Cyber Security Threat Summary:
A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear. This tool seems to have been accessible since at least 2015. Operating as a Telegram bot, Telekopye joins Telegram group chats and presents user-friendly menus with clickable buttons, catering to numerous scammers. The researchers note that the toolkit's usage is predominantly seen in Russia, Ukraine, and Uzbekistan. This conclusion is drawn from language found in code comments, the toolkit's preferred target markets, and data acquired from Telekopye uploads to VirusTotal.

“The toolkit is designed to allow scammers with minimal technical knowledge to engage in fraudulent activities, such as create phishing websites, and sending fraudulent emails and SMS messages. The main targets of this toolkit are online marketplaces popular in Russia, as well as those outside of Russia such as BlaBlaCar, eBay, JOFOGAS and Sbazar. Users dub victims "Mammoths," leading Eset to christen Telekopye customers "Neanderthals." "We discovered the source code of a toolkit that helps scammers so much in their endeavors that they don't need to be particularly well versed in IT, instead they only need a silver tongue to persuade their victims," said Radek Jizba, a security researcher at Eset. Eset has seen multiple versions of the toolkit in circulation, with the latest dating from April. Some versions of Telekopye are capable of storing victim data such as payment card details or email addresses on the compromised system's disk” (DataBreachToday, 2023).

Security Officer Comments:
Threat actors utilizing the tool must initially establish trust with victims by assuming the roles of legitimate entities, subsequently deceiving them into accessing convincing phishing webpages generated from pre-designed Telekopye templates. These webpages are employed to gather sensitive data, such as credit card particulars. The scammers usually distribute links to these deceptive sites via email or SMS.

Although the means by which scammers identify victims remains undisclosed, it has been deduced that the toolkit is deployed only after a certain level of trust has been established with the targets. Once victims divulge their credit card details on the phishing sites, the scammers employ diverse tactics, including using cryptocurrency mixers to obfuscate the stolen funds, ensuring they are not directly transferred to the scammers' personal accounts. Instead, a communal Telekopye account overseen by the administrator is used.

This toolkit gauges each scammer's success by logging contributions to the shared account, essentially serving as a payment mechanism. Scammers are remunerated by the Telekopye administrator, who deducts fees accordingly. The hierarchy among the scammers utilizing Telekopye is structured into different tiers, each with varying privileges and commission rates.

Suggested Correction(s):
Researchers at ESET have published IOC’s associated with the toolkit:
https://www.welivesecurity.com/en/eset-research/telekopye-hunting-mammoths-using-telegram-bot/

Link(s):
https://www.databreachtoday.com/russian-toolkit-aims-to-make-online-scamming-easy-for-anyone-a-22919