Love at the price of cryptocurrency scams

By Joon Hoong Wong, Country Manager, Sophos Malaysia

The Royal Malaysia Police recently reported that there were 98,607 instances of online fraud between 2017 and 2021 totalling RM3.3 billion. According to this report, love scams are one of the leading ways Malaysians are tricked out of handing over their money.

Given this, it is no surprise that Sophos, as a global cybersecurity leader, has discovered new insight in the art of romance swindle involving an international cryptocurrency trading scam called, CryptoRom. The new research by Jagadeesh Chandraiah, senior threat researcher, SophosLabs is based on first-hand accounts shared with Sophos by victims of the scam, which targets iPhone and Android users through popular dating apps, such as Bumble and Tinder.

Criminals adopt a fake online identity to gain a victim’s affection and trust. After getting them to fall in love via these dating and social media sites, the criminals will persuade them into jointly “investing” in cryptocurrencies, on fake popular trading apps. Furthermore, when victims try to withdraw their investments from these fake trading schemes, their accounts were frozen and they were charged up to hundreds of thousands of dollars in fake “profit tax” to regain access.

Here’s the download on some of these fraudulent mobile apps and websites, as well as the social engineering techniques used by malware operators, including a new type of abuse leveraging Apple iOS’s software distribution to bypass the App Store’s security screening.

Misusing Apple’s TestFlight feature

Sophos has identified that Apple’s TestFlight is being abused by CryptoRom authors. This feature is used for testing the “beta” version of applications before they are submitted to the App Store for distribution. Apple supports the use of TestFlight app distribution in two ways: for smaller internal application tests are sent out by up to 100 users via email invitation, and larger public beta tests supporting up to 10,000 users. The smaller email-based distribution approach requires no App Store security review, while TestFlight apps shared by public web links require an initial review of code built by the App Store.

Unfortunately, just as Sophos has seen happen with other alternative app distribution schemes supported by Apple, “TestFlight Signature” is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse.

Some of the victims who contacted Sophos reported that they had been instructed to install what appeared to be BTCBOX, an app for a Japanese cryptocurrency exchange. We also found fake sites that posed as the cryptocurrency mining firm BitFury peddling fake apps through Test Flight. No surprise, these apps for both Android and iOS were distributed through a fraudulent website.

BTCBOX has warned users of fake websites

iOS WebClips, Changing Icons and Websites

The majority of the iPhone users also reported that they were lured with another approach to bypassing the App Store: they were sent URLs serving iOS WebClips. WebClips are a mobile device management payload that adds a link to a web page directly to the iOS device’s home screen making it look like a typical application, duping the users.

While investigating one of the CryptoRom URLs, Jagadeesh and the SophosLabs team found related IPs that were hosting App store lookalike pages with a similar template, but with varying names and icons. The “apps” included one that mimics the popular Robinhood trading application, called ‘RobinHand.’

In addition to App store pages, all these fake pages also had linked websites with similar templates to convince users-different brands and icons, but similar web content and structure. This is probably done to quickly move on from one cryptocurrency brand to another when they get blocked or found out.

Images show copying of well-known cryptocurrency, trading and exchange platforms with web templates where they change only icon, URL, and brand name.

As for the Android versions of these fake apps, the trend of using easy, low effort app development tools continues. Most of the CryptoRom-connected Android apps we have seen are essentially wrapped web applications with minimal code that connects to suspicious URLs.

Gaining trust, ruining lives

These scams use a number of approaches to build a relationship with their targets without ever meeting them face to face instead of using dating sites and apps, as well as other social networking platforms, to find new victims. Sometimes, they were initiated through offering seemingly random WhatsApp messages the users investment and trading tips, including links to CryptoRom site URLs. Often these messages included promises of huge financial returns.

Because the fake apps targets are directed to mimic popular brands, the targets are often convinced that they are transacting with legitimate companies. But the most important factor in these scams, based on online conversations, appears to be that the criminals allow targets to initially make withdrawals from the fake accounts after taking “profits.” Victims are allowed to withdraw their initial investment as a confidence-building measure, but then the fake romantic partner or “friend” urges the victim to reinvest even more for a big event. To sweeten the pot, they even offer to “lend” the target a huge sum to increase the investment; since they control the back-end of the app, they can inject fake deposits on accounts and create imaginary profits at will.

The scam doesn’t end with just fooling victims into investing. When victims try to withdraw funds from their big “profit,” the scammers use the app to inform them that they need to pay a “tax” of 20% of their profits before funds can be withdrawn-and threaten that all their investments will confiscated by tax authorities if they do not pay.

Preventing Bad Romance Online

These scams are well-organised and skilled in identifying and exploiting vulnerable users. As such, here are some of Sophos’s top tips to help you stay clear of online scammers:

  • Take your time when “dating site” talks turns from friendship to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. The other person could simply have read your various online profiles carefully in advance.
  • Never give administrative control of your phone to someone with no genuine reason to have it. Never click [Trust] on a dialogue that asks you to enrol in remote management unless it’s from your employer, and your employer manages or owns the device.
  • Don’t be fooled by circumstances that imply approval from Apple. The fact that an app is registered with TestFlight doesn’t mean it’s officially vetted and approved by Apple. In fact, it’s the opposite: TestFlight apps aren’t in the App Store yet, because they’re still being developed and could contain bugs, accidentally or deliberately.
  • Don’t be deceived by messaging inside the app itself. Don’t let icons, names and text messages inside an app trick you into assuming it has the credibility it claims.
  • Listen openly to your friends and family if they try to warn you. Criminals who use dating apps and friendships as a lure will try to deliberately set you against your family as part of their scams.

Leave a Comment