Telekopye transitions to targeting tourists via hotel booking scam

Figure: Telekopye phishing page mimicking a legitimate booking platform

Figure 2. Telekopye payment card information phishing form

After the victim submits their payment card information, the scammers can use it for fraudulent transactions, leading to financial losses for the targeted user. This type of scamming operation has proven to be particularly successful during high-travel seasons, when users are more likely to be making bookings and may be less vigilant due to the excitement of upcoming trips.

As scammers continue to adapt and evolve their tactics, it is essential for users of online platforms to remain vigilant and cautious when interacting with messages, links, or forms requesting sensitive information. By staying informed about the latest scams and taking proactive measures to protect personal data, users can reduce the risk of falling victim to cybercriminal schemes.

Otherwise, insist on receiving payment through secure channels like PayPal or other trusted payment methods.

Accommodation-themed scams

  • Always double-check the URL of the website you are using to book accommodations. Look for any suspicious or misspelled domains that may indicate a fake website.
  • Verify the legitimacy of the website by doing a quick search online for reviews or feedback from other users. If there are no reviews or if the website has a bad reputation, proceed with caution.
  • Before entering any personal or payment information, make sure the website is secure by checking for the padlock symbol in the address bar and ensuring the URL starts with “https://”.
  • If you receive any unusual requests or demands from the accommodation provider, such as asking for payment outside of the platform or requesting additional personal information, be wary and consider cancelling the booking.
  • Report any suspicious activity or websites to the platform or authorities to help prevent others from falling victim to similar scams.

By staying vigilant and informed about these common tactics used by Neanderthals, you can protect yourself and others from falling prey to their scams. Remember to always be cautious when dealing with unfamiliar individuals or websites, and don’t hesitate to seek help or report suspicious behavior to prevent further harm.

  • If you do not wish to utilize the delivery options provided by the buyer, take control of managing them yourself.
  • Prior to clicking on any links sent by the individual you are conversing with, carefully examine the URL, content, and certificate properties of the website to ensure its legitimacy.

Accommodation booking scams

  • Always verify that you are on the official website or app of the platform before entering any information related to your booking. Redirecting to an external URL for booking and payment could be a sign of a potential scam.
  • Contacting accommodation providers directly may not guarantee the legitimacy of payment requests in cases of compromised accounts. If unsure, reach out to the platform’s official customer support (Booking.com, Airbnb) or report security concerns (Booking.com, Airbnb).
  • For account protection while booking accommodation or renting out, ensure the use of strong passwords and enable two-factor authentication whenever possible.
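The URL checks recommended in the lists above can be turned into a simple defender-side triage routine. The example below is added here and is not part of the ESET article; the allowlist, keyword list and sample links are constructed for illustration, and the registrable-domain logic is a deliberate simplification (last two labels only).

```python
from urllib.parse import urlsplit

# Constructed allowlist for this example: registrable domains the platforms
# you actually use. Extend it for your own case; it is not an ESET artifact.
OFFICIAL_DOMAINS = {"booking.com", "airbnb.com"}
# Words scammers like to embed in lookalike hosts to borrow trust.
BRAND_WORDS = ("booking", "airbnb", "secure", "3ds", "verify", "payment")


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for .com/.info-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_booking_link(url: str) -> dict:
    """Grade a link received in a chat, email or SMS about a booking.

    Flags: plain http, credentials in the URL (real host hidden after '@'),
    punycode host (possible homoglyph), and a host whose registrable domain
    is not an official platform but carries brand or payment keywords.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username or parts.password:
        reasons.append("credentials in URL: real host is " + host)
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible homoglyph domain)")
    domain = registrable_domain(host)
    official = domain in OFFICIAL_DOMAINS
    if not official:
        reasons.append("domain %r is not an official platform domain" % domain)
        hits = [w for w in BRAND_WORDS if w in host.replace("-", "")]
        if hits:
            reasons.append("lookalike keywords in host: " + ", ".join(hits))
    return {"host": host, "official": official,
            "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links; none is a real indicator.
    for sample in ("https://www.booking.com/hotel/example.html",
                   "http://booking-com.guest-verify.example/pay",
                   "https://www.booking.com@pay-check.invalid/3ds"):
        verdict = assess_booking_link(sample)
        print(sample, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok",
              "; ".join(verdict["reasons"]))
```

A production version should use a public-suffix list for the registrable domain and the platform's documented host list rather than the two-entry allowlist used here.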

Conclusion

Our investigation into Telekopye activities has provided us with valuable insights into these scams, including an understanding of the technical aspects, the business operations of Telekopye groups, and insights into the Neanderthals themselves.

We have outlined the various strategies employed by these groups to maximize their financial gains, such as broadening their victim pool, exploiting seasonal opportunities, and enhancing their tools and operations. In particular, the targeting of accommodation booking platforms by Neanderthals represents a more sophisticated approach.

While the platforms targeted by Telekopye are aware of these scams and have implemented countermeasures, users are advised to remain cautious due to the prevalence and continuous evolution of these scams.

For inquiries regarding our research on WeLiveSecurity, please reach out to us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For more information on this service, visit the ESET Threat Intelligence page.

IoCs

Files


Network


MITRE ATT&CK techniques

This table was created using version 15 of the MITRE ATT&CK framework.

Tactic  ID  Name  Description
Reconnaissance  T1589  Gather Victim Identity Information  Telekopye is used to collect payment card details, phone numbers, email addresses, and other personal information.
Resource Development  T1583.001  Acquire Infrastructure: Domains  Telekopye operators register their own domains to support their activities.
Resource Development  T1585  Establish Accounts  Telekopye operators create accounts on online marketplaces.
Resource Development  T1585.002  Establish Accounts: Email Accounts  Telekopye operators set up email addresses linked to the domains they own.
Resource Development  T1586.002  Compromise Accounts: Email Accounts  Telekopye operators use compromised email accounts in their operations.
Resource Development  T1587.001  Develop Capabilities: Malware  Telekopye is custom-built malware serving the operators' specific purposes.
Resource Development  T1588.002  Obtain Capabilities: Tool  Telekopye operators employ additional bots for tasks such as money laundering, market research scraping, and DDoS protection.
Initial Access  T1566.002  Phishing: Spearphishing Link  Telekopye uses email or SMS messages containing links to phishing websites to gain initial access.
Collection  T1056.003  Input Capture: Web Portal Capture  Web pages created by Telekopye capture sensitive information and relay it back to the operators.
