
ESET researchers have uncovered a significant evolution in the operations of the Telekopye cybercriminal network, which has expanded its targeting from online marketplaces to major accommodation booking platforms like Booking.com and Airbnb. The group, which uses a Telegram-based toolkit to automate scams, has adapted its tactics to exploit the summer travel season, with detections of accommodation-themed scams surpassing marketplace fraud for the first time in July 2024.
Key Takeaways for Security Leaders
The Telekopye operation has shifted focus to exploit travelers during peak booking seasons. Scammers now compromise legitimate hotel accounts on Booking.com and Airbnb to send highly convincing phishing messages that include prefilled booking details matching victims’ real reservations. ESET’s telemetry shows that accommodation scam detections were double those of marketplace fraud during summer 2024, with dozens of scam groups operating with business-like hierarchies and automated tools. The global impact spans Europe and North America, with Russian origins suspected.
Technical Analysis of the Telekopye Operation
The toolkit operates as a Telegram bot that serves as a turnkey solution for marketplace fraud, now extended to accommodation platforms. Discovered by ESET Research in 2023 but active since at least 2016, the toolkit requires minimal technical knowledge to operate and automates phishing page generation with scraped booking details. The system provides translated chatbot responses for international victims and even includes DDoS protection against rival groups.
Accommodation Booking Attack Chain
The attack begins with actors gaining access to legitimate hotel accounts through purchased credentials or phishing attacks against accommodation providers. Scammers then identify recent bookings with pending payments or newly completed transactions to target. Messages are sent through platform channels (email/SMS) containing accurate booking references and links to cloned payment pages that harvest victims’ financial information.
Detection Metrics and Trends
ESET telemetry reveals significant trends in 2024, with accommodation scams spiking during peak travel periods. In July, accommodation scam detections reached 200+ cases, doubling the baseline of 100 marketplace fraud detections. The August and September data shows continued elevated activity, though with slightly reduced volume compared to the summer peak.
Security Recommendations
For platform users, security teams recommend verifying that payment URLs match official domains exactly and contacting providers through verified channels before submitting sensitive data. Accommodation providers should implement stringent access controls for booking management systems and monitor for suspicious account activity. Security professionals should focus detection efforts on Cloudflare-fronted phishing infrastructure and emulate the attack chain during red team exercises.
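The "match official domains exactly" check above can be automated in a mail or chat filter. The following is an added example, not code from ESET's report or from either platform; the allowlist, the function name and the sample links are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist for illustration; build the real one from each platform's documentation.
OFFICIAL_DOMAINS = frozenset({"booking.com", "airbnb.com"})

def check_payment_url(url, official=OFFICIAL_DOMAINS):
    """Return (ok, reason) for a link received in a booking-related message."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before the host"
    if port not in (None, 443):
        return False, "non-standard port"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host (possible homoglyph)"
    # Backslashes and other stray characters are parsed differently by browsers.
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host):
        return False, "malformed host"
    for domain in sorted(official):
        # Match on a label boundary: the domain itself or a true subdomain of it.
        if host == domain or host.endswith("." + domain):
            return True, "host belongs to " + domain
    return False, "host is not an official domain"

# Constructed sample links; the non-official hosts use reserved .example names.
SAMPLES = [
    "https://secure.booking.com/pay?id=1",
    "https://booking.com.confirm-4821.example/pay",
    "https://booking.com@pay.example/confirm",
    "https://pay.example\\.booking.com/confirm",
    "https://notbooking.com/pay",
    "http://www.airbnb.com/pay",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(check_payment_url(link), link)
```

A passing result only means the host is on the allowlist; a message sent from a compromised hotel account can still carry a link that fails this check while looking legitimate in every other respect, which is why the check runs on the link and not on the sender.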
Conclusion
The expansion of Telekopye operations demonstrates cybercriminals’ ability to adapt tools to high-value seasonal opportunities. While platforms have implemented countermeasures, the scam’s effectiveness relies on abusing legitimate business communication channels. Continued collaboration between security researchers, platforms, and law enforcement remains essential to combat these evolving threats.
References
- Jakub Souček and Radek Jizba (10 Oct 2024). “Telekopye transitions to targeting tourists via hotel booking scam”. WeLiveSecurity.
- “Telekopye Scammers Target Booking.com and Airbnb Users”. InfoSecurity Magazine.
- Eric Vanderburg (11 Oct 2024). Twitter discussion on Telekopye tactics.
- LevelBlue – Open Threat Exchange analysis.