[ad_1]
We lately printed a blogpost about Telekopye, a Telegram bot that helps cybercriminals rip-off individuals in on-line marketplaces. Telekopye can craft phishing web sites, emails, SMS messages, and extra.
In the primary half, we wrote about technical particulars of Telekopye and hinted at hierarchical construction of its operational teams. In this second half, we concentrate on what we have been in a position to study Neanderthals, the scammers who function Telekopye, their inside onboarding course of, totally different methods of commerce that Neanderthals use, and extra.
Key factors of this blogpost:
- How aspiring Neanderthals be part of Telekopye teams.
- Detailed view of the entire scamming operation from the Neanderthals’ perspective.
- Analysis of the rip-off eventualities and what every Neanderthal has to do so as to achieve success.
- The instruments utilized by senior Neanderthals.
- Insights into methods that Neanderthals use to lure their victims.
- Highlights from an interview with one of many Telekopye directors.
Overview
Recently, we printed an evaluation of Telekopye; on this follow-up blogpost, we concentrate on the Neanderthals’ ways and modus operandi. Our info comes from three primary sources:
- supply code of the bot itself,
- evaluation of Neanderthals’ conversations from scamming teams we’ve infiltrated, and
- our evaluation of Neanderthals’ inside documentation – a group of paperwork, graphs, footage, and extra – that they use as their very own private data base. Such info is offered to newcomers to help them with onboarding.
We would additionally prefer to thank Flare, who helped us in our analysis.
Joining a bunch
Telekopye teams recruit new Neanderthals through ads in many various channels, together with underground boards. These ads clearly state the aim: to rip-off on-line market customers, as seen in Figure 1.
Aspiring Neanderthals are required to fill out an software, answering fundamental questions like the place they realized concerning the group and what expertise they’ve on this line of “work”. If authorized by current group members with sufficiently excessive position, the brand new Neanderthals can begin utilizing Telekopye to its full extent. Furthermore, each Neanderthal is required to affix two channels: a bunch chat the place Neanderthals talk and the place guidelines and manuals are saved, and a separate channel the place transaction logs are saved. The course of is demonstrated in Figure 2.
Types of scams
There are three primary rip-off eventualities:
1. Seller, internally known as 1.0.
2. Buyer, internally known as 2.0.
3. Refund.
Figure 3 is the creation menu for the primary two rip-off eventualities, the place column 1 on the backside represents Seller scams (1.0). The Refund rip-off state of affairs is then tied to every rip-off state of affairs individually. These rip-off sorts are described within the following subsections.
Seller rip-off
In this state of affairs, Neanderthals pose as sellers and attempt to lure unsuspecting Mammoths into shopping for some non-existent merchandise. When a Mammoth exhibits curiosity within the merchandise, the Neanderthal persuades the Mammoth to pay on-line slightly than in particular person. If the Mammoth agrees, the Neanderthal gives a hyperlink to a phishing web site offered by Telekopye and punctiliously crafted to resemble the cost web page of the legit on-line market itemizing the reputed merchandise. Unlike the legit internet web page although, this web page asks for an internet banking login, bank card particulars (typically together with steadiness), or different delicate info. If the Mammoth enters this knowledge, the phishing web site mechanically steals it. Interestingly, this knowledge doesn’t turn out to be out there to the Neanderthal providing the merchandise on the market, however is processed by different Neanderthals. Figure 4 exhibits the Telekopye menu with already created phishing hyperlinks and Figure 5 demonstrates the communication throughout this rip-off state of affairs.
Buyer rip-off
In this state of affairs, Neanderthals pose as patrons they usually analysis a Mammoth to focus on. They present curiosity within the merchandise a Mammoth is promoting and declare they already paid through the offering platform. The Neanderthals proceed to ship the Mammoths e mail or SMS messages (created through Telekopye) with a hyperlink to a rigorously crafted phishing web site (additionally created through Telekopye; see Figure 6), claiming the Mammoth must click on this hyperlink so as to obtain their cash from the platform. The remainder of the state of affairs is similar to the Seller rip-off with slight variations throughout dialog (depicted in Figure 7).
Refund rip-off
In this state of affairs, Neanderthals create a scenario the place the Mammoth is anticipating a refund after which sends them a phishing e mail with a hyperlink to the phishing web site, as soon as extra serving the identical objective. Neanderthals both ship such emails to Mammoths they didn’t contact earlier, relying on them getting grasping and attempting to get this “refund” or they mix it with the Seller rip-off state of affairs – when Mammoths complain that they didn’t obtain their items, Neanderthals ship them refund phishing emails in an try to rip-off them for a second time.
Modus operandi
Now that we’ve described the totally different rip-off eventualities, let’s have a look at what data the Neanderthals have gathered all through the years of their operation. Their inside documentation consists of pictures, graphs, quick guides, and even complicated paperwork – the desk of contents of 1 such doc is illustrated in Figure 8.
We additionally found that there are two sorts of Neanderthals. The first variety writes to each potential Mammoth and the opposite one is way pickier in relation to on the lookout for a possible Mammoth. There is a little bit of rivalry between them because the extra cautious variety argues that the “reckless” conduct of the much less cautious scammers may convey a bit extra revenue, but it surely creates way more public consciousness.
Preparation
Preparing for a rip-off differs primarily based on the chosen state of affairs. For the Seller rip-off state of affairs, Neanderthals are suggested to organize further images of the merchandise to be prepared if Mammoths ask for extra particulars. If Neanderthals are utilizing footage they downloaded on-line, they’re purported to edit them to make picture search harder.
For the Buyer rip-off state of affairs, the important thing a part of a Neanderthal’s preparation is how they select the Mammoth. Over the years, Neanderthals have created pointers to comply with when selecting their targets – they take into account gender, age, expertise in on-line marketplaces, score, opinions, variety of accomplished trades, and plenty of extra indicators.
Market analysis
In virtually each group of Neanderthals, we are able to discover references to manuals with on-line market analysis from which Neanderthals draw their methods and conclusions. The supply of this analysis is often a research from 2017 by Avito and Data Insight company. Figure 9 illustrates the outcomes of 1 such analysis, depicting graphs of gender, age, expertise, and earnings distribution on a selected on-line market.
During the Buyer rip-off state of affairs, Neanderthals select their targets primarily based on the kind of objects they’re promoting. For occasion, some teams keep away from electronics utterly. On the opposite hand, cell gadgets are a valued class for different teams. The value of the merchandise can also be vital – if too excessive, then Neanderthals won’t goal such Mammoths, as they consider that the Mammoths’ vigilance might be a lot increased by default. Manuals advocate that Neanderthals, within the Buyer rip-off state of affairs, decide objects with a value between 1,000 to 30,000 rubles (€9.50 to €290 as of 20th October, 2023).
The location of the Mammoth can also be vital. Neanderthals focus extra on richer cities the place they anticipate extra listings and other people not retaining such an in depth eye on their very own funds.
Finally, the scammers take the day of the month into consideration too. They purpose at days proper after individuals obtain their paychecks, as they naturally anticipate they will have more cash of their financial institution accounts.
Web scraping
Neanderthals make the most of internet scrapers to shortly go although many on-line market listings and decide an ideal Mammoth who will fall for the rip-off; that is, as we’ve already written, an important preliminary a part of the Buyer rip-off state of affairs.
We aren’t conscious of customized internet scrapers applied by Neanderthals, however their documentation mentions a number of supplied as legit companies. Neanderthals scrape the focused market for listings, particulars of things, and consumer info, which ends up in a CSV or XML file. Neanderthals then use the outcomes to shortly discover the fitting targets. We present an instance of such a file in Figure 10.
User scores and expertise are of specific curiosity to Neanderthals, as they use this info to keep away from targets that they deem prone to spot the rip-off.
Avoiding in-person supply
For security causes, many Mammoths desire each in-person cost and in-person supply for bought items. That poses a problem for Neanderthals as they should persuade Mammoths to agree to make use of a supply service and on-line cost, in order that they will direct them to the phishing web site. Usually, they declare they’re too distant or that they’re leaving town for a enterprise journey for a number of days. At the identical time, they attempt to look very within the merchandise to extend the possibilities that the Mammoth will conform to their suggestion.
Phishing internet web page hyperlink supply
Many legit on-line marketplaces have an built-in chat characteristic and, alongside, moderation in place. Sending somebody a hyperlink by means of such a chat is often a crimson flag and should very properly end in a ban. Neanderthals attempt to overcome this impediment by persuading Mammoths to proceed their dialog on a special chat platform that has much less monitoring.
Their arguments are similar to these in opposition to in-person supply. They declare that they should depart their dwelling and can’t entry the chat from their cell phone, however are in a position to proceed their speak on one of many chat apps.
By their very own statistics, Neanderthals declare that about 50% of Mammoths will conform to a platform change and 20% of these will fall for the rip-off. This ends in a ten% success fee total.
Another favored methodology of supply is utilizing e mail or SMS. Telekopye is ready to shortly generate convincing phishing messages. Neanderthals use methods (a few of them illustrated in Figure 11) to study Mammoths’ e mail addresses or telephone numbers so as to ship them such messages. The benefit of this strategy is that asking for a telephone quantity or e mail tackle will probably not set off any crimson flags for neither Mammoth nor chatting platform and the Neanderthal doesn’t want to steer the Mammoth to switch to a special chat platform.
Communication
No AI is utilized by Telekopye. This could also be stunning, however Neanderthals consider that their strategy is superior and fewer prone to be noticed by monitoring mechanisms. As a consequence, the huge portion of their inside documentation is concentrated on communication strategies to attain the very best outcomes.
Earning the Mammoth’s belief is essential to the success of a rip-off. Neanderthals typically deliberately don’t instantly reply to each message however wait (typically even a number of hours) to create the phantasm that they’re busy with common on a regular basis life. Speaking of time: they attempt to adapt to the Mammoth’s time zone so as to not elevate suspicion.
They typically interact in chitchat first; they could even share a pretend private story. The entire objective is to search for crimson flags – indicators that may inform the Neanderthal that the Mammoth is just too suspicious or skilled. Since Neanderthals are targeted on revenue, they don’t need to spend time on Mammoths who find yourself recognizing the entice.
Another nice instance is that when Neanderthals make the most of the Buyer rip-off state of affairs, they guarantee Mammoths that they’ve already paid for the merchandise. This, mixed with the design of the phishing e mail that guarantees fast cash retrieval, ends in Mammoths being much less vigilant.
Experienced Neanderthals present newcomers with full conversations to take inspiration in; one such instance is offered in Figure 12.
Neanderthals solely tolerate a sure stage of resistance from Mammoths – in the event that they deem the rip-off isn’t prone to succeed, they transfer to a special goal. However, in the event that they really feel like they’ve virtually gained, they’re very persuasive. An ideal instance is their documented strategy to conditions the place they efficiently harvest the Mammoth’s delicate knowledge, however both the financial institution blocks the transaction or there are inadequate funds. In that case, Neanderthals could go so far as asking the Mammoth to make use of a member of the family’s card and even name their financial institution and authorize the switch themselves.
Neanderthals are able to reply many surprising questions concerning the legitimacy of their requests (see Figure 13).
Translation
As this operation targets Mammoths internationally, Neanderthals have to create the phantasm that they converse the Mammoth’s language properly sufficient. It is sort of widespread to come across Russian-speaking Neanderthals who can write in English. Interestingly, we have been in a position to cross-reference the Telegram nicknames of many Neanderthals with language-learning platform profiles. These accounts often acknowledged that the proprietor speaks Russian and English. Obviously, the connection could be coincidental.
For a few years Neanderthals used Google Translate. Since no less than 2021, Neanderthals moved in the direction of different translators, resembling DeepL, as (of their opinion) it understands context higher.
Besides utilizing translators, they’ve created many translation tables through the years, with verified translations of widespread phrases into a number of languages. These translations are mostly from Russian to European languages (see Figure 14). Neanderthals simply copy and paste these translated sentences into the chat with the Mammoth.
Group particular options
We must also point out that totally different teams have totally different quality-of-life enhancements to Telekopye. For instance, when producing a phishing hyperlink (a consequence will be seen in Figure 15), Neanderthals from considered one of these teams are requested a number of questions that allow them to have sure diploma of customization of every phishing web site. The most fascinating is the query about handbook/automated phishing website era. In the case of handbook era, the Neanderthal should specify all info wanted to create the phishing web site. For Neanderthals posing as patrons, this takes from 10 to fifteen questions (Figure 16).
In the case of automated web page era, the Neanderthal solely must specify the URL of the merchandise to “buy” and to reply 5 questions (like what the customer’s identify and telephone quantity are). Telekopye then scrapes all info from the web site and creates the phishing web site.
Anonymity and evasion
Neanderthals consider their teams are stuffed with “rats” (for instance, regulation enforcement or researchers). So, they religiously keep on with the principles, primarily no probing for info that would determine different members of the group. Breaking such guidelines could very properly end in being banned. The golden rule is “work more talk less”. In addition, they’re inspired to make use of VPNs, proxies, and TOR to remain secure. Neanderthals present newcomers with intensive guides and even interact in heated discussions over what applications or companies to make use of and why, together with browser preferences. Some Neanderthals even make the most of Orbot, a TOR variant for Android.
Money
Neanderthals want to cover not solely their identities and site, but additionally their cash. Naturally, cryptocurrencies are the reply to that. We weren’t ready to attract any conclusions concerning cryptocurrency desire.
Finally, Neanderthals desire companies for which they will register utilizing solely a cell phone quantity. They take into account this the very best strategy, since it’s comparatively straightforward to purchase a SIM card whereas not disclosing their id.
Bypassing automated detection
Online market scams are nothing new. Over the years, the platforms offering these companies have applied various strategies to counter scammers and enhance their clients’ safety. The Neanderthals are conscious of this and proceed to experiment with totally different approaches to beat the platforms’ moderation insurance policies. One early and slightly silly try was to make the most of Google Forms to phish private info from Mammoths (as seen in Figure 17). Considering the knowledge they focused, the objective was to acquire a method to speak by means of a special channel – e mail or SMS – the place strict moderation wouldn’t happen.
Nowadays, virtually all Neanderthals attempt to switch their Mammoths to much less policed, legit chat platforms. Neanderthals select them as a result of they consider banning accounts there takes time. Additionally, sending numerous hyperlinks over chat platforms is widespread apply slightly than suspicious conduct. As a bonus, virtually everyone is aware of such functions, so Neanderthals don’t have to clarify how they work.
Despite contemplating these platforms a lot safer, Neanderthals tread rigorously nonetheless. They keep away from sending too many messages in a brief time frame and attempt to personalize messages for various Mammoths – Telekopye aids them enormously on this effort.
Exploring new territories: Real property rip-off
Some of the Neanderthals’ teams point out a special type of rip-off state of affairs – one which targets actual property renters. The rip-off works as follows. During the preparation stage, Neanderthals write to a legit proprietor of an residence, pretending to have an interest and ask for numerous particulars, resembling further footage and how much neighbors the residence has. The Neanderthals then take all this info and create their very own itemizing on one other web site, providing the residence for lease. They lower the anticipated market value by about 20%. The remainder of the state of affairs is an identical to Seller rip-off state of affairs – the Neanderthal waits for a Mammoth to point out curiosity, and directs the Mammoth to pay a reservation price through a hyperlink that, after all, really factors to a phishing web site.
Thanks to ESET’s telemetry we discovered that the phishing web sites used on this rip-off state of affairs are suspiciously much like those Telekopye creates for the Buyer and Seller eventualities. This, mixed with the rip-off being marketed by Telekopye teams, leads us to consider that there’s a connection. However, we neither infiltrated any group specializing on this state of affairs nor obtained a Telekopye variant designed for it.
Interview
When crawling by means of totally different manuals, teams, and extra supplies, we discovered an interview with a Telekopye administrator that was completed on the finish of 2020. This helped us get a novel perception into the thoughts of a high-ranked Neanderthal. The interviewed Telekopye administrator operated a Telekopye group specializing in instructing new Neanderthals.
The administrator is at one level requested how he sees the way forward for this line of “work”. To that, he responds that “Online marketplace scams will always be present. It is much harder [to scam] than it used to be thanks to banning policies on different sites. But it is just not possible to stop all phishing on these sites”. He additionally says that he doesn’t rip-off anymore. He simply acquired uninterested in it and now works solely as administrator/tutor and that’s why his group is so distinctive. “I don’t fear Mammoths. Every other Mammoth will threaten you when they realize they’ve been scammed. Apparently, everyone these days is a wife or a friend of a minister of internal affairs”, says the administrator.
When requested whether or not he is considering creating a brand new rip-off mission, he says that he doesn’t have time for that. He moderates two channels, has an energetic life-style, does a number of coaching, and he has solely 4 hours a day at dwelling.
He additionally confesses that he’s absolutely conscious that this sort of a job isn’t sincere however finds a typical excuse for himself. “… some people will constantly pay for links, and someone will constantly throw them. Whoever tries hard in life will succeed.”. On high of that he says that if he feels sorry for Mammoth, he asks himself: “Why am I scamming them in the first place? Well… I only steal from the rich (research note: Mammoths that probably have at least €200 in their account) and if my conscience were that fragile, I would go work as a delivery man”.
Conclusion
In this second installment devoted to Telekopye, we’ve targeted on what we realized about Neanderthals. Thanks to accessing each their inside communication and their data base, we’ve offered not solely descriptions of various rip-off eventualities, however primarily a novel perception into their modus operandi and mindset.
We have demonstrated how the admission course of for newcomers appears to be like like and the way Telekopye aids Neanderthals of their each day work. In addition, we’ve proven that they in all probability are experimenting with actual property scams as properly.
Online market scams are probably not going away. As we demonstrated in the primary installment, we have been in a position to uncover dozens of teams working Telekopye. That stated, by having our distinctive perception into the scammers’ operation, we consider so much will be realized so as to shield customers of such platforms from hurt.
IoCs and a MITRE ATT&CK strategies desk have been offered within the first a part of this evaluation, and are unchanged, so please check with that article for these.
For any inquiries about our analysis printed on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research provides non-public APT intelligence stories and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.