Malicious Telegram Bot Telekopye: Large-Scale Phishing

admin | 2023-11-27 13:05:18 | 78 views | 4,530 characters | 15 min 6 s read

More details have emerged about a malicious Telegram bot called Telekopye that's used by threat actors to pull off large-scale phishing scams.

"Telekopye can craft phishing websites, emails, SMS messages, and more," ESET security researcher Radek Jizba said in a new analysis.

The threat actors behind the operation, codenamed Neanderthals, run the criminal enterprise like a legitimate company, with a hierarchical structure in which different members take on various roles.

Once aspiring Neanderthals are recruited via advertisements on underground forums, they are invited to join designated Telegram channels that are used for communicating with other Neanderthals and keeping track of transaction logs.

The ultimate goal of the operation is to pull off one of three types of scam: seller, buyer, or refund.

In a seller scam, Neanderthals pose as sellers and lure unwary Mammoths (the victims) into paying for a non-existent item. Buyer scams entail the Neanderthals masquerading as buyers so as to dupe the Mammoths (here, the merchants) into entering their financial details and parting with their funds.

Other scenarios fall into the category of refund scams, wherein Neanderthals trick the Mammoths a second time under the pretext of offering a refund, only to charge the same amount of money again.

Singapore-headquartered cybersecurity firm Group-IB previously told The Hacker News that the activity tracked as Telekopye is the same as Classiscam, a scam-as-a-service program that has netted its operators $64.5 million in illicit profits since its emergence in 2019.

"For the Seller scam scenario, Neanderthals are advised to prepare additional photos of the item to be ready if Mammoths ask for additional details," Jizba noted. "If Neanderthals are using pictures they downloaded online, they are supposed to edit them to make image search more difficult."

Choosing a Mammoth for a buyer scam is a deliberate process that takes into account the victim's gender, age, experience in online marketplaces, rating, reviews, number of completed trades, and the type of items they are selling, indicating a preparatory stage that involves extensive market research.

Neanderthals also use web scrapers to sift through online marketplace listings and pick an ideal Mammoth who is likely to fall for the bogus scheme.

Should a Mammoth prefer in-person payment and in-person delivery for sold goods, the Neanderthals claim "they are too far away or that they are leaving the city for a business trip for a few days," while simultaneously showing heightened interest in the item to increase the likelihood that the scam succeeds.

Neanderthals have also been observed using VPNs, proxies, and Tor to stay anonymous. They are also exploring real estate scams, in which they create bogus websites with apartment listings and entice Mammoths into paying a reservation fee by clicking a link that leads to a phishing website.

"Neanderthals write to a legitimate owner of an apartment, pretending to be interested and ask for various details, such as additional pictures and what kind of neighbors the apartment has," Jizba said.

"The Neanderthals then take all this information and create their own listing on another website, offering the apartment for rent. They cut the expected market price by about 20%. The rest of the scenario is identical to the Seller scam scenario."

The disclosure comes as Check Point detailed a rug pull scam that managed to pilfer nearly $1 million by luring unsuspecting victims into investing in fake tokens and executing simulated trades to create a veneer of legitimacy.

"Once the token had sufficiently lured in investors, the scammer executed the final move – withdrawal of liquidity from the token pool, leaving token purchasers with empty hands and depleted funds," the company said.

Originally published by the WeChat public account 知机安全: Malicious Telegram Bot Telekopye: Large-Scale Phishing

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (use a corporate or otherwise valid mailbox to avoid the message being filtered; contact details are on the home page).
Published by admin. When reposting, please keep the link to this article (CN-SEC 中文网; thanks to the original author for their work): https://cn-sec.com/archives/2243176.html