Sophos, a computer security company, has named a campaign "CryptoRom" because of its unusual combination of two ingredients: cryptocurrency scams and dating apps. A new report released on Wednesday, October 13, describes sophisticated impersonation techniques, in particular fake applications passed off as legitimate ones.
According to the various victim cases studied by Sophos, the scammers behind these operations typically start on dating apps such as Grindr, Tinder or Bumble. A first contact is made between the scammer and the target, and the scammer quickly tries to move the conversation to a messaging application such as WhatsApp. In the course of the exchange, the fraudsters then try to persuade their victims to install an application for investing in cryptocurrencies. This is where the scam proper begins.
Most of the victims identified by Sophos used an iPhone, which should have considerably limited the risk of installing malicious apps, since Apple's phone ecosystem is designed to be closed. Apple decides which developers may distribute their apps through the App Store (the iOS app store). In principle, therefore, software cannot be installed without going through this platform, which reviews submitted applications to ensure they contain no malware, unless the iPhone's operating system is "jailbroken".
However, the criminals behind these scams used several methods to get around these protections and to "sign" their malware, that is, to have it recognised by iOS and thus obtain permission to install it.
One of these methods, called "Super Signature", abuses and hijacks a test programme offered by Apple so that developers can install unapproved software on a small number of registered devices. The second, which works in a similar way, relies on distribution certificates intended for businesses, which can be used to install an application on many devices at once without going through the App Store. According to Sophos, there are signing services that scammers can simply pay for in order to get fake apps onto iPhones. Once such a signature has been obtained, all that remains is to direct the victims to a website that imitates the App Store and encourage them to download the fake investment applications from it.
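As an added illustration (not from Sophos's report or from the article), the following Python snippet shows how an investigator can tell from the provisioning profile bundled with an iOS app (the embedded.mobileprovision file inside the .ipa) which of the two channels described above was used: an ad-hoc profile lists the registered devices it is limited to, while an enterprise profile is marked as valid for all devices. The three sample profiles are constructed here for the demonstration, and the team names in them are hypothetical; the plist keys themselves (ProvisionsAllDevices, ProvisionedDevices, get-task-allow, ExpirationDate) are the ones Apple actually writes into such profiles.

```python
import plistlib
import re
from datetime import datetime

# A real embedded.mobileprovision is a CMS (PKCS#7) signature wrapping an
# XML plist.  The plist is recoverable by locating the <?xml ... </plist>
# span inside the envelope (assumption: XML plist, the common form).
_PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def extract_plist(raw: bytes) -> dict:
    """Return the provisioning dictionary embedded in a .mobileprovision blob."""
    m = _PLIST_RE.search(raw)
    if not m:
        raise ValueError("no XML plist found in provisioning profile")
    return plistlib.loads(m.group(0))


def classify_profile(raw: bytes, now: datetime) -> dict:
    """Classify how an app was provisioned and flag what a defender should notice.

    ProvisionsAllDevices -> in-house (enterprise) distribution, any device
    ProvisionedDevices   -> ad-hoc (or development) build, registered UDIDs only
    get-task-allow       -> true only for debuggable development builds
    Neither device key   -> App Store style profile
    """
    p = extract_plist(raw)
    ents = p.get("Entitlements", {})
    devices = p.get("ProvisionedDevices", [])
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"
    elif devices:
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"
    expiry = p.get("ExpirationDate")
    return {
        "kind": kind,
        "team": p.get("TeamName", "?"),
        "device_count": len(devices),
        "expired": expiry is not None and expiry < now,
        # A wildcard app ID lets one profile sign any app the service sells.
        "wildcard_app_id": str(ents.get("application-identifier", "")).endswith(".*"),
        "sideloaded": kind in ("enterprise", "ad-hoc", "development"),
    }


def _fake_cms(plist_dict: dict) -> bytes:
    """Constructed stand-in for the CMS envelope; not a valid signature."""
    body = plistlib.dumps(plist_dict, fmt=plistlib.FMT_XML)
    return b"\x30\x82\x0b\x2aFAKE-CMS-ENVELOPE:" + body + b":FAKE-CMS-TRAILER"


# Constructed sample profiles (team names hypothetical).
ADHOC_PROFILE = _fake_cms({
    "Name": "Wildcard AdHoc",
    "TeamName": "Example Signing Service",
    "ProvisionedDevices": ["00008030-0000000000000001",
                           "00008030-0000000000000002",
                           "00008030-0000000000000003"],
    "ExpirationDate": datetime(2022, 10, 13),
    "Entitlements": {"application-identifier": "ABCDE12345.*",
                     "get-task-allow": False},
})
ENTERPRISE_PROFILE = _fake_cms({
    "Name": "In-House Distribution",
    "TeamName": "Example Corp Ltd",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2022, 10, 13),
    "Entitlements": {"application-identifier": "FGHIJ67890.*",
                     "get-task-allow": False},
})
APPSTORE_PROFILE = _fake_cms({
    "Name": "App Store Release",
    "TeamName": "Example Legit Developer",
    "ExpirationDate": datetime(2022, 10, 13),
    "Entitlements": {"application-identifier": "KLMNO13579.com.example.wallet",
                     "get-task-allow": False},
})

REPORT_DATE = datetime(2021, 10, 13)  # date of the Sophos report in the text
LATER_DATE = datetime(2023, 1, 1)     # a date after the sample profiles expire

if __name__ == "__main__":
    for label, raw in (("ad-hoc", ADHOC_PROFILE), ("enterprise", ENTERPRISE_PROFILE),
                       ("app-store", APPSTORE_PROFILE)):
        print(label, classify_profile(raw, REPORT_DATE))
```

On a real device the same profile can be read from the app bundle after extracting the .ipa; an app that claims to come from the App Store but carries an ad-hoc or enterprise profile, especially one with a wildcard application identifier and a team name unrelated to the app, is exactly the pattern the Sophos report describes.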
Victims in France
The company notes in its report that the range of victims targeted by fraudsters using these methods is much wider than previously estimated. In its first report in May, Sophos estimated that the victims were mostly in Asia, but it has since found targets in Europe, notably in France, Hungary and the UK, and in the United States. The campaign identified by Sophos is lucrative: a single bitcoin wallet used by the scammers received about $1.4 million in payments.
Once installed, some of the fake applications present themselves as genuine trading and investment platforms, not only for cryptocurrencies but also for Forex or conventional stock trading. Victims who are pushed into making a first deposit are reeled in by an initial profit they are allowed to withdraw in cash. The scammers then encourage them to stake larger amounts, which are never returned.