Telekopye phishing page mimicking a legitimate booking platform
After the victim submits their payment card information, the scammers can use it for fraudulent transactions, leading to financial losses for the targeted user. This type of scamming operation has proven to be particularly successful during high-travel seasons, when users are more likely to be making bookings and may be less vigilant due to the excitement of upcoming trips.
As scammers continue to adapt and evolve their tactics, it is essential for users of online platforms to remain vigilant and cautious when interacting with messages, links, or forms requesting sensitive information. By staying informed about the latest scams and taking proactive measures to protect personal data, users can reduce the risk of falling victim to cybercriminal schemes.
Otherwise, insist on receiving payment through secure channels like PayPal or other trusted payment methods.
Accommodation-themed scams
Always double-check the URL of the website you are using to book accommodations. Look for any suspicious or misspelled domains that may indicate a fake website.
Verify the legitimacy of the website by doing a quick search online for reviews or feedback from other users. If there are no reviews or if the website has a bad reputation, proceed with caution.
Before entering any personal or payment information, check that the URL starts with "https://" and that the browser shows a padlock. Treat this as a minimum, not as proof of legitimacy: the padlock only means the connection is encrypted, phishing sites obtain certificates as easily as anyone else, and the Telekopye phishing domains listed in the IoCs below are fronted by Cloudflare like countless legitimate sites. What matters is the domain name itself, not the padlock next to it.
If you receive any unusual requests or demands from the accommodation provider, such as asking for payment outside of the platform or requesting additional personal information, be wary and consider cancelling the booking.
Report any suspicious activity or websites to the platform or authorities to help prevent others from falling victim to similar scams.
By staying vigilant and informed about these common tactics used by Neanderthals, you can protect yourself and others from falling prey to their scams. Remember to always be cautious when dealing with unfamiliar individuals or websites, and don’t hesitate to seek help or report suspicious behavior to prevent further harm.
If you do not want to use the delivery option the buyer proposes, arrange the delivery yourself so that you, not the buyer, control which courier and which tracking link are used.
Before clicking any link sent by the person you are talking to, examine the URL (the full domain, not just the part that carries the brand name), the page content, and the certificate properties of the site to confirm it belongs to the platform you expect.
Accommodation booking scams
Always verify that you are on the official website or app of the platform before entering any information related to your booking. Redirecting to an external URL for booking and payment could be a sign of a potential scam.
Contacting the accommodation provider directly does not guarantee that a payment request is legitimate, because the provider's own platform account may be the one that was compromised. If unsure, reach out to the platform's official customer support (Booking.com, Airbnb) or report security concerns (Booking.com, Airbnb).
For account protection while booking accommodation or renting out, ensure the use of strong passwords and enable two-factor authentication whenever possible.
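The tips above come down to one check a user, a mail gateway or a browser extension can automate: is the link really on the platform's own registrable domain, over HTTPS, and free of the usual lookalike tricks (brand name as a subdomain of a foreign domain, punycode labels)? The following is an added example, not ESET's or any platform's code. The allowlist of official domains, the brand strings, the tiny suffix table standing in for the public suffix list and the sample URLs are all assumptions made for illustration; quickroombook[.]com is refanged from the IoC list further down, the other non-official hosts are constructed.

```python
"""Classify a booking link as official, lookalike or external.

Added example (not ESET's or any platform's code). OFFICIAL_DOMAINS,
BRANDS, MULTI_LABEL_SUFFIXES and the sample URLs are assumptions.
"""
from urllib.parse import urlparse

# Assumed allowlist: the registrable domains a booking flow should stay on.
# Real platforms use many more (country TLDs, app hosts); extend as needed.
OFFICIAL_DOMAINS = {"booking.com", "airbnb.com"}
# Brand strings whose presence in a NON-official hostname is the classic bait.
BRANDS = ("booking", "airbnb")
# Tiny stand-in for the public suffix list; enough for the sample URLs.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname: 'www.booking.com' -> 'booking.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_booking_url(url: str) -> dict:
    """Return verdict ('official', 'lookalike', 'external') plus reasons.

    The reasons are the things a user should be shown: wrong scheme,
    punycode label, brand name sitting on a domain the platform does not own.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []

    if parsed.scheme != "https":
        reasons.append("not https")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode label (possible homograph)")

    base = registrable_domain(host)
    if base in OFFICIAL_DOMAINS:
        verdict = "official"
    elif any(brand in host for brand in BRANDS):
        # e.g. booking.com.confirm-id.example: the brand is only a subdomain
        # (or a fragment) of a registrable domain the platform does not own.
        verdict = "lookalike"
        reasons.append(f"brand name in non-platform host {host} ({base})")
    else:
        verdict = "external"
        reasons.append(f"{base} is not a platform domain")

    return {"url": url, "host": host, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links (quickroombook.com refanged from the IoC list).
    for link in (
        "https://www.booking.com/myreservations.html",
        "https://booking.com.confirm-id.example/reservation/8812",
        "http://quickroombook.com/pay",
        "https://xn--bkng-5qa.example/",
    ):
        result = check_booking_url(link)
        print(f"{result['verdict']:9} {link}  {'; '.join(result['reasons'])}")
```

The important design point is that the comparison is made on the registrable domain, never on "does the hostname contain booking.com": the second sample URL contains the brand twice and still lands on a domain the platform does not control, which is exactly the case the tips above warn about.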
Conclusion
Our investigation into Telekopye activities has provided us with valuable insights into these scams, including understanding the technical aspects, the business operations of Telekopye groups, and insights into Neanderthals themselves.
We have outlined the strategies these groups use to maximize their financial gains: broadening their victim pool, exploiting seasonal opportunities, and improving their tools and operations. In particular, the targeting of accommodation booking platforms represents a more sophisticated approach, since it builds on compromised provider accounts and on victims who are already expecting to pay.
While platforms targeted by Telekopye are aware of these scams and have implemented countermeasures, users are advised to remain cautious due to the prevalence and continuous evolution of these scams.
For inquiries regarding our research on WeLiveSecurity, please reach out to us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For more information on this service, visit the ESET Threat Intelligence page.
IoCs
Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| E815A879F7F30FB492D4043F0F8C67584B869F32 | scam.php | PHP/HackTool.Telekopye.B | Telekopye bot. |
| 378699D285325E905375AF33FDEB3276D479A0E2 | scam.php | PHP/HackTool.Telekopye.B | Telekopye bot. |
| 242CE4AF01E24DB054077BCE3C86494D0284B781 | 123.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
| 9D1EE6043A8B6D81C328C3B84C94D7DCB8611262 | mell.php | PHP/HackTool.Telekopye.B | Telekopye bot. |
| B0189F20983A891D0B9BEA2F77B64CC5A15E364B | neddoss.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
| E39A30AD22C327BBBD2B02D73B1BC8CDD3E999EA | nscode.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
| 285E0573EF667C6FB7AEB1608BA1AF9E2C86B452 | tinkoff.php | PHP/HackTool.Telekopye.A | Telekopye bot. |
Network

| IP | Domain | Hosting provider | First seen | Details |
|---|---|---|---|---|
| N/A | 3-dsecurepay[.]com | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | approveine[.]com | Cloudflare, Inc. | 2024-06-28 | Telekopye phishing domain. |
| N/A | audittravelerbookdetails[.]com | Cloudflare, Inc. | 2024-06-01 | Telekopye phishing domain. |
| N/A | btsdostavka-uz[.]ru | TIMEWEB-RU | 2024-01-02 | Telekopye phishing domain. |
| N/A | burdchoureserdoc[.]com | Cloudflare, Inc. | 2024-05-31 | Telekopye phishing domain. |
| N/A | check-629807-id[.]top | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | contact-click2399[.]com | Cloudflare, Inc. | 2024-05-26 | Telekopye phishing domain. |
| N/A | contact-click7773[.]com | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | get3ds-safe[.]info | Cloudflare, Inc. | 2024-05-31 | Telekopye phishing domain. |
| N/A | hostelguest[.]com | Cloudflare, Inc. | 2024-05-30 | Telekopye phishing domain. |
| N/A | order-9362[.]click | Cloudflare, Inc. | 2024-05-29 | Telekopye phishing domain. |
| N/A | shiptakes[.]info | Cloudflare, Inc. | 2024-05-29 | Telekopye phishing domain. |
| N/A | quickroombook[.]com | Cloudflare, Inc. | 2024-06-02 | Telekopye phishing domain. |
| N/A | validation-confi[.]info | Cloudflare, Inc. | 2024-05-29 | Telekopye phishing domain. |
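To put the IoCs above to work, a defender needs two small routines: refang the domains and match them (and their subdomains) against proxy or DNS logs, and compare file hashes under a web root against the listed SHA-1s. The following is an added example, not ESET's code. The hashes and domains are copied from the tables above (domains refanged); the log lines, the sample file and the temporary web root are constructed for the example, and the hostname regex is a deliberately crude extractor for free-form log text.

```python
"""Match the Telekopye IoCs above against log lines and a web root.

Added example, not ESET's code. IoC values are copied from the tables
above; SAMPLE_LOG and the files written by demo_webroot_scan() are
constructed for illustration.
"""
import hashlib
import os
import re
import tempfile

TELEKOPYE_SHA1 = {h.lower() for h in (
    "E815A879F7F30FB492D4043F0F8C67584B869F32",
    "378699D285325E905375AF33FDEB3276D479A0E2",
    "242CE4AF01E24DB054077BCE3C86494D0284B781",
    "9D1EE6043A8B6D81C328C3B84C94D7DCB8611262",
    "B0189F20983A891D0B9BEA2F77B64CC5A15E364B",
    "E39A30AD22C327BBBD2B02D73B1BC8CDD3E999EA",
    "285E0573EF667C6FB7AEB1608BA1AF9E2C86B452",
)}

DEFANGED_DOMAINS = (
    "3-dsecurepay[.]com", "approveine[.]com", "audittravelerbookdetails[.]com",
    "btsdostavka-uz[.]ru", "burdchoureserdoc[.]com", "check-629807-id[.]top",
    "contact-click2399[.]com", "contact-click7773[.]com", "get3ds-safe[.]info",
    "hostelguest[.]com", "order-9362[.]click", "shiptakes[.]info",
    "quickroombook[.]com", "validation-confi[.]info",
)


def refang(domain: str) -> str:
    """Turn the defanged report form back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def is_ioc_host(host: str) -> bool:
    """True for an IoC domain or any subdomain of one (pay.quickroombook.com)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Crude hostname extractor for free-form log text (skips dotted IPs because
# the last label must be alphabetic); adequate for proxy-style lines.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def scan_log(text: str) -> list:
    """Return (line_number, host) for every IoC hostname found in the log."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for host in HOST_RE.findall(line):
            if is_ioc_host(host):
                hits.append((number, host.lower()))
    return hits


def sha1_of(path: str) -> str:
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_webroot(root: str, known: set = TELEKOPYE_SHA1) -> list:
    """Return (path, sha1) for every file under root whose SHA-1 is in known."""
    hits = []
    for directory, _, files in os.walk(root):
        for name in files:
            path = os.path.join(directory, name)
            digest = sha1_of(path)
            if digest in known:
                hits.append((path, digest))
    return hits


def demo_webroot_scan() -> tuple:
    """Constructed web root with one benign file: a miss against the real
    list, then a hit when that file's own hash is used as the known set."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "index.php")
        with open(benign, "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
        real_hits = scan_webroot(root)
        fake_hits = scan_webroot(root, known={sha1_of(benign)})
        return len(real_hits), [os.path.basename(p) for p, _ in fake_hits]


# Constructed proxy log: requests 2 and 4 touch IoC domains.
SAMPLE_LOG = """\
2024-06-03T10:14:02Z 10.0.0.12 GET https://www.booking.com/myreservations 200
2024-06-03T10:15:41Z 10.0.0.12 GET https://pay.quickroombook.com/confirm?id=8812 200
2024-06-03T10:16:05Z 10.0.0.33 GET https://cdn.example.net/app.js 304
2024-06-03T10:17:22Z 10.0.0.12 POST https://3-dsecurepay.com/card 302
"""

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print(demo_webroot_scan())
```

Subdomain matching is deliberate: phishing kits routinely serve from hosts like pay.<domain> or secure.<domain>, so an exact-match lookup would miss them, while the `"." + d` suffix check still rejects unrelated domains that merely end in the same string.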
MITRE ATT&CK techniques
This table was created using version 15 of the MITRE ATT&CK framework.