ESET reveals network activities that targeted Booking and Airbnb

ESET researchers discovered that the organized fraud network Telekopye has expanded its operations to target users of popular booking platforms such as Booking.com and Airbnb.

The network has also increased the sophistication of victim selection and imitation of booking websites, making phishing pages even more credible than those used to date.

Telekopye is a set of tools that works like a Telegram bot, transforming online market scams into organized illicit businesses. It is used by dozens of fraudulent groups with up to thousands of members to steal millions of euros from their victims. ESET presented the latest findings on Telekopye at the Virus Bulletin 2024 conference.

On the Telekopye scam network, members refer to targeted buyers and sellers as Mammoths. The scammers, called Neanderthals by ESET researchers, require little or no technical knowledge – Telekopye takes care of everything in a matter of seconds. According to ESET telemetry, booking fraud began to gain momentum in 2024.

Accommodation-related fraud saw a sharp increase in July, surpassing Telekopye's online marketplace scams for the first time, with more than double the number of detections. In August and September, the two categories remained at similar levels.

The growing popularity of online marketplaces has attracted cybercriminals who prey on unsuspecting buyers and sellers, seeking to obtain credit card details rather than bargains. As this rise in booking fraud coincides with the summer holiday season in the targeted regions – a prime time to take advantage of people booking staycations – it remains to be seen whether this trend continues.

Based on data from 2024, these new scams have accumulated approximately half the detection numbers of online marketplace variants. The new scams mainly focus on two platforms – Booking.com and Airbnb – compared to the wide range of online marketplaces targeted by Telekopye.

In this new fraud scenario, scammers send an email to a targeted user of one of these platforms, claiming a problem with their reservation payment. The email contains a link to a well-crafted and legitimate-looking web page that mimics the platform used. The page contains pre-populated information about a reservation, such as check-in and check-out dates, price and location – and the information provided on the fraudulent pages matches the actual reservations made by the targeted users.

Scammers achieve this through the use of compromised hotel and accommodation accounts on the platforms, which they likely obtain by purchasing stolen credentials on cybercriminal forums. Through their access to these accounts, scammers select users who have recently booked a stay and have not yet paid, or have paid a lot recently, and target them.

“This approach makes fraud much more difficult to detect, since the information provided is personally relevant to victims and the sites look as expected. The only visible signs that something is wrong are the website URLs, which do not match the legitimate and imitated websites,” says Radek Jizba, the ESET researcher who discovered and analyzed Telekopye.

In addition to diversifying their target portfolio, Neanderthals also tried to improve their tools and operations to increase their profits.

“Before filling out any form related to your reservation, always make sure you have not left the official website or app of the platform in question. Being directed to an external URL to proceed with booking and payment is a strong indicator of fraud,” advises Jizba.
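The URL mismatch described above can be checked automatically at a mail gateway or in a triage script. The following Python sketch is an added example, not ESET's tooling: it flags links that use a platform's name while pointing at a host outside that platform's official domain. The allowlist, function names and sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: allowlist of official registrable domains; extend it with the
# regional domains each platform actually uses before relying on it.
OFFICIAL = {"booking": ("booking.com",), "airbnb": ("airbnb.com",)}
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def is_official(host, domains):
    """True only for the domain itself or a real subdomain (dot boundary)."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_link(url):
    """Classify one URL as official, impersonation, review or external."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return ("review", "unparseable URL")
    for brand, domains in OFFICIAL.items():
        if is_official(host, domains):
            return ("official", brand)
    # Brand text anywhere in the URL (userinfo, subdomain label, path)
    # while the real host is somewhere else: the mismatch the page describes.
    for brand in OFFICIAL:
        if brand in url.lower():
            return ("impersonation", brand)
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("review", "punycode host")
    return ("external", host)


def scan_email(body):
    """Return (url, verdict, detail) for every link that is not official."""
    findings = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?")
        verdict, detail = check_link(url)
        if verdict != "official":
            findings.append((url, verdict, detail))
    return findings


# Constructed sample message; the non-official hosts use the reserved .example TLD.
SAMPLE = """There is a problem with your reservation payment.
Manage it at https://secure.booking.com/myreservations or confirm here:
https://booking.com.reservation-id48213.example/pay
https://booking.com@pay-confirm.example/checkout
"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE):
        print(finding)
```

The dot-boundary comparison is what keeps a host that merely begins or ends with the brand string from passing as official.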

In late 2023, after ESET published its two-part series on Telekopye, Czech and Ukrainian police arrested dozens of cybercriminals using Telekopye, including key actors, in two joint operations. Both operations targeted an unspecified number of Telekopye groups, which have accumulated at least €5 million since 2021, based on police estimates.

Source: pplware.sapo.pt