Beware of fake online trading apps, on iOS and Android – Naked Security

Remember how ransomware started?

It was all about volume.

The CryptoLocker gang, for example, raked in millions of dollars, perhaps even hundreds of millions, by scrambling your files and then extorting $300 from you to unscramble them again.

These days, however, big-money ransomware gangs take a very different approach.

They usually attack businesses one by one, so they can collect similar amounts of money by focusing their attention on one victim at a time, whom they then blackmail for hundreds of thousands or millions of dollars each.

Scammers, unfortunately, derive a triple benefit from this approach: they can play their cards closer to their chest; they can squeeze their victims for larger amounts each time; and they can put a lot more effort into each attack.

Lure, love and leech

Romance scammers, who prey on vulnerable people online and lure them into long-term, long-distance relationships that are really just a bunch of lies, are taking a similar approach.

They sort of “play the field” on dating sites, identifying many possible targets first before homing in on those that the scammers can see have fallen hardest under their “spell”.

Like modern ransomware gangs, romance scammers have enough operational patience not to scam hundreds of dollars each out of thousands of victims, but hundreds of thousands of dollars each out of hundreds of victims.

They may not aim to target a specific person, but once they have gained a victim’s trust and loyalty, they will focus on that person for as long as the scam continues to operate.

Business scammers love you too

Well, SophosLabs researchers just released a report titled Fake Android and iOS Apps Disguise themselves as Trading and Cryptocurrency Apps, and it seems some investment scammers are taking a similar approach.

These commercial scammers make you fall in love with them too, or at least with the money they promise you.

After all, if you’ve gone to the trouble of creating an imposter website that looks like a genuine online currency trading business, and a fake app believable enough to pass off as someone else’s brand…

…why spam links to this site or draw attention to your application, so that millions of people who will not be fooled and who will never fall into your evil clutches, can see what you are doing and raise the alarm?

If your app is already in Google Play, you may find it taken down, which means you’ll have to start over.

So why not go “off-market” right from the start, and turn that into a selling point: the app is something special, for selected users only, and therefore not available on the Play Store?

And if your victim has an iPhone, there are no app markets for Apple users other than the App Store, so you have to take the “you’re smart and special, and so is this app” line anyway.

Super Signature Services

Technically, it’s possible to install iPhone apps that aren’t from the App Store, but it’s a complex, closed process designed so developers can test apps before releasing them, or so companies can produce internal applications that are used only inside the organization rather than offered commercially to the public.

So if you’re not a legit software creator but want to create an iPhone app to scam other people, you need someone who will pretend to be the “developer” of your app and submit it to Apple for signing.

Then your victims have to go through special steps where their devices are enrolled in the “development process” so that their phones are authorized by Apple to run your “special” application.

Apple deliberately limits the number of test apps it will sign for any development team and keeps track of the number of phones that use those apps, specifically to discourage commercial coders from misusing the process to circumvent the App Store.

In other words, a scammer who games this system really can’t afford to have hundreds of people install the app, realize it’s a scam, and then walk away from it by deleting it.

Indeed, Apple’s own guidelines warn developers as follows:

You are permitted to register a fixed number of devices per product family per year, and disabling a device in your developer account will not decrease the number of registered devices.

Love comes first, the app comes after

So e-commerce scammers who have iPhone users in their sights might as well take the trouble to make potential victims fall in love with the scam first, before tempting them with their fake apps.

The new report from SophosLabs tells you the fascinating story of how scammers go about it, including:

  • How scammers identify potential victims and lure them into a relationship of trust. (They use social media and dating sites, just like romance scammers.)
  • How scammers get their iPhone apps digitally signed without engaging directly with Apple. (They use online proxy companies, offering what are known in the jargon as super signature services, to take care of that aspect of things.)
  • How scammers persuade their victims to install fake apps without using the App Store. (They use the same type of provisioning system a company might use with its own employees, essentially “managing” the victim’s phone for them so they can install a “special” app.)
  • How scammers maintain the investment myth once the victim has started making deposits. (They use fake reports that make the deposits look as though they’ve really been made and give the impression that your “investment” can be withdrawn in the future, even though it’s gone for good.)

As if that weren’t enough on its own, one of the scams SophosLabs investigated reminded us, yet again, that cybercriminals are often not very good at cybersecurity themselves.

The criminals’ server had a wide-open repository containing all of the genuine customer data they had collected under the guise of “know your customer” regulations, such as scans of passports, ID cards, driving licences and so on.

What to do?

  • If it sounds too good to be true, it is too good to be true. Even if you think of all your social-network and dating-site contacts as friends, you have no idea what their motivation is in talking up any investment plan they recommend. For all you know, they might have already fallen for a scam themselves and be unwittingly dragging you after them, or their account might have been hacked.
  • Find your own way to the investment websites you want to research. In these scams, the scammers hope that you won’t check the links they send you too closely, because they came from a “friend” and can therefore be trusted implicitly. But even if a link is from a real friend, they may have made a mistake, so do your own research anyway. (And see point 1 above.)
  • Never install iPhone apps that are not from the App Store unless you know for certain that they were built, tested and delivered by your own employer for a legitimate purpose specific to your business. Be especially suspicious if the person trying to pitch the app to you comes up with a bunch of excuses like “you’re an early adopter so you’re getting the app before it’s released on the App Store”, or other tall stories that try to justify why they can’t supply the app in the regular way. (And see point 1 above.)