrast.
Thanks to content from Telekopye source files, we assess that the developers are trying to experiment with different types/variations of the scam. For example, in the code, we see QR code generation functionality (Figure 18). This might mean one of two things. Either it is part of the payout process or they are trying to make it a new trick for scamming. A probable reason is that Mammoths don’t think twice when paying via a QR code. So we estimate that there is going to be a small increase in scams using these kinds of tricks.
Figure 18. Code that generates QR codes
From Figure 15 it looks as if Render bot can create fake checks for Sberbank. But in reality, it can only create payment confirmations (Figure 19).
Figure 19. Payment confirmation template
Fully functioning fake check generation is only a question of time. It is possible to see fragments of work suggesting this is already being worked on. These fragments are mainly handwritten numbers that are probably going to be added as custom fonts.
Groups of scammers using Telekopye are organized into a hierarchy with least to most privileges in order as follows:
1. Administrators
2. Moderators
3. Good workers / Support bots
4. Workers
5. Blocked
We have observed some variants enriching this list with a few additions, but these five roles remain the basis. We focus on each role in more detail in the sections below.
Telekopye also employs a referral system. When a new Neanderthal wants to join the group, he needs to fill in an application (how much “industry” experience he has, who invited him, etc.). This application then needs to be accepted by Moderators or Administrators in order for the new Neanderthal to join.
A user with this role is not able to use any part of the Telekopye toolkit. Rules that are part of Telekopye source code suggest this is some sort of punishment for breaking them (Figure 20).
Figure 20. Rules of Telekopye chat group
This is the most common role that almost all new Neanderthals start with. With this role, Neanderthals are able to use every Telekopye feature, excluding moderation of the group. During payout, this role has the worst commission rates, as seen in Table 2.
Table 2. Example of payout rates
Role
Commission to
owner
Commission to recommender
Actual payout
Workers
33%
2%
65%
Good workers/Support bots
23%
2%
75%
This role is a direct upgrade of the Worker role. The only difference is that Neanderthals with this role don’t have to give such a large percentage of their payout to the platform owner.
To get this role, Neanderthals must prove their usefulness – pull off a number of scams or achieve a certain amount of stolen funds.
Sometimes it is possible to see that this role is reserved for support bots. We are not certain what these bots are.
Moderators can promote and demote other members and approve new members. They cannot modify Telekopye settings.
Administrators are the highest role in the group. They can use Telekopye to its full extent. On top of moderators’ capabilities, they can modify Telekopye settings – add phishing web page templates, change/add email addresses that the bot uses, and change payout rates, payout type, etc.
The easiest way to tell whether you are being targeted by a Neanderthal trying to steal your money is by looking at the language used. It can be the language used in conversation, email, or on the web page itself. Sadly, this is not foolproof, and it has been observed that some of these scam attempts have ironed out grammar and vocabulary mistakes.
Insist on in-person money and goods exchange whenever possible when dealing with secondhand goods on online marketplaces. Such trades are not protected by well-known institutions or services. These scams are only possible because Neanderthals pretend they already paid online/sent an item. Sadly, sometimes in-person delivery is not possible and in that case you need to be extra careful.
Avoid sending money unless you are certain where it will go. When you need to send money somewhere, check the web page for grammatical errors and graphical disproportions. If you are lucky, a template can have some inaccuracies. Also check the website certificate and look closely at the URL, which can be made to look like a real link.
Watch out for strong-arm arguments like “I’ll send money through service XYZ. Do you know how it works?”. Ask if another payment type is possible and especially if they are willing to accept payment from a service you are familiar with. This is not foolproof because scammers have multiple templates, but you might be able to recognize a fake template more easily when you use a payment method known to you.
Be extra careful when clicking on links in SMS messages or emails, even if they look as if they come from a reputable source. Neanderthals are no strangers to email spoofing. A good rule of thumb is to ask yourself whether you bought something that would make reputable sources send you emails like that. If you are unsure, visit the supposed service’s website directly (not using the link in the email/SMS) and ask. Most of these pages have customer support and they will happily give you a hand.
We discovered and analyzed Telekopye, a toolkit that helps less technical people pull off online scams more easily. We estimate that Telekopye was in use since at least 2015. We focused on one version, analyzing its main capabilities and uncovering how Telekopye works internally. These capabilities include creating phishing websites, sending phishing SMS and emails, and creating fake screenshots. We also described the hierarchy of groups using Telekopye. Thanks to our telemetry, we also found out that this tool is still in use and in active development. The second Telekopye blog post, which will be released later, uncovers the inner working of the scam groups.
The author would like to thank Ondřej Novotný for the initial discovery.
For any inquiries about our research published on WeLiveSecurity, please contact us at [email protected].
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
A comprehensive list of Indicators of Compromise and samples are available in our GitHub repository.
SHA-1 |
Filename |
Detection |
Description |
26727D5FCEEF79DE2401CA0C9B2974CD99226DCB |
scam.php |
PHP/HackTool.Telekopye.A |
Telekopye scam toolkit |
285E0573EF667C6FB7AEB1608BA1AF9E2C86B452 |
tinkoff.php |
PHP/HackTool.Telekopye.A |
Telekopye scam toolkit |
8A3CA9EFA2631435016A4F38FF153E52C647146E |
600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php |
PHP/HackTool.Telekopye.A |
Telekopye scam toolkit |
SHA-1
Filename
Detection
Description
26727D5FCEEF79DE2401CA0C9B2974CD99226DCB
scam.php
PHP/HackTool.Telekopye.A
Telekopye scam toolkit
285E0573EF667C6FB7AEB1608BA1AF9E2C86B452
tinkoff.php
PHP/HackTool.Telekopye.A
Telekopye scam toolkit
8A3CA9EFA2631435016A4F38FF153E52C647146E
600be5ab7f0513833336bec705ca9bcfd1150a2931e61a4752b8de4c0af7b03a.php
PHP/HackTool.Telekopye.A
Telekopye scam toolkit
IP
Domain
Hosting provider
First seen
Details
N/A
id23352352.ru
Cloudflare
2023-07-04
Domain that is used to test toolkit or scam victim.
N/A
id8092.ru
Cloudflare
2023-06-26
Domain that is used to test toolkit or scam victim.
N/A
id2770.ru
Cloudflare
2023-06-28
Domain that is used to test toolkit or scam victim.
N/A
id83792.ru
Cloudflare
2023-06-17
Domain that is used to test toolkit or scam victim.
N/A
id39103.ru
Cloudflare
2023-06-19
Domain that is used to test toolkit or scam victim.
N/A
2cdx.site
Cloudflare
2021-03-21
Domain that is used to test toolkit or scam victim.
N/A
3inf.site
Cloudflare
2021-03-12
Domain that is used to test toolkit or scam victim.
N/A
pay-sacure4ds.ru
Jino
2021-12-27
Domain that is used to test toolkit or scam victim.
N/A
id7423.ru
Cloudflare
2021-03-27
Domain that is used to test toolkit or scam victim.
N/A
id2918.site
Jino
2021-03-08
Domain that is used to test toolkit or scam victim.
N/A
formaa.ga
Zomro
2021-05-30
Domain that is used to test toolkit or scam victim.
N/A
id0391.ru
Cloudflare
2023-06-23
Domain that is used to test toolkit or scam victim.
N/A
id66410.ru
Cloudflare
2023-06-17
Domain that is used to test toolkit or scam victim.
N/A
id82567.ru
Cloudflare
2023-06-07
Domain that is used to test toolkit or scam victim.
This table was built using version 13 of the MITRE ATT&CK framework.
Tactic |
ID |
Name |
Description |
Reconnaissance |
Gather Victim Identity Information |
Telekopye is used to gather debit/credit card details, phone numbers, emails, etc. via phishing web pages. |
|
Resource Development |
Acquire Infrastructure: Domains |
Telekopye operators register their own domains. |
|
Establish Accounts |
Telekopye operators establish accounts on online marketplaces. |
||
Establish Accounts: Email Accounts |
Telekopye operators set up email addresses associated with the domains they register. |
||
Compromise Accounts: Email Accounts |
Telekopye operators use compromised email accounts to increase their stealthiness. |
||
Develop Capabilities: Malware |
Telekopye is custom malware. |
||
Initial Access |
Phishing: Spearphishing Link |
Telekopye sends links to phishing websites in emails or SMS messages. |
|
Collection |
Input Capture: Web Portal Capture |
Web pages created by Telekopye capture sensitive information and report it to operators. |
Tactic
ID
Name
Description
Reconnaissance
T1589
Gather Victim Identity Information
Telekopye is used to gather debit/credit card details, phone numbers, emails, etc. via phishing web pages.
Resource Development
T1583.001
Acquire Infrastructure: Domains
Telekopye operators register their own domains.
T1585
Establish Accounts
Telekopye operators establish accounts on online marketplaces.
T1585.002
Establish Accounts: Email Accounts
Telekopye operators set up email addresses associated with the domains they register.
T1586.002
Compromise Accounts: Email Accounts
Telekopye operators use compromised email accounts to increase their stealthiness.
T1587.001
Develop Capabilities: Malware
Telekopye is custom malware.
Initial Access
T1566.002
Phishing: Spearphishing Link
Telekopye sends links to phishing websites in emails or SMS messages.
Collection
T1056.003
Input Capture: Web Portal Capture
Web pages created by Telekopye capture sensitive information and report it to operators.
Sign up for our newsletters
ESET Research
Scarabs colon-izing vulnerable servers
ESET Research
Scarabs colon-izing vulnerable servers
ESET Research
Mass-spreading campaign targeting Zimbra users
ESET Research
Mass-spreading campaign targeting Zimbra users
ESET Research
MoustachedBouncer: Espionage against foreign diplomats in Belarus
ESET Research
MoustachedBouncer: Espionage against foreign diplomats in Belarus
ESET research
New Telegram-abusing Android RAT discovered in the wild
ESET research
Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets
ESET research
LATAM financial cybercrime: Competitors-in-crime sharing TTPs
Award-winning news, views, and insight from the ESET security community