“Telekopye Shifts Focus to Tourist Targeting Through Hotel Booking Scam”

ESET Research documents Telekopye, a Telegram-based scam toolkit that automates phishing campaigns against online marketplaces and, more recently, accommodation booking platforms like Booking.com and Airbnb. The toolkit uses compromised accommodation provider accounts, autogenerated phishing pages, and payment-form capture to harvest card details and other credentials. #Telekopye #Bookingcom

Keypoints

  • Telekopye is a Telegram bot toolkit that automates phishing campaigns and supports dozens of scam groups.
  • In 2024 actors expanded targeting to Booking.com and Airbnb by abusing compromised accommodation provider accounts.
  • Scammers generate legitimate-looking, prefilled booking pages that lead victims to payment forms capturing card data.
  • Groups use automated web scraping to populate phishing pages, chatbots for live interaction and translation, and Cloudflare for hosting/protection.
  • Telekopye operators register phishing domains and deploy PHP-based bot files (e.g., scam.php, 123.php) to serve pages and exfiltrate data.
  • Additional bot tooling is used for money laundering, market scraping, and DDoS protection against rivals.

MITRE Techniques

  • [T1589] Gather Victim Identity Information – Used to collect payment card details, phone numbers and emails via phishing web pages. [‘Telekopye is used to gather payment card details, phone numbers, email addresses, etc. via phishing web pages.’]
  • [T1583.001] Acquire Infrastructure: Domains – Operators register and use phishing domains to host fraudulent booking/payment pages. [‘Telekopye operators register their own domains.’]
  • [T1585] Establish Accounts – Scammers create accounts on online marketplaces and booking platforms to support scams. [‘Telekopye operators establish accounts at online marketplaces.’]
  • [T1585.002] Establish Accounts: Email Accounts – Email addresses are created tied to attacker-controlled domains for communications and phishing. [‘Telekopye operators set up email addresses associated with the domains they register.’]
  • [T1586.002] Compromise Accounts: Email Accounts – Actors use compromised legitimate accounts (hotels/providers) to increase scam credibility. [‘Telekopye operators use compromised email accounts to increase their stealthiness.’]
  • [T1587.001] Develop Capabilities: Malware – Telekopye includes custom PHP-based tools/bots used to serve phishing pages and steal data. [‘Telekopye is custom malware.’]
  • [T1588.002] Obtain Capabilities: Tool – Additional bots are used for laundering, scraping market data, and providing DDoS protection. [‘Telekopye operators use additional bots to launder money, scrape market research, and implement DDoS protection.’]
  • [T1566.002] Phishing: Spearphishing Link – Victims receive targeted messages (in-platform chat, email, SMS) containing links to phishing websites. [‘Telekopye sends email or SMS messages that contain links to phishing websites.’]
  • [T1056.003] Input Capture: Web Portal Capture – Fake booking/payment web portals capture entered payment and credential data and report it to operators. [‘Web pages created by Telekopye capture sensitive information and report it to the operators.’]

Indicators of Compromise

  • [Files] Telekopye bot PHP files – E815A879F7F30FB492D4043F0F8C67584B869F32 (scam.php), 378699D285325E905375AF33FDEB3276D479A0E2 (scam.php), and 5 more hashes
  • [Domains] Phishing domains used to host fake booking/payment pages – 3-dsecurepay[.]com, quickroombook[.]com, and 11 other domains

Telekopye operates as a Telegram bot that streamlines creation and deployment of phishing campaigns: operators or low-skilled affiliates use the bot UI to generate phishing emails, SMS, web pages, and live-chat interfaces. Campaigns targeting accommodation platforms leverage compromised hotel/provider accounts to locate recent or unpaid bookings; attackers then initiate in-platform messages (or trigger expected emails/SMS) containing links to attacker-controlled domains. The hosted pages are prefilled with real booking details scraped from the compromised accounts or via automated web scrapers, increasing plausibility and conversion.

Technical workflow: attackers register phishing domains and deploy PHP-based Telekopye files (examples: scam.php, 123.php) to serve cloned booking pages and payment forms. Victims who follow links encounter a chatbot and translated canned responses that guide them through a payment flow; submitted card data and credentials are captured by the portal (web portal input capture) and sent back to operators. Operators augment campaigns with ancillary bots for laundering, competitive DDoS protection, and automated scraping to speed page creation and targeting.

Defensive-relevant artifacts include the listed PHP file hashes and multiple Cloudflare-hosted phishing domains that mirror Booking.com/Airbnb pages (URLs differ from legitimate sites). Telemetry showed a campaign surge in mid-2024 (July) aligned with peak booking season, indicating opportunistic targeting and rapid deployment capability via the Telekopye toolkit.
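As an added example (not part of the ESET write-up or the Telekopye toolkit), the following Python refangs the two phishing domains listed above and scans constructed proxy-log lines for hits, flagging both exact IoC matches and hosts that carry a "booking"/"airbnb" brand string but are not the platforms' real registered domains. The log format and all sample URLs are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# IoCs copied from the page above, still in defanged form.
IOC_DOMAINS_DEFANGED = ["3-dsecurepay[.]com", "quickroombook[.]com"]
# Legitimate registrable domains the cloned pages imitate.
LEGIT_BRANDS = {"booking": "booking.com", "airbnb": "airbnb.com"}

def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'x[.]com' into 'x.com'."""
    return domain.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

def registered_domain(host: str) -> str:
    """Last two labels of a host; adequate for the .com IoCs on this page."""
    return ".".join(host.lower().split(".")[-2:])

def classify_url(url: str):
    """'ioc' for a known Telekopye domain, 'lookalike' for a host carrying a
    brand name outside the brand's own registered domain, None otherwise."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg in IOC_DOMAINS:
        return "ioc"
    for brand, legit in LEGIT_BRANDS.items():
        if brand in host and reg != legit:
            return "lookalike"
    return None

def scan_proxy_log(lines):
    """Return [(url, verdict)] for every log line whose URL is flagged."""
    hits = []
    for line in lines:
        m = re.search(r"https?://\S+", line)
        if m and (verdict := classify_url(m.group(0))):
            hits.append((m.group(0), verdict))
    return hits

# Constructed sample proxy log lines (assumed format, not real telemetry).
SAMPLE_LOG = [
    "2024-07-12T10:01:02Z u1 GET https://www.booking.com/hotel/abc 200",
    "2024-07-12T10:03:15Z u1 GET https://quickroombook.com/pay?id=1 200",
    "2024-07-12T10:04:40Z u2 GET https://booking-secure.example.net/x 200",
    "2024-07-12T10:05:00Z u3 GET https://3-dsecurepay.com/123.php 200",
]
```

The lookalike heuristic is intentionally simple; in production, pair it with the full published domain list and a proper public-suffix library.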

Read more: https://www.welivesecurity.com/en/eset-research/telekopye-hits-new-hunting-ground-hotel-booking-scams/