Telekopye transitions to targeting tourists via hotel booking scam

ByDr. Mercy Nwankwo October 11, 2024October 11, 2024Write a Comment

Telekopye phishing page mimicking a legitimate booking platform

*Figure 2. Telekopye payment card information phishing form*

After the victim submits their payment card information, the scammers can use it for fraudulent transactions, leading to financial losses for the targeted user. This type of scamming operation has proven to be particularly successful during high-travel seasons, when users are more likely to be making bookings and may be less vigilant due to the excitement of upcoming trips.

As scammers continue to adapt and evolve their tactics, it is essential for users of online platforms to remain vigilant and cautious when interacting with messages, links, or forms requesting sensitive information. By staying informed about the latest scams and taking proactive measures to protect personal data, users can reduce the risk of falling victim to cybercriminal schemes.

Otherwise, insist on receiving payment through secure channels like PayPal or other trusted payment methods.

Accommodation-themed scams

Always double-check the URL of the website you are using to book accommodations. Look for any suspicious or misspelled domains that may indicate a fake website.

Verify the legitimacy of the website by doing a quick search online for reviews or feedback from other users. If there are no reviews or if the website has a bad reputation, proceed with caution.

Before entering any personal or payment information, make sure the website is secure by checking for the padlock symbol in the address bar and ensuring the URL starts with “https://”.

If you receive any unusual requests or demands from the accommodation provider, such as asking for payment outside of the platform or requesting additional personal information, be wary and consider cancelling the booking.

Report any suspicious activity or websites to the platform or authorities to help prevent others from falling victim to similar scams.

By staying vigilant and informed about these common tactics used by Neanderthals, you can protect yourself and others from falling prey to their scams. Remember to always be cautious when dealing with unfamiliar individuals or websites, and don’t hesitate to seek help or report suspicious behavior to prevent further harm.

If you do not wish to utilize the delivery options provided by the buyer, take control of managing them yourself.

Prior to clicking on any links sent by the individual you are conversing with, carefully examine the URL, content, and certificate properties of the website to ensure its legitimacy.

Accommodation booking scams

Always verify that you are on the official website or app of the platform before entering any information related to your booking. Redirecting to an external URL for booking and payment could be a sign of a potential scam.

Contacting accommodation providers directly may not guarantee the legitimacy of payment requests in cases of compromised accounts. If unsure, reach out to the platform’s official customer support (Booking.com, Airbnb) or report security concerns (Booking.com, Airbnb).

For account protection while booking accommodation or renting out, ensure the use of strong passwords and enable two-factor authentication whenever possible.

Conclusion

Our investigation into Telekopye activities has provided us with valuable insights into these scams, including understanding the technical aspects, the business operations of Telekopye groups, and insights into Neanderthals themselves.

We have outlined the various strategies employed by these groups to maximize their financial gains, such as broadening their victim pool, exploiting seasonal opportunities, and enhancing their tools and operations. Particularly, the targeting of accommodation booking platforms by Neanderthals represents a more sophisticated approach.

While platforms targeted by Telekopye are aware of these scams and have implemented countermeasures, users are advised to remain cautious due to the prevalence and continuous evolution of these scams.

For inquiries regarding our research on WeLiveSecurity, please reach out to us at threatintel@eset.com.

ESET Research offers private APT intelligence reports and data feeds. For more information on this service, visit the ESET Threat Intelligence page.

IoCs

Files

SHA-1	Filename	Detection	Description
E815A879F7F30FB492D4043F0F8C67584B869F32	scam.php	PHP/HackTool.Telekopye.B	Telekopye bot.
378699D285325E905375AF33FDEB3276D479A0E2	scam.php	PHP/HackTool.Telekopye.B	Telekopye bot.
242CE4AF01E24DB054077BCE3C86494D0284B781	123.php	PHP/HackTool.Telekopye.A	Telekopye bot.
9D1EE6043A8B6D81C328C3B84C94D7DCB8611262	mell.php	PHP/HackTool.Telekopye.B	Telekopye bot.
B0189F20983A891D0B9BEA2F77B64CC5A15E364B	neddoss.php	PHP/HackTool.Telekopye.A	Telekopye bot.
E39A30AD22C327BBBD2B02D73B1BC8CDD3E999EA	nscode.php	PHP/HackTool.Telekopye.A	Telekopye bot.
285E0573EF667C6FB7AEB1608BA1AF9E2C86B452	tinkoff.php	PHP/HackTool.Telekopye.A	Telekopye bot.

Network

IP	Domain	Hosting provider	First seen	Details
N/A	3-dsecurepay[.]com	Cloudflare, Inc.	2024⁠-⁠05⁠-⁠30	Telekopye phishing domain.
N/A	approveine[.]com	Cloudflare, Inc.	2024⁠-⁠06⁠-⁠28	Telekopye phishing domain.
N/A	audittravelerbookdetails[.]com	Cloudflare, Inc.	2024-06-01	Telekopye phishing domain.
N/A	btsdostavka-uz[.]ru	TIMEWEB-RU	2024-01-02	Telekopye phishing domain.
N/A	burdchoureserdoc[.]com	Cloudflare, Inc.	2024-05-31	Telekopye phishing domain.
N/A	check-629807-id[.]top	Cloudflare, Inc.	2024-05-30	Telekopye phishing domain.
N/A	contact-click2399[.]com	Cloudflare, Inc.	2024-05-26	Telekopye phishing domain.
N/A	contact-click7773[.]com	Cloudflare, Inc.	2024-05-30	Telekopye phishing domain.
N/A	get3ds-safe[.]info	Cloudflare, Inc.	2024-05-31	Telekopye phishing domain.
N/A	hostelguest[.]com	Cloudflare, Inc.	2024-05-30	Telekopye phishing domain.
N/A	order-9362[.]click	Cloudflare, Inc.	2024-05-29	Telekopye phishing domain.
N/A	shiptakes[.]info	Cloudflare, Inc.	2024-05-29	Telekopye phishing domain.
N/A	quickroombook[.]com	Cloudflare, Inc.	2024⁠-⁠06⁠-⁠02	Telekopye phishing domain.
N/A	validation-confi[.]info	Cloudflare, Inc.	2024-05-29	Telekopye phishing domain.

MITRE ATT&CK techniques

This table was created using version 15 of the MITRE ATT&CK framework.

Tactic	ID	Name	Description
Reconnaissance	T1589	Gather Victim Identity Information	Telekopye is utilized to collect payment card details, phone numbers, email addresses, and other personal information.

Resource Development

T1583.001 – Acquire Infrastructure: Domains

Hey there! Telekopye operators are proactive in registering their own domains to support their activities.

T1585 – Establish Accounts

Did you know that Telekopye operators create accounts on online marketplaces as part of their strategy?

T1585.002 – Establish Accounts: Email Accounts

Telekopye operators go a step further by setting up email addresses linked to the domains they own.

T1586.002 – Compromise Accounts: Email Accounts

For added stealthiness, Telekopye operators utilize compromised email accounts in their operations.

T1587.001 – Develop Capabilities: Malware

Telekopye is no ordinary malware, it’s custom-built to serve specific purposes.

T1588.002 – Obtain Capabilities: Tool

Additional bots are employed by Telekopye operators to carry out various tasks like money laundering, market research scraping, and DDoS protection.

Initial Access

T1566.002 – Phishing: Spearphishing Link

Telekopye uses email or SMS messages containing links to phishing websites as a way to gain initial access.

Collection

T1056.003 – Input Capture: Web Portal Capture

Web pages created by Telekopye are designed to capture sensitive information and relay it back to the operators.

Revise the