CryptoRom Bitcoin swindlers – what to look out for
Article by Sophos global solutions engineer Aaron Bugal.
Since the pandemic began, there has been a concerning surge in crypto- and investment-related scams in Australia, and in particular a spike in dating and romance scams.
According to ASIC, financial scams in Australia reportedly doubled in 2021, with 3,400 reports received about dating and romance scams. In addition, the Australian Competition and Consumer Commission (ACCC) has said losses to romance-related scams were likely far higher than the AUD$56 million reported last year. So, with criminals looking for new ways to reach their victims, romance scams are a huge concern.
CryptoRom Bitcoin swindlers are targeting vulnerable iPhone and Android users. Criminals have been using dating sites and applications, as well as other social networking platforms to find new victims.
Unfortunately, abuse of iOS TestFlight, along with social engineering and lookalike web pages, has led to CryptoRom Bitcoin swindlers double dipping into Australians’ pockets.
iOS TestFlight Signature abuse
TestFlight Signature is available as a hosted service for alternative iOS app deployment, making it all too simple for malware authors to abuse. These third-party services are extensively abused by CryptoRom authors.
TestFlight is used for testing the “beta” version of applications before they are submitted to the App Store for distribution. Apple supports TestFlight app distribution in two ways: smaller internal application tests sent out to up to 100 users by email invitation, and larger public beta tests supporting up to 10,000 users. The smaller email-based distribution approach requires no App Store security review, while TestFlight apps shared by public web links require an initial review of code builds by the App Store.
Apps for both Android and iOS are being distributed through fraudulent websites, with the iOS version of the fake applications using TestFlight to deploy to victims’ devices. In both cases, cybercriminals design the fraudulent apps to mimic popular ones, to convince users they are transacting with legitimate apps.
This style of cyber fraud is a well organised, syndicated scam operation that uses social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their trust.
iOS WebClips, changing Icons and Websites
Many of the iPhone users who have encountered these fraudulent apps were lured with another approach to bypassing the App Store. They were sent URLs serving iOS WebClips, a mobile device management payload that adds a link to a web page directly to the iOS device’s home screen, making it look like a typical application.
Cybercriminals use related IPs to host App Store lookalikes with a similar template to legitimate apps, but with varying names and icons. For example, there is a fraudulent version of the popular Robinhood trading application, called “RobinHand”, which has a similar logo to Robinhood.
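As an added example (not code from the article or from Sophos), the check below shows how a support team or investigator could inspect a configuration profile (.mobileconfig) before it is installed, pulling out each WebClip payload and flagging the signs described above: a label that resembles a well-known app but points at an unrelated host, a full-screen clip that hides the address bar, and a clip marked non-removable. It uses the standard Apple WebClip payload keys (Label, URL, FullScreen, IsRemovable); the brand list, the sample profile and its identifiers are constructed for the demonstration.

```python
import plistlib
from difflib import SequenceMatcher
from urllib.parse import urlparse

WEBCLIP_TYPE = "com.apple.webClip.managed"
# Constructed (hypothetical) brand list: brand name -> legitimate domain.
KNOWN_BRANDS = {"robinhood": "robinhood.com", "coinbase": "coinbase.com"}


def make_profile(label, url, full_screen=True, removable=False):
    """Build a minimal profile with one WebClip payload (constructed test input)."""
    clip = {
        "PayloadType": WEBCLIP_TYPE,
        "PayloadIdentifier": "example.webclip",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder
        "Label": label,          # name shown under the home-screen icon
        "URL": url,              # page the icon opens
        "FullScreen": full_screen,
        "IsRemovable": removable,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.profile",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",  # placeholder
        "PayloadContent": [clip],
    }
    return plistlib.dumps(profile)


def webclip_findings(profile_bytes, brands=KNOWN_BRANDS, threshold=0.75):
    """Return (label, url, reasons) for every WebClip payload in the profile."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != WEBCLIP_TYPE:
            continue
        label, url = str(payload.get("Label", "")), str(payload.get("URL", ""))
        host = (urlparse(url).hostname or "").lower()
        reasons = []
        for brand, domain in brands.items():
            # Fuzzy match catches "RobinHand"-style lookalike labels.
            similar = SequenceMatcher(None, label.lower(), brand).ratio() >= threshold
            if similar and host != domain and not host.endswith("." + domain):
                reasons.append(f"label resembles {brand!r} but URL host is {host!r}")
        if payload.get("FullScreen"):
            reasons.append("FullScreen hides the address bar, so the real URL is never shown")
        if payload.get("IsRemovable") is False:
            reasons.append("IsRemovable=false stops the user deleting the icon")
        findings.append((label, url, reasons))
    return findings
```

Run `webclip_findings(open("profile.mobileconfig", "rb").read())` on a real file; an empty reasons list means none of these indicators were present, not that the page behind the clip is legitimate.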
The financial apps used in a CryptoRom scam are completely fraudulent. While the apps often allow people to “invest”—some show excellent returns being made on the initial investment and allow some users to withdraw “earnings”—this is just a technique to boost confidence. It entices people to put more and more money in, after which they are prevented from withdrawing any “earnings”.
CryptoRom victims are generally desperate to get their money back, but they need to be careful in doing so. Several fake recovery services have been targeting CryptoRom victims specifically. It is important to note that these services approach victims through replies in discussion groups and across social media.
In some cases, Australians have lost their entire savings and have even taken out loans in the hope of getting their money back. Although some recognised the scam before being drawn into it too deeply, more reports and information need to be brought before the public eye.
CryptoRom scams continue to flourish through the combination of social engineering, cryptocurrency, and fake applications. If you have been the victim of a crypto scam, the best approach is to take time to think about your next steps, take care when seeking help online, and contact local and national law enforcement for assistance.
The only long-term fix to prevent these scams is awareness and a collective response.