iOS and Android: CryptoRom scammers are ruining unsuspecting users


A game worth millions: CryptoRom fraudsters ruin unsuspecting users with sophisticated social engineering. The misuse of iOS TestFlight and WebClips in combination with social engineering and fake websites drives many victims to ruin.

Sophos has a new report “CryptoRom Swindlers Continue to Target Vulnerable iPhone/Android Users” about the internationally widespread cryptocurrency scam CryptoRom. This scam targets iPhone and Android users using popular dating apps like Bumble and Tinder. As the report shows, victims' accounts were frozen as soon as they attempted to withdraw their investments from the fake platform. In addition, they were sometimes charged hundreds of thousands of euros in so-called “taxes” in order to regain access.

The dating scam

Dating contacts recommend fake investments with high profits.

In one instance, a victim was charged $625,000 to regain access to the $570,000 they had invested in a fake crypto trading scheme. This "investment" had been recommended to the victim by a person he had met on an online dating platform. The dating contact then claimed to have invested some of their own money to bring the joint stake to $1 million. The scammers then said the investment had produced a profit of $4 million and that a profit tax of 3.13 percent ($20) was payable; this tax, they said, had to be paid before the account could be accessed again and the money withdrawn. In reality, neither the co-investment nor the profits were real, and the online "friend" was part of the scam.

Investment tips via dating chat

"It is extremely worrying that people continue to fall for these criminal schemes, especially as the use of cross-border transactions and unregulated cryptocurrency markets mean victims lack legal protection for the funds they invest," said Jagadeesh Chandraiah, security expert at SophosLabs. "This is a problem that will remain. We need traceability of cryptocurrency transactions, more aggressive warning of users about these scams, and rapid detection and removal of the fake profiles that enable these scams."

Known as "sha zhu pan" (literally "pork platter"), this type of cyber scam is well organized and uses a combination of social engineering and deceptive financial applications and websites. Victims are ensnared so that their savings can be stolen. Initially, these scams were concentrated in Asia, but since October 2021 Sophos has registered a global spread.

Abuse of Apple iOS TestFlight and iOS WebClips

Android and iOS apps were distributed via a deceptive website. The iOS version of the fake application used TestFlight to deploy it to victims' devices (Image: Sophos).

The Sophos report highlights some of the fake mobile apps and websites, as well as the social engineering techniques the operators use to bypass the Apple iOS App Store review and distribute the malware.

Sophos previously found that CryptoRom's rogue applications for iOS devices abused Apple's “Super Signature” distribution scheme and Apple's enterprise application delivery scheme. Now the experts are also observing that Apple TestFlight is increasingly being used for criminal activities.

Lack of security review makes it easier

TestFlight is used for limited beta testing of applications before they are deployed to the App Store. Email-based distribution does not require a security review by the App Store, while TestFlight apps distributed via public web links require an initial code review by the App Store. “Unfortunately, 'TestFlight Signature', like other Apple-supported app distribution systems, is available as a hosted service for alternative iOS app delivery. This makes it easy for malware authors to abuse it—even with CryptoRom,” says Chandraiah.

Many iPhone users that Sophos spoke to and who encountered the rogue apps were tricked into another App Store bypass method: they were given URLs serving iOS WebClips. A WebClip is a mobile device management payload that places a link to a web page directly on the iOS device's home screen, making it look like a typical application to less-savvy users. Examining one of the CryptoRom URLs, Sophos found related IPs hosting app store-like pages but with different names and icons. The "apps" included one that mimics the popular Robinhood application as "RobinHand," with a logo similar to Robinhood's.
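As an added illustration (this code is not from the Sophos report or from Apple): a defender reviewing a suspicious configuration profile can parse its WebClip payloads and note which ones imitate a known brand, hide the browser UI, or cannot be removed by the user. The brand watch-list and the sample .mobileconfig below are constructed for the example; the host example.invalid is a placeholder.

```python
"""Added example: list WebClip payloads in an iOS .mobileconfig and flag look-alikes.
Not from the Sophos report; the brand list and sample profile are constructed."""
import difflib
import plistlib

KNOWN_BRANDS = ["Robinhood", "Coinbase", "Binance"]  # assumed watch-list

# Constructed sample profile; example.invalid is a placeholder host.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.webClip.managed</string>
<key>Label</key><string>RobinHand</string>
<key>URL</key><string>https://example.invalid/trade</string>
<key>FullScreen</key><true/>
<key>IsRemovable</key><false/>
</dict></array></dict></plist>"""


def lookalike_brand(label, threshold=0.75):
    """Return the watch-listed brand the label resembles, else None."""
    best, best_score = None, 0.0
    for brand in KNOWN_BRANDS:
        score = difflib.SequenceMatcher(None, label.lower(), brand.lower()).ratio()
        if score > best_score:
            best, best_score = brand, score
    return best if best_score >= threshold else None


def webclip_report(profile_bytes):
    """Describe each WebClip payload and note why it may be deceptive."""
    report = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.webClip.managed":
            continue
        label = payload.get("Label", "")
        reasons = []
        brand = lookalike_brand(label)
        if brand:
            reasons.append(f"label resembles {brand}")
        if payload.get("FullScreen", False):  # hides Safari UI, so the page looks native
            reasons.append("full-screen clip looks like a native app")
        if not payload.get("IsRemovable", True):  # user cannot delete it from the home screen
            reasons.append("marked non-removable")
        report.append({"label": label, "url": payload.get("URL", ""), "reasons": reasons})
    return report
```

Running `webclip_report(SAMPLE_PROFILE)` on the constructed profile lists the "RobinHand" clip with all three reasons; a profile without WebClip payloads yields an empty report.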

Tricky approach

The cyber gangsters use various methods to establish a relationship with their targets without ever meeting them in person. Dating websites and dating applications, as well as other social networking platforms, are used extensively to find new victims. In some cases, seemingly random WhatsApp messages were also initiated in which scammers offered recipients investment and trading tips, including links to CryptoRom websites. Often these messages contained promises of large financial gains. It is suspected that the criminals obtain their targets' contact information either from their own social media accounts or from compromised websites.

CryptoRom scams continue to flourish

CryptoRom scams thrive on a combination of social engineering, cryptocurrency, and bogus applications. The criminals are well-organized and adept at identifying and exploiting victims based on their situation, interests, and technical skills.

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
