
Telegram’s Mammoth Hunt: Telekopye Strikes

By Esme Greene

Sep 20, 2023

A fresh group of cyber attackers has emerged, wielding a malicious bot on the Telegram platform to orchestrate fraudulent activities.

Named Telekopye (a blend of “Telegram” and “spear”), this toolkit operates as an automated instrument for crafting phishing web pages. It employs ready-made templates that replicate legitimate sites, luring victims into entering their payment details. The bot generates these counterfeit pages and sends links to potential victims, humorously referred to as “Mammoths” by the criminals.

First seen in 2015, according to ESET, the Telekopye toolkit has a long track record that points to sustained development and use over several years. Although the identity of the attackers, dubbed “Neanderthals,” remains unknown, they communicate with their victims in Russian via SMS messages and specifically target popular Russian online marketplaces.

Sophisticated Hierarchy: The Inner Workings of Telekopye and Their Mammoth Scam

The Telekopye group demonstrates a well-structured hierarchy, highlighting the organization’s sophistication:

  • Administrators wield the highest privileges, capable of adding phishing page templates and altering payout rates.
  • Moderators have the authority to manage other members and approve new ones but lack toolkit configuration privileges.
  • Rank-and-file workers hold the entry-level position assigned to new Neanderthals.
  • Good workers hold an elevated role, enjoying greater rewards and lower commissions.
  • Blocked users are prohibited due to likely project rule violations.

The attack unfolds as follows: Neanderthals gain the trust of Mammoths and then dispatch counterfeit Telekopye-generated links via email, SMS, or social media messages.

Once victims input payment details on the phishing page, their information is exploited to siphon funds, subsequently laundered through cryptocurrency. The Telekopye administrators receive a share of each successful attack’s gains.

A key feature is the centralized payment system. Rather than routing stolen funds to individual accounts, Neanderthals funnel them to a communal account overseen by the Telekopye administrator. This setup enables close monitoring of each fraudster’s actions.

Protection strategies involve using robust passwords, enabling two-factor authentication (2FA), and deploying antivirus software. ESET also advocates for insisting on face-to-face transactions for purchases and refraining from sending money to unknown parties.

Earlier, ESET experts discovered the Spacecolon malicious toolkit, disseminating variants of the Scarab ransomware globally. This toolkit infiltrates systems through web server vulnerabilities or by exploiting RDP (Remote Desktop Protocol) credentials using brute force.
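The RDP brute-force entry point mentioned above is one of the easier stages to detect on the defender's side. The following added example (not code from the article or from ESET) shows a minimal detector run over constructed sample records shaped like Windows Security event 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP). The event tuples, IP addresses, account names and the five-failures-per-minute threshold are all assumptions chosen for illustration; it flags any source IP that exceeds the threshold within a sliding window, lists the accounts it tried, and notes whether a successful logon followed the burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive (Remote Desktop)

# Constructed sample records (hypothetical, not real telemetry):
# (timestamp, event_id, logon_type, source_ip, target_account)
SAMPLE_EVENTS = [
    ("2023-09-20T10:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2023-09-20T10:00:04", 4625, 10, "203.0.113.7", "admin"),
    ("2023-09-20T10:00:07", 4625, 10, "203.0.113.7", "user"),
    ("2023-09-20T10:00:09", 4625, 10, "203.0.113.7", "administrator"),
    ("2023-09-20T10:00:12", 4625, 10, "203.0.113.7", "backup"),
    ("2023-09-20T10:00:15", 4625, 10, "203.0.113.7", "administrator"),
    ("2023-09-20T10:00:20", 4624, 10, "203.0.113.7", "administrator"),  # success right after the burst
    ("2023-09-20T10:00:30", 4625, 3, "203.0.113.7", "svc"),            # network logon, not RDP: ignored
    ("2023-09-20T10:02:00", 4625, 10, "198.51.100.5", "jdoe"),          # two slow failures: benign
    ("2023-09-20T10:09:00", 4625, 10, "198.51.100.5", "jdoe"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failed RDP logons inside any sliding window.

    Returns {source_ip: {"max_failures_in_window": int,
                         "accounts": [tried account names],
                         "success_after_burst": bool}}.
    """
    events = sorted(events, key=lambda e: e[0])
    recent = defaultdict(deque)        # ip -> timestamps of failed RDP logons still inside the window
    accounts = defaultdict(set)        # ip -> accounts attempted over RDP
    peak = defaultdict(int)            # ip -> largest failure count seen inside one window
    success_after = defaultdict(bool)  # ip -> a 4624 arrived while the window was over threshold

    for ts_str, event_id, logon_type, ip, account in events:
        if logon_type != RDP_LOGON_TYPE:
            continue  # only Remote Desktop logons are of interest here
        ts = datetime.fromisoformat(ts_str)
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window

        if event_id == FAILED_LOGON:
            q.append(ts)
            accounts[ip].add(account)
            if len(q) >= threshold:
                peak[ip] = max(peak[ip], len(q))
        elif event_id == SUCCESS_LOGON and len(q) >= threshold:
            # A success following a dense run of failures is the case worth paging on.
            success_after[ip] = True

    return {
        ip: {
            "max_failures_in_window": peak[ip],
            "accounts": sorted(accounts[ip]),
            "success_after_burst": success_after[ip],
        }
        for ip in peak
    }


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info}")
```

A sliding window (rather than fixed buckets) avoids missing a burst that straddles a minute boundary, and restricting to logon type 10 keeps unrelated SMB or service-account noise out of the count; in practice the threshold and window would be tuned to the host's normal RDP usage, and the same logic applies unchanged to events pulled from a SIEM rather than the inline list used here.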

Additionally, in August, the ESET team exposed a large-scale phishing campaign targeting users of the widely-used email service Zimbra. This campaign reached hundreds of organizations across more than 10 countries. Despite its simplicity, the attackers managed to distribute targeted emails masquerading as Zimbra notifications, leading users to malicious attachments and phishing login pages.

Esme brings a wealth of knowledge and experience to our website, specializing in all aspects of DarkWeb security. With a deep understanding of the intricate workings of the DarkWeb and its associated cybersecurity risks, Esme curates insightful and informative content for our readers.