ESET Research has uncovered a new wave of scams targeting users of Booking.com and Airbnb, orchestrated by cybercriminals leveraging the Telekopye toolkit.
Originally used to scam buyers and sellers on online marketplaces, Telekopye has now expanded into the travel sector, exploiting compromised accounts of legitimate accommodation providers. Tourists who recently booked hotels or apartments are being tricked into handing over their payment card details through fake booking payment pages.
Telekopye evolution
Telekopye is a sophisticated scam toolkit first identified by ESET in 2023, though it has been in use since at least 2016. It operates as a Telegram-based bot that automates phishing campaigns for cybercriminals, often referred to as “Neanderthals” in the scam network's internal language.
Originally focused on platforms like eBay, OLX, and Vinted, Telekopye enables scammers to pose as sellers or buyers, directing victims to fraudulent payment pages that capture sensitive information. However, in 2024, these operations expanded into the hospitality sector, with fraudsters exploiting Booking.com and Airbnb to prey on unsuspecting tourists.
Targeting Booking and Airbnb
In the latest scam, cybercriminals access compromised hotel or property manager accounts on these platforms, often using credentials purchased from underground forums. Once they gain access, the scammers contact users who have made recent bookings, typically via in-platform chat or email, claiming there is an issue with the payment. They direct the user to a fake webpage that closely resembles the official Booking.com or Airbnb site, complete with accurate booking details like check-in dates, prices, and locations. The fake site then requests payment card information, which is harvested by the scammers and used to steal money from the victim's account.
ESET’s telemetry shows a notable increase in these accommodation-focused scams during the summer of 2024, coinciding with peak travel times. In July, the volume of these scams surpassed Telekopye’s original marketplace frauds for the first time, with the trend continuing through August and September. This is a significant shift, considering Telekopye's history of targeting a broad range of online services, including more than 90 marketplaces across Europe and North America.
While the marketplace scams often involved creating fake product listings or posing as buyers to lure victims into entering payment information on phishing sites, the accommodation booking scams take a more personalized approach. By using compromised hotel or host accounts, the scammers are able to reach victims through official communication channels, making the scam harder to detect. The fraudulent webpages are almost identical to the legitimate ones, with the only giveaway being the URL, which may not match the official domain.
Telekopye’s success lies in its ability to automate the scamming process, providing cybercriminals with an easy-to-use interface that allows even those with minimal technical skills to execute complex phishing attacks. Through its Telegram bot, scammers can quickly generate fake emails, web pages, and messages to defraud victims. This makes Telekopye highly scalable and adaptable, as seen in its expansion into the travel industry.
A persistent threat
Despite recent efforts by law enforcement, including the arrest of several Telekopye scammers in 2023, the toolkit continues to be widely used. According to ESET, Telekopye scam groups operate like organized businesses, with roles ranging from administrators to “workers” who perform the scams. These groups often recruit people in difficult financial situations, offering them “easy money” for participating in fraudulent schemes. The groups operate with clear structures, commission-based payouts, and even mentorship programs for new recruits.
To defend against these scams, ESET recommends that users of Booking.com, Airbnb, and other online platforms take several precautions:
- Always check the URL of any website where payment information is entered to ensure it matches the official domain.
- Avoid interacting with emails or messages that direct you to external sites for payments. Legitimate payment requests will typically come through the platform's secure payment system.
- Enable two-factor authentication on your accounts for added security.
- If contacted about an issue with a booking payment, reach out directly to Booking.com or Airbnb customer support through official channels, rather than responding to suspicious messages.
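The URL check from the first recommendation, written out as an added example (not code from ESET or the original article). It shows why a link can contain an official name and still lead elsewhere. The `OFFICIAL_DOMAINS` allowlist, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: registrable domains treated as official for this example.
OFFICIAL_DOMAINS = {"booking.com", "airbnb.com"}
# Brand tokens derived from the allowlist, used only to label lookalikes.
BRANDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def connect_host(url):
    """Host the browser would contact (userinfo and port removed), or None."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:              # malformed host, e.g. a broken bracketed address
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None                 # a payment page must be served over HTTPS
    return parts.hostname.rstrip(".").lower()

def verdict(url):
    """Classify a link as official, lookalike, external or rejected."""
    host = connect_host(url)
    if host is None:
        return "unparseable-or-not-https"
    # Exact match or a true subdomain; "secure-booking.com" must not pass.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Heuristic: a brand name inside a non-official host is a lookalike.
    if any(b in host for b in BRANDS):
        return "lookalike"
    return "external"

def suspicious_links(message):
    """Return (url, verdict) for every link that is not on an official domain."""
    urls = (u.rstrip(".,;:)!?") for u in URL_RE.findall(message))
    return [(u, verdict(u)) for u in urls if verdict(u) != "official"]

# Constructed sample message; .example hosts are reserved placeholders.
SAMPLE = (
    "Dear guest, your card could not be verified. Confirm within 12 hours at "
    "https://booking.com.guest-verify.example/pay?res=1234 or your stay is "
    "cancelled. Help: https://www.booking.com/help."
)

if __name__ == "__main__":
    for link, why in suspicious_links(SAMPLE):
        print(f"{why}: {link}")
```

The comparison is made on the parsed hostname, not on the visible text of the link, so an official name placed in a subdomain prefix, in the userinfo part before `@`, or after a hyphen does not pass.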