Vendor releases new revelations about scam toolkit designed to help cybercriminals defraud people on online marketplaces
ESET, a global European leader in the cybersecurity market, has discovered that the organized Telekopye scammer network has expanded its activities and is now targeting users of popular hotel and accommodation booking platforms. The scammers have refined how they select and target victims on these platforms, with phishing pages even more credible than those used on classic online marketplaces. Telekopye is a toolkit that operates as a Telegram bot, turning marketplace scams into an organized illicit business. It is used by dozens of scammer groups, numbering up to thousands of members, to steal millions of euros from victims. ESET Research presented the latest findings on Telekopye at the Virus Bulletin 2024 conference.
In the Telekopye scammer network, victims are called “Mammoths” by the scammers. The scammers, whom ESET researchers call “Neanderthals,” do not need any special technical knowledge – Telekopye handles everything in seconds. According to ESET telemetry, booking scams started to gain traction in 2024. Scams targeting the hotel and accommodation booking market saw a sharp increase in July, when for the first time they surpassed the marketplace scams carried out with Telekopye up until then, with more than double the detections. In August and September, the two categories remained at similar levels.
The growing popularity of online marketplaces has attracted cybercriminals, who target unsuspecting buyers and sellers for credit card information. Since the increase in these scams was detected during the summer season in the targeted regions (i.e., the ideal time to take advantage of people booking accommodation), it remains to be seen whether this trend will persist. Based on 2024 data, these new scams garnered approximately half as many detections as those on marketplaces, and they focus primarily on the two most popular global platforms, in contrast to the broad range of online marketplaces previously targeted by Telekopye.
In this new scenario, scammers send an email to the target user of one of these platforms, stating that there is a problem with the payment for the booking. The email contains a link to a well-constructed fraudulent web page, which imitates the compromised platform. The page contains pre-populated booking information, such as check-in and check-out dates, price and location – and the information provided on the fraudulent pages matches real bookings made by users.
"The fraudsters achieve this by using compromised accounts of legitimate hotels and landlords on the platforms, probably obtained by purchasing stolen credentials on criminal forums. Thanks to access to these accounts, the fraudsters select users who have recently booked a stay and have not yet paid - or who have recently paid - and attack them," explains Radek Jizba, a researcher at ESET who discovered and analyzed Telekopye. "This approach makes the scam much harder to spot, as the information provided is personally relevant to the victims and the websites appear as you would expect. The only visible signs of an anomaly are the URLs, which do not correspond to the platforms' official domains," he adds.
In addition to diversifying their goals, Neanderthals sought to improve tools and intensify activities to increase earnings.
"Before filling out any forms relating to your booking, you should always ensure that you have not left the official website or app of the platform in question. Being redirected to an external URL to proceed with the booking and payment is a strong indicator of a scam," advises Jizba.
In late 2023, after ESET Research published a two-part series on Telekopye, Czech and Ukrainian police, in two joint operations, arrested dozens of cybercriminals using Telekopye, including the main perpetrators. Both operations were targeted against an unspecified number of Telekopye groups, which had amassed at least 5 million euros since 2021, according to police estimates.
For a more detailed analysis of Telekopye's latest activities, please see the latest whitepaper from ESET Research, “Marketplace scams: Neanderthals hunting Mammoths with Telekopye”, on WeLiveSecurity.com. Follow ESET Research on Twitter (now known as X) for the latest news from ESET Research.






