NEW DELHI: As part of a wide ranging global scam, hackers are now targeting dating apps like Tinder, Grindr, Facebook Dating and Bumble to social-engineer victims into installing fake cryptocurrency apps on iPhone and Android. Interpol has also issued a notice to its 194 member countries outlining the specific modus operandi of how these scamsters operate on dating applications.
Researchers at cybersecurity firm Sophos Labs have unearthed that victims have been defrauded of at least $1.4 million by this crypto romance ( CryptoRom). In most cases, the scamsters have asked victims to transfer money by buying cryptocurrency through the Binance app and then to a fake trading application. This is done to avoid the tracing of funds to its destination and recuperation .
These fraudulent applications are aimed at exploiting the increased interest in trading apps, driven by the recent rise in the value of cryptocurrencies and interest in low-cost trading driven by stories like that of GameStock.
How does this work?
Under the CryptoRom scam, hackers target vulnerable people—particularly those who are looking for potential romantic partners through fake profiles on dating apps and social media platforms.
The victims are first contacted through their dating app account. After the scammer gains their trust, they coax the victim to move the conversation to messaging services like Whatsapp. They avoid requests for face-to-face meetings, citing the pandemic. Once the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support. They move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait. After this, they will be told to buy various financial products or asked to invest in a big, high profit investment opportunity.
The hacker even lends some money into the fake app to build trust and make the victim believe they’re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account and the hacker removes all their money from the account.
Since these fake applications impersonate well-known apps from all over the world, the fraud is that more believable. “As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.One day, however, all contact stops and victims are locked out of the account. They’re left confused, hurt, and worried that they’ll never see their money again,” warned Interpol.
In some cases, the victims are lured to websites designed to look like those belonging to legitimate companies. “These websites forwarded victims to third-party sites that delivered iOS mobile applications via configuration management schemes, iOS mobile device management payloads carrying “Web Clips”, or Android apps depending on the device used,” said the researchers.
How much money have people lost?
One such victim lost $87000, while another lost $45000 to a scammer who contacted them through Facebook, and another lost $25000 after being scammed by someone who contacted through Grindr. In the latter case, the victim made an initial deposit, transferred money to a Binance app from their bank and then to crooks; they were then asked to deposit more funds in order to withdraw their money. None of these victims have gotten their money back. In another instance, a victim had sent over $1.39 million dollars to the fake bitcoin site.
They also gain access to your phone:
Apart from stealing money, the attackers also gain access to victims’ iPhones, where the cybercriminals leverage “Enterprise Signature,” which is a system for software developers to pre-test new iOS applications with selected iPhone users before they are submitted to the official Apple App Store for review and approval.
With the Enterprise Signature system, attackers get access to larger groups of iPhone users with their fake crypto-trading apps and gain remote management control over their devices. So apart from stealing money from victims, they also get to collect personal data and install malicious apps.
“When an iOS device user visits one of the sites used by these scams, a new profile gets downloaded to their device. Instead of a normal ad hoc profile, it is an MDM provisioning profile signed with an Enterprise certificate that is downloaded. The user is asked to trust the profile and, after they do that, the crooks can manage their device depending on the profile contents,” writes Jagadeesh Chandraiah, a senior threat researcher at Sophos.
Where are these victims located?
The Sophos team found that most of the scam’s victims are iPhone users based in the United States, Asia and Europe.
When Sophos had first released its report in May, they had discovered that most of the victims were only in Asia and its perpetrators used Apple’s ad-hoc Super Signature distribution scheme to target iOS device users.
“As we expanded our search based on user-provided data and additional threat hunting, we also witnessed malicious apps tied to these scams on iOS leveraging configuration profiles that abuse Apple’s Enterprise Signature distribution scheme to target victims…Until recently, the criminal operators mainly distributed the fake crypto apps through fake websites that resemble a trusted bank or the Apple App Store. The addition of the iOS enterprise developer system introduces further risk for victims because they could be handing the attackers the rights to their device and the ability to steal their personal data,” Chandraiah said.
How can I avoid falling prey to such scams?
1.To avoid falling prey to such malicious apps, people should only install apps from trusted sources such as Google Play and Apple’s app store.
2. Users should also verify if the app was developed by its genuine developer.
3. One should also install an antivirus app on the mobile device, which can then protect the phone from such threats.
4. Be skeptical: online investments with promises of fast, amazing returns are often too good to be true
5. Do your due diligence: check reviews, double check the app, the domain name, the email address
6. Don’t disclose personal/confidential information at any cost
“In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” added Zinran Wu, another analyst at Sophos.
Researchers at cybersecurity firm Sophos Labs have unearthed that victims have been defrauded of at least $1.4 million by this crypto romance ( CryptoRom). In most cases, the scamsters have asked victims to transfer money by buying cryptocurrency through the Binance app and then to a fake trading application. This is done to avoid the tracing of funds to its destination and recuperation .
These fraudulent applications are aimed at exploiting the increased interest in trading apps, driven by the recent rise in the value of cryptocurrencies and interest in low-cost trading driven by stories like that of GameStock.
How does this work?
Under the CryptoRom scam, hackers target vulnerable people—particularly those who are looking for potential romantic partners through fake profiles on dating apps and social media platforms.
The victims are first contacted through their dating app account. After the scammer gains their trust, they coax the victim to move the conversation to messaging services like Whatsapp. They avoid requests for face-to-face meetings, citing the pandemic. Once the victim becomes familiar, they ask them to install fake trading applications with legitimate looking domains and customer support. They move the conversation to investment and ask them to invest a small amount, and even let them withdraw that money with profit as bait. After this, they will be told to buy various financial products or asked to invest in a big, high profit investment opportunity.
The hacker even lends some money into the fake app to build trust and make the victim believe they’re real and caring. When the victim wants their money back or gets suspicious, they get locked out of the account and the hacker removes all their money from the account.
Since these fake applications impersonate well-known apps from all over the world, the fraud is that more believable. “As is often the case with such fraud schemes, everything is made to look legitimate. Screenshots are provided, domain names are eerily similar to real websites, and customer service agents pretend to help victims choose the right products.One day, however, all contact stops and victims are locked out of the account. They’re left confused, hurt, and worried that they’ll never see their money again,” warned Interpol.
In some cases, the victims are lured to websites designed to look like those belonging to legitimate companies. “These websites forwarded victims to third-party sites that delivered iOS mobile applications via configuration management schemes, iOS mobile device management payloads carrying “Web Clips”, or Android apps depending on the device used,” said the researchers.
How much money have people lost?
One such victim lost $87000, while another lost $45000 to a scammer who contacted them through Facebook, and another lost $25000 after being scammed by someone who contacted through Grindr. In the latter case, the victim made an initial deposit, transferred money to a Binance app from their bank and then to crooks; they were then asked to deposit more funds in order to withdraw their money. None of these victims have gotten their money back. In another instance, a victim had sent over $1.39 million dollars to the fake bitcoin site.
They also gain access to your phone:
Apart from stealing money, the attackers also gain access to victims’ iPhones, where the cybercriminals leverage “Enterprise Signature,” which is a system for software developers to pre-test new iOS applications with selected iPhone users before they are submitted to the official Apple App Store for review and approval.
With the Enterprise Signature system, attackers get access to larger groups of iPhone users with their fake crypto-trading apps and gain remote management control over their devices. So apart from stealing money from victims, they also get to collect personal data and install malicious apps.
“When an iOS device user visits one of the sites used by these scams, a new profile gets downloaded to their device. Instead of a normal ad hoc profile, it is an MDM provisioning profile signed with an Enterprise certificate that is downloaded. The user is asked to trust the profile and, after they do that, the crooks can manage their device depending on the profile contents,” writes Jagadeesh Chandraiah, a senior threat researcher at Sophos.
Where are these victims located?
The Sophos team found that most of the scam’s victims are iPhone users based in the United States, Asia and Europe.
When Sophos had first released its report in May, they had discovered that most of the victims were only in Asia and its perpetrators used Apple’s ad-hoc Super Signature distribution scheme to target iOS device users.
“As we expanded our search based on user-provided data and additional threat hunting, we also witnessed malicious apps tied to these scams on iOS leveraging configuration profiles that abuse Apple’s Enterprise Signature distribution scheme to target victims…Until recently, the criminal operators mainly distributed the fake crypto apps through fake websites that resemble a trusted bank or the Apple App Store. The addition of the iOS enterprise developer system introduces further risk for victims because they could be handing the attackers the rights to their device and the ability to steal their personal data,” Chandraiah said.
How can I avoid falling prey to such scams?
1.To avoid falling prey to such malicious apps, people should only install apps from trusted sources such as Google Play and Apple’s app store.
2. Users should also verify if the app was developed by its genuine developer.
3. One should also install an antivirus app on the mobile device, which can then protect the phone from such threats.
4. Be skeptical: online investments with promises of fast, amazing returns are often too good to be true
5. Do your due diligence: check reviews, double check the app, the domain name, the email address
6. Don’t disclose personal/confidential information at any cost
“In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” added Zinran Wu, another analyst at Sophos.
