Gallagher discovered that the website that the scammers used to spread their malicious apps was set up to pose as a real Japanese financial company and had a .com domain. It even showed up on Google as one of the top results, Gallagher said, so victims could find it if they tried to do some basic research. “For those who are not particularly versed in these things, this part will be quite convincing,” says Gallagher.
The attackers, whom Sophos suspects are based in Hong Kong, developed apps for Windows, Android and iOS based on a legitimate trading service from a Russian software company. The service, known as MetaTrader 4, has been misused for fraud in past cases seen by Sophos researchers. As part of joining the platform, victims were required to disclose personal details, including taxpayer identification numbers and photographs of identification documents, and then begin transferring cash to their account.
As is often the case with a wide range of fraudulent activity, the attackers distributed their iOS application using a compromised certificate for Apple’s enterprise device management program. Sophos researchers recently found pig butchering applications that had bypassed Apple’s protections and infiltrated the company’s official App Store, however.
The second scam Gallagher followed appears to have been orchestrated by a Chinese crime syndicate operating from Cambodia. The technology was less slick and impressive, but still extensive. The group launched a fake cryptocurrency trading app on Android and iOS that posed as the legitimate market-tracking service TradingView. But the scheme used far more advanced and sophisticated social engineering to make victims feel they were in a real relationship with the scammer before inviting them to invest money.
“It starts like this: ‘Hey Jane, are you still in Boston?’ So I said, ‘Sorry, wrong number,’ and we had a standard exchange from there,” says Gallagher. The conversation began over SMS and then moved to Telegram.
The character claimed to be a Malaysian woman living in Vancouver, British Columbia. She said she was in the wine business and sent a photo of herself standing outside a bar, even though the bar mostly stocked spirits, not wine. Gallagher was eventually able to identify the bar in the photo as one at the Rosewood Hotel in Phnom Penh, Cambodia’s capital.
When asked, Gallagher once again said that he was a cybersecurity threat researcher, but this did not stop the scammer. He added that his company has an office in Vancouver and repeatedly offered to meet in person. The scammers remained committed to the ruse, however, and Gallagher received several audio and video messages from the woman in the photograph. In the end, he even spoke to her over a video call.
“Her command of English was pretty good; she was in a very inconspicuous place, like a room with acoustic panels on the walls, something like an office or a conference room,” says Gallagher. “She told me she was at home, and our conversation quickly turned to whether I was going to do high-frequency crypto trading with them.”
Cryptocurrency wallets linked to the scam received about $500,000 from victims in one month, according to Sophos monitoring.
Researchers have reported their findings on both scams to the relevant cryptocurrency platforms, tech companies, and global cybersecurity response teams, but both operations are still active and can continually stand up new infrastructure when their apps or wallets are taken down.
Sophos redacts all images of people involved in both scams in its reports because pig butchering attacks are often carried out using forced labor, and participants may be working against their will. What is most sinister about these attacks, Gallagher says, is that their evolution and growth means more forced labor as well as more financially devastated victims. But as law enforcement agencies around the world grapple with the threat, detailed insight into the mechanics of these schemes shows how they work and how slippery and adaptive they can be.