by Paul Ducklin
Remember how ransomware started?
It was all about volume.
The CryptoLocker gang, for example, raked in millions of dollars, perhaps even hundreds of millions, by scrambling your files and then extorting you for $300 to unscramble them again.
These days, however, the big-money ransomware gangs take a very different approach.
They typically go after companies one by one, so they can rake in similar amounts of money by focusing their attention on one victim at a time, whom they then blackmail for hundreds of thousands or millions of dollars each.
The crooks, sadly, get a threefold benefit out of this approach: they get to play their cards closer to their chests; they get to squeeze their victims for bigger amounts each time; and they can put much more effort into each attack.
Lure, love and leech
Romance scammers, who prey on vulnerable people online and lure them into long-term, long-distance relationships that are really just a pack of lies, take a similar approach.
They play the field, as it were, on dating sites, identifying numerous possible targets at first before targeting those victims whom the crooks can see have fallen for their “charms” the hardest.
Like modern ransomware gangs, romance scammers have sufficient operational patience that they aren’t out to scam hundreds of dollars each out of thousands of victims, but to scam hundreds of victims out of hundreds of thousands of dollars each.
They might not set out to target any particular individual up front, but once they’ve won a victim’s trust and loyalty, they’ll focus on that person for as long as the scam keeps working.
Original video here: https://www.youtube.com/watch?v=_nO77xWeO4o
Trading scammers love you, too
Well, Sophos Labs researchers have just published a report entitled Fake Android and iOS apps disguise as trading and cryptocurrency apps, and it seems that some investment scammers are taking a similar sort of approach.
These trading scammers get you to fall in love with them too, or at least with the money they promise you.
After all, if you’ve gone to all the trouble of building an imposter website that looks like a genuine online currency trading business, and a fake app that is believable enough to pass muster as belonging to someone else’s brand…
…why spam out links to that site, or draw attention to your app, so that millions of people who aren’t going to be fooled, and who will never fall into your evil clutches, might see what you are up to and raise the alarm?
If your app’s already in Google Play, you risk having it chucked out, which means you’re then faced with starting over.
So why not start “off market”, and parlay that into something special, for selected users only, not available in the Play Store, right from the start?
And if your victim has an iPhone, there are no app markets for Apple users other than the App Store, so you need to follow a “you’re smart and special and so is this app” approach anyway.
Super Signature services
Technically, it’s possible to install iPhone apps that didn’t come from the App Store, but it’s a complex and closed process designed so that developers can test apps before releasing them, or so that companies can produce in-house apps that are used only inside the organization rather than offered commercially to the public.
So, if you’re not a legitimate software creator but you want to build an iPhone app to scam other people, you need someone who will pretend to be the “developer” of your app, and who will submit it for one-off signing to Apple.
Then, your victims need to jump through special hoops by which their devices get registered into the “development process” so their phones are authorized by Apple to run your “special” app.
Apple carefully limits the number of test apps that it will sign for any development team, and keeps track of the number of phones that are using those apps, specifically to discourage commercial coders from misusing the process as a way of sidestepping the App Store.
In other words, a crook who sets out to game this system really can’t afford to have hundreds of people installing the app but then realizing it’s a scam and getting rid of it.
Indeed, Apple’s own guidelines warn developers as follows:
You’re allowed to register a fixed number of devices per product family per year, and disabling a device in your developer account won’t decrease the count of registered devices.
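As an added illustration (not code from the Sophos Labs report or this article), the following Python check inspects an iOS provisioning profile (.mobileprovision) and reports whether it is the per-device, UDID-registered kind of profile the section above describes. The sample profile bytes are constructed; the plist keys used (ProvisionedDevices, ProvisionsAllDevices, get-task-allow, ExpirationDate, TeamName) are Apple's real profile keys, and the CMS signature that wraps the plist is located but not verified.

```python
import plistlib
from datetime import datetime, timezone

# Constructed sample: placeholder bytes stand in for the CMS/DER signature that
# wraps a real .mobileprovision file; the XML plist inside uses made-up values.
SAMPLE_PROFILE = (
    b"\x30\x82\x0a\x00constructed-cms-wrapper-placeholder"
    b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
    b"<key>Name</key><string>Example Trading App</string>"
    b"<key>TeamName</key><string>Example Signing Proxy Ltd</string>"
    b"<key>ProvisionedDevices</key><array>"
    b"<string>00008030-000000000000002E</string>"
    b"<string>00008030-000000000000003F</string></array>"
    b"<key>ExpirationDate</key><date>2022-06-01T00:00:00Z</date>"
    b"<key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>"
    b"</dict></plist>\x00constructed-trailing-bytes"
)

def extract_plist(raw: bytes) -> dict:
    # A .mobileprovision file is a CMS signature wrapping an XML plist. This
    # does not verify the signature; it only locates the plist for inspection.
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def classify_profile(profile: dict, now=None) -> dict:
    # plistlib returns naive UTC datetimes, so compare against a naive UTC now.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    devices = profile.get("ProvisionedDevices", [])
    debuggable = bool(profile.get("Entitlements", {}).get("get-task-allow"))
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"   # in-house distribution, no per-device list
    elif devices:
        kind = "development" if debuggable else "ad hoc"  # UDID-registered
    else:
        kind = "app store"    # neither a device list nor the enterprise flag
    expiry = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "team": profile.get("TeamName"),
        "device_count": len(devices),
        "expired": expiry is not None and expiry < now,
        # An app delivered by link, signed for a short list of UDIDs by a team
        # you have never dealt with, matches the distribution pattern above.
        "device_registered": kind in ("development", "ad hoc"),
    }
```

On a real device, the profiles an app was installed under can be reviewed in Settings under General, VPN & Device Management; this script is for looking at a profile file you have been handed, not at a live device.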
Love comes first, the app comes later
So, online trading scammers who have iPhone users in their sights might as well take the trouble to get potential victims to fall in love with the scam first, before tempting them with their bogus apps.
The new Sophos Labs report takes you through the fascinating tale of how the crooks do it, including:
- How the crooks identify potential victims and lure them into a trusting relationship. (They use social media and dating sites, just like romance scammers.)
- How the crooks get their iPhone apps digitally signed without engaging directly with Apple. (They use online proxy companies, offering what are known in the jargon as Super Signature services to take care of that side of things.)
- How the crooks talk their victims into installing the fake apps without using the App Store. (They use the same sort of provisioning system that a company might use with its own employees, essentially “managing” the victim’s phone for them so that they can install a “special” app.)
- How the crooks keep the investment myth alive once the victim has started making deposits. (They use fake feedback that makes it look as though deposits really went through, and that gives the impression your “investment” can be withdrawn in the future, even though it’s gone for ever.)
As if that isn’t bad enough on its own, one of the scams that Sophos Labs investigated reminded us, yet again, that cyber criminals often aren’t very good at cybersecurity themselves.
The criminals’ server had a wide-open directory that contained all the genuine customer data that they had collected under the guise of “know your customer” regulations, such as scans of passports, ID cards, driving licenses and more.
What to do?
- If it sounds too good to be true, it is too good to be true. Even if you think of all your social media and dating site connections as friends, you have no idea what their motivation is for talking up any investment scheme they recommend. For all you know, they could already have fallen for a scam themselves and be unknowingly dragging you in after them, or their account could have been hacked.
- Find your own way to investment websites you want to investigate. In these scams, the crooks are hoping you won’t check the links they send you too closely, because the links come from a “friend” and so can supposedly be trusted implicitly. But even if a link does come from a true friend, they could have made a mistake, so do your own searches anyway. (And see bullet point #1 above.)
- Never install iPhone apps that don’t come from the App Store unless you know for sure that they were built, tested and delivered by your own employer for a legitimate purpose that’s specific to your business. Be especially wary if the person trying to pitch the app to you comes up with a bunch of excuses such as “you’re an early adopter so you get the app before its release to the App Store”, or other tall stories that try to justify why they are unable to deliver the app in the regular way. (And see bullet point #1 above.)