ESET researchers have discovered that the Telekopye organized network of fraudsters has expanded its operations to target users of popular booking platforms.
Telekopye is a set of tools that works like a Telegram bot. ESET, s.r.o., is a software company specializing in cybersecurity.
The network has also increased the sophistication of the selection of victims and the imitation of booking websites, making phishing pages even more credible than those used so far. Telekopye is a set of tools that works like a Telegram bot, turning online marketplace scams into organized illicit businesses.
It is used by dozens of fraudulent groups with up to thousands of members to steal millions of euros from their victims. ESET presented its latest findings on Telekopye at the Virus Bulletin 2024 conference. In the Telekopye scam network, members refer to the targeted buyers and sellers as Mammoths. The fraudsters, called Neanderthals by ESET researchers, require little or no technical knowledge – Telekopye takes care of everything in a matter of seconds.
According to ESET’s telemetry, booking fraud began to gain momentum in 2024. Accommodation fraud saw a sharp increase in July, overtaking Telekopye’s online marketplace scams for the first time, with more than double the number of detections. In August and September, the two categories remained at similar levels.
The growing popularity of online marketplaces has attracted cyber criminals who take advantage of unsuspecting buyers and sellers, looking to obtain credit card details rather than bargains. Since this increase in booking fraud coincides with the summer vacation season in the targeted regions – a prime time to take advantage of people booking stays – it remains to be seen whether this trend will continue.
Based on data from 2024, these new scams have accumulated approximately half the detection numbers of the online marketplace variants. The new scams focus mainly on two platforms – Booking.com and Airbnb – compared to the wide variety of online marketplaces targeted by Telekopye.
In this new scam scenario, fraudsters send an email to a target user of one of these platforms, claiming a problem with the payment of their booking. The email contains a link to a well-designed, legitimate-looking web page that mimics the platform used. The page contains pre-filled information about a booking, such as check-in and check-out dates, price and location – and the information provided on the fraudulent pages matches the actual bookings made by the targeted users.
The fraudsters achieve this by using compromised accounts of legitimate hotels and accommodation on the platforms, which they probably obtain by buying stolen credentials on cybercriminal forums. Through their access to these accounts, the fraudsters select users who have recently booked a stay and have not yet paid, or have paid very recently, and target them. This approach makes fraud much more difficult to detect, since the information provided is personally relevant to the victims and the websites look as expected. The only visible signs that something is wrong are the URLs of the websites, which don’t match the legitimate, impersonated sites.
Radek Jizba, ESET researcher who discovered and analyzed Telekopye.
As well as diversifying their target portfolio, the Neanderthals also tried to improve their tools and operations to increase their earnings. “Before filling in any form related to your booking, always make sure you haven’t left the official website or app of the platform in question.
Being directed to an external URL to proceed with the booking and payment is a strong indicator of fraud,” advises Jizba. At the end of 2023, after ESET published its two-part series on Telekopye, Czech and Ukrainian police arrested dozens of cybercriminals using Telekopye, including key players, in two joint operations. Both operations targeted an unspecified number of Telekopye groups, which had accumulated at least 5 million euros since 2021, based on police estimates.
Airbnb’s future, where people pay their rent via Airbnb