What Is The Telekopye Toolkit Scam On Telegram and How To Be Safe?

Whether it's electronics, clothes or groceries, online shoppers are always hunting for better deals. For this, people often turn to unconventional platforms that offer or post about unbelievable deals. Unfortunately, this habit is empowering scammers to dupe people. Scammers are using a Telekopye toolkit to dupe individuals with limited technical expertise, an August 2023 report by ESET revealed. The toolkit is implemented on Telegram, a popular messaging and information-sharing platform that has become popular for the use of bots that provide services. It helps scammers set up a Telegram bot that scams people.

What is the Telekopye toolkit?

Telekopye operates as a bot that helps scammers create phishing websites from predefined templates, then generate and send phishing emails and SMS, etc. The toolkit has been uploaded to a platform called VirusTotal multiple times, primarily from Russia and Ukraine. 

The toolkit offers a plethora of different functionalities that scammers can use to create QR codes, and fake screenshots and even store victim data, which usually includes card details or email addresses on a disk where the bot is run.

Several versions of the toolkit have been discovered by researchers, suggesting its continuous development. To identify the scammers, ESET has assigned them the name of “Neanderthals”.

Recruitment of Scammers

Research reveals that scammers are recruited via advertisements seen across different online channels, mainly in underground forums. Interested people need to just complete an application form and answer key questions about their previous experience in this kind of work. They then join a Telegram group where they are communicated the rules and manuals. The transaction logs are stored in a different channel. Experienced members approve recruits and all of them have relevant ranks.

Which websites do scammers target?

The Telekopye scam primarily targets Russian online marketplaces like YULA or OLX. However, the recent finding has indicated that non-Russian targets, including eBay, Sbazar, Jófogás, and BlaBlaCar are also being targeted.

How does the scam unfold?

There are three ways in which the scam unfolds. The first is the “Seller Scam” in which attackers pose as sellers and entice users into purchasing items that don’t exist. The scammers lure unsuspecting customers to make an advance online payment.

This is usually carried out through a fake phishing website link, which appears as a legitimate payment portal. Ultimately, the website steals the victim’s banking credentials or credit card details and transfers the data to the scammers along with stealing money.

The second type of scam is the “Buyer Scam” in which fraudsters pose as buyers. This type of scam involves targeting victims after comprehensive research. In this scam, the criminals pose as buyers claiming to have paid for a product of a seller. They also share a Telekopye Toolkit-created SMS or email containing a link to a phishing website that claims to have proof of the payment. When the victim clicks on the malicious link, he/she faces the same fate as the victims of the seller scam.

The third type of scam is the “Refund Scam” where the scammers pose as companies offering refunds to customers. The catch is, the refund is shared with customers who never bought anything from the company. Thus, the greedy victims who try to claim the non-existent refund are lured with a link to the fake website to get the amount. Upon clicking, they too end up risking/losing critical financial information or money. 

How to be safe?

People should avoid entertaining unexpected messages and links from unknown sources should be reported on Telegram. Personal information should never be shared with a Telegram bot and files should be downloaded only from trusted bots. It is advised to keep the Telegram app up to date to receive security updates regularly.