Social engineering attacks have been using romantic traps and cryptocurrency tricks to lure victims into installing copycat apps. These attacks abuse legitimate iOS features, TestFlight and Web Clips, to get the fake apps onto victims' devices.
Sophos, a cybersecurity company, has named the campaign "CryptoRom" and describes it as a global-scale attack.
“This style of cyber-fraud, known as sha zhu pan (杀猪盘) — literally ‘pig butchering plate’ — is a well-organized, syndicated scam operation that uses a combination of often romance-centered social engineering and fraudulent financial applications and websites to ensnare victims and steal their savings after gaining their confidence,” Sophos analyst Jagadeesh Chandraiah said in a report published last week.
The attacks initially target victims through dating apps like Bumble, Tinder, Facebook Dating and Grindr. After the initial contact, the conversation moves to messaging apps such as WhatsApp, where the scammers goad the victims into installing a cryptocurrency trading application designed to imitate popular brands, which is then used to lock people out of their accounts and freeze their funds.
Earlier variants of the attack, seen in October 2021, used look-alike App Store pages to trick people into installing copycat iOS apps. The attacks also abused Apple's Developer Enterprise Program to plant sketchy mobile provisioning profiles that spread the malware.
The latest attack reported by Sophos uses Apple's TestFlight beta testing framework and a device management feature called Web Clips, which lets a URL pointing to a specific web page be placed on the home screen of a user's iOS device so that it looks just like any other installed application.
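Because a Web Clip is delivered as a payload inside an iOS configuration profile, a defender who captures a suspicious .mobileconfig file can inspect it for clips that point at non-organizational hosts or that are set to full screen and non-removable. The following is an added example, not code from the Sophos report; the profile contents, the allow-listed host and the URL are constructed placeholders.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample profile: one managed Web Clip payload whose label imitates a
# trading app. All values are made up for illustration.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadDisplayName</key><string>Crypto Trading</string>
<key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>com.apple.webClip.managed</string>
<key>Label</key><string>TradingApp</string>
<key>URL</key><string>https://example-scam.invalid/app</string>
<key>IsRemovable</key><false/>
<key>FullScreen</key><true/>
</dict></array>
</dict></plist>"""

# Hypothetical allow-list of hosts the organization legitimately deploys as Web Clips.
ALLOWED_HOSTS = {"intranet.example.com"}


def find_web_clips(profile_bytes):
    """Return one dict per com.apple.webClip.managed payload found in the profile."""
    profile = plistlib.loads(profile_bytes)
    clips = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.webClip.managed":
            clips.append({
                "label": payload.get("Label", ""),
                "url": payload.get("URL", ""),
                "removable": payload.get("IsRemovable", True),
                "fullscreen": payload.get("FullScreen", False),
            })
    return clips


def suspicious_clips(profile_bytes, allowed_hosts=ALLOWED_HOSTS):
    """Flag Web Clips that look like app impersonation: off-allow-list host,
    full-screen rendering (hides the browser UI) or a clip the user cannot remove."""
    flagged = []
    for clip in find_web_clips(profile_bytes):
        host = urlparse(clip["url"]).hostname or ""
        reasons = []
        if host not in allowed_hosts:
            reasons.append("url host not on allow-list")
        if clip["fullscreen"]:
            reasons.append("full-screen web clip hides the browser chrome")
        if not clip["removable"]:
            reasons.append("user cannot remove the clip")
        if reasons:
            flagged.append((clip["label"], clip["url"], reasons))
    return flagged
```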
After installation, the attackers promise victims huge returns if they invest, while manipulating the numbers shown in the copycat app to "reinforce the con" and lead the victims into believing that "they are making money" through the platform.
“The scam doesn’t end with just fooling victims into investing,” Chandraiah elaborated. “When victims try to withdraw funds from their big ‘profit,’ the crooks use the app to inform them that they need to pay a ‘tax’ of 20% of their profits before funds can be withdrawn — and threaten that all their investments will be confiscated by tax authorities if they do not pay.”