The misuse of iOS TestFlight and WebClips in combination with social engineering and fake websites drives many of the victims to ruin.

Sophos has published a new report, “CryptoRom Swindlers Continue to Target Vulnerable iPhone/Android Users”, about the internationally widespread cryptocurrency scam CryptoRom. This scam targets iPhone and Android users through popular dating apps such as Bumble and Tinder. As the report shows, victims' accounts were frozen as soon as they attempted to withdraw their investments from the fake platform. In addition, they were sometimes charged hundreds of thousands of euros in so-called “taxes” in order to regain access.

The dating scam

In one case, a victim was charged $625,000 (just under €570,000) to regain access to the $1 million he had invested in a fake crypto trading model. The victim was recommended this “investment” by a person he met on an online dating platform. The dating contact then claimed to have invested some of his own money to increase the joint share to $4 million. The fraudsters then said that the investment made a profit of $3.13 million and that a profit tax of 20 percent ($625,000) was payable. This tax is necessary in order to be able to access the account again and withdraw the money. In reality, neither the co-investment nor the profits were real, and the online “friend” was part of the scam.

“It is extremely worrying that people continue to fall for these criminal schemes, especially as the use of offshore transactions and unregulated cryptocurrency markets means that victims have no legal protection for the funds they invest,” said Jagadeesh Chandraiah, security expert at SophosLabs. “This is a problem that is here to stay. We need traceability of cryptocurrency transactions, more aggressive warning of users about these scams, and rapid detection and removal of the fake profiles that enable these scams.”

This type of cyber fraud, known as “sha zhu pan” – literally pork platter – is well organized and uses a combination of social engineering and fraudulent financial applications and websites. Victims are ensnared so that their savings can be stolen. Initially, these scams were focused on the Asian region, but since October 2021 Sophos has registered a global spread.

Misuse of Apple iOS TestFlight and iOS WebClips

The Sophos report highlights some of the fake mobile apps and websites, as well as the social engineering techniques the malware operators use to bypass Apple iOS App Store security reviews and distribute the malware.

Previously, Sophos had determined that CryptoRom's fraudulent applications for iOS devices abused Apple's "Super Signature" distribution scheme and Apple's enterprise application delivery scheme. The experts are now also observing that Apple TestFlight is increasingly being used for criminal activities.

TestFlight is used for limited beta testing of applications before they are deployed to the App Store. Distribution by e-mail invitation does not require an App Store security review, while TestFlight apps distributed via public web links require an initial App Store code review. “Unfortunately, 'TestFlight Signature', like other Apple-supported app distribution systems, is available as a hosted service for alternative iOS app delivery. This makes misuse easy for malware authors – even with CryptoRom,” says Chandraiah.

Many iPhone users Sophos spoke to who encountered the fraudulent apps were tricked into using another method to bypass the App Store: they were given URLs that serve iOS WebClips. WebClips are mobile device management (MDM) configuration payloads that place a link to a web page directly on the home screen of the iOS device, where it looks like a typical application to less sophisticated users. When examining one of the CryptoRom URLs, Sophos found related IPs that hosted app-store-like pages, but with different names and icons. The “apps” included one that mimicked the popular Robinhood application as “RobinHand”; its logo is similar to that of Robinhood.
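From a defender's side, a WebClip profile is just a signed or unsigned property list, so the characteristics described above (a home-screen icon that is really a web link, a label imitating a known brand, a full-screen view that hides the browser address bar, a profile the user cannot remove) can be checked mechanically before a profile is trusted. The following Python script is an added illustration and is not code from Sophos or from the report; the configuration profiles, the brand watch list and the similarity threshold are constructed for this example. The `com.apple.webClip.managed` payload type and the `Label`, `URL`, `FullScreen` and `IsRemovable` keys are the documented WebClip keys; everything else is an assumption.

```python
import plistlib
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed WebClip configuration profile modelled on the behaviour described
# in the text (brand look-alike label, full screen, not removable). The URL is
# a reserved .invalid name, not a real CryptoRom host.
LOOKALIKE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.constructed.profile</string>
  <key>PayloadDisplayName</key><string>RobinHand</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.constructed.webclip</string>
      <key>Label</key><string>RobinHand</string>
      <key>URL</key><string>https://trading-portal.example.invalid/app</string>
      <key>FullScreen</key><true/>
      <key>IsRemovable</key><false/>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign profile: an ordinary, removable intranet shortcut.
BENIGN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.constructed.benign</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.webClip.managed</string>
      <key>PayloadIdentifier</key><string>com.example.constructed.intranet</string>
      <key>Label</key><string>Intranet</string>
      <key>URL</key><string>https://intranet.example.invalid/</string>
      <key>FullScreen</key><false/>
      <key>IsRemovable</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Assumed watch list of brand names the analyst cares about (constructed).
WATCHED_BRANDS = ["robinhood"]
# Assumed similarity threshold for "looks like a watched brand".
LOOKALIKE_THRESHOLD = 0.7


def lookalike_brand(label: str):
    """Return the watched brand the label resembles, or None."""
    norm = label.lower().replace(" ", "")
    for brand in WATCHED_BRANDS:
        if SequenceMatcher(None, norm, brand).ratio() >= LOOKALIKE_THRESHOLD:
            return brand
    return None


def analyze_profile(profile_bytes: bytes) -> list:
    """Parse a .mobileconfig plist and report every WebClip payload with its risk flags."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue
        label = payload.get("Label", "")
        url = payload.get("URL", "")
        flags = []
        if payload.get("FullScreen", False):
            flags.append("full_screen")        # hides the address bar: user cannot see the real URL
        if not payload.get("IsRemovable", True):
            flags.append("not_removable")      # user cannot delete the "app" from the home screen
        brand = lookalike_brand(label)
        if brand is not None:
            flags.append("lookalike_label")    # label imitates a watched brand
        findings.append({
            "label": label,
            "url": url,
            "host": urlparse(url).hostname,
            "lookalike_of": brand,
            "flags": flags,
        })
    return findings


if __name__ == "__main__":
    for name, data in (("lookalike", LOOKALIKE_PROFILE), ("benign", BENIGN_PROFILE)):
        for finding in analyze_profile(data):
            print(name, finding)
```

Every flag is a signal for an analyst, not a verdict: a legitimate enterprise may well ship a non-removable, full-screen WebClip, so the point of the script is to surface the combination of an unfamiliar host with a brand-like label and a hidden address bar for review, and to do so from the profile file rather than from the icon a user sees.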

Tricky approach

The cyber gangsters use various methods to build a relationship with their targets without ever meeting them in person. Dating websites and dating applications, as well as other social networking platforms, are used extensively to find new victims. In some cases, seemingly random WhatsApp messages were also initiated in which the scammers offered recipients investment and trading tips, including links to CryptoRom websites. Often these messages contained promises of large financial gains. It is likely that criminals obtain their targets' contact information either through their own social media accounts or through compromised websites.

CryptoRom scams thrive by combining social engineering, cryptocurrency and fake applications. The criminals are well organized and skilled at identifying and exploiting victims based on their situation, interests and technical skills.

More details on these scams can be found in the new Sophos report by Jagadeesh Chandraiah, security expert at SophosLabs.


Notes:
1) This content reflects the current state of affairs at the time of publication. The reproduction of individual images, screenshots, embeds or video sequences serves to discuss the topic.
2) Individual contributions were created through the use of machine assistance and were carefully checked by the Mimikama editorial team before publication.