by Paul Ducklin
Sadly, we’ve needed to write and warn about romance scams and romance scammers many times in recent years.
Indeed, in February 2021 we published an article entitled Romance scams at all-time high: here’s what you need to know, following a report from the US Federal Trade Commission (FTC), America’s official consumer protection watchdog, warning that romance scammers are making more money than ever before.
Victims in the US were tricked out of more than $300 million in 2020, up from $200 million in 2019.
Conventional romance scams are what we often refer to as “long game” confidence tricks, where someone you meet online, typically on a dating site, manages to convince you: [a] that they’re a real person with the life history they claim; [b] that they’re love with you; and, most importantly of all, [c] that you are in love with them.
After weeks, perhaps months, of careful ground work, the illusory lover turns the talk towards money, and gradually convinces you to part with more and more of it, thanks to an ever-evolving series of ruses, abuses and excuses that practised cyberscammers can sometimes maintain for weeks, months or even years.
They still use dating sites to select, stalk and groom their victims, but instead of investing weeks or months progressing from friendship, through love, romance and perhaps even fraudulent betrothal, to the “fleecing” phase…
…they strike up a friendship, using the dating game as a ruse, but then quickly move to money, this time in the guise of them doing you a big favour by offering you a chance to join an “unbeatable” investment opportunity.
As you can imagine, the “investment” that they propose typically involves cryptocoins, but to add a veneer of legitimacy, these cryptorom crooks, as we’ve dubbed them (crypto- from “cryptocurrency” and -rom from “romance scam”), invite you to install an “official” app in order to join the scheme.
All those dubious excuses needed by traditional romance scammers to talk you into using wire transfer services to send money, or into buying them gift cards and sending through the redemption codes, are replaced by a sense of structure: there’s a genuine app for this investment!
In fact, the cryptorom scammers will even offer you an app if you have an iPhone, where Apple’s “walled garden” approach of requiring all consumer app downloads to come from the Apple App Store almost certainly persuades many victims that the cryptorom app must indeed have some sort of official authorisation or approval.
But totally bogus cryptocurrency trading apps, based on totally bogus trading platforms, rarely make it through. (Generally speaking, trading apps and platforms are supposed to comply with a whole bunch of regulations in additional to Apple’s own.)
So these crooks bypass the App Store entirely, using a series of tricks explained in a new SophosLabs research report entitled CryptoRom fake iOS cryptocurrency apps hit US, European victims for at least $1.4 million.
The technological basis for these scam apps is surprisingly simple: the crooks persuade you, for example on the basis of a friendship carefully cultivated via a dating site, into giving them the same sort of administrative power over your iPhone that is usually reserved for companies managing corporate-owned devices.
Companies who enrol staff devices into Apple’s remote management system, by means of what’s known as an MDM (mobile device management) profile, do so in order to take an active role in the protection, monitoring and control of those devices.
Typically, they can remotely wipe them, unilaterally or on request, block access to company data, enforce specific security settings such as lock codes and lock timeouts…
…and (this is the feature the crooks are after!) they can install bespoke corporate apps intended for employees only.
This “loophole” allows companies to bypass the App Store for proprietary apps that aren’t supposed to be available for anyone to download.
So, the cryptorom crooks exploit this Enterprise Provisioning feature by tricking you into treating them as if they were your employer, and as if they had a reasonable need or right to exercise almost complete control over your device.
In one fraudulent app deployment process that SophosLabs investigated, the criminals even used the “Description” field in the their fake app to claim that their off-market software was “authorised by Apple to be safe and reliable”:
Of course, the app isn’t a trading program at all.
There’s no trading platform behind it; your “investments” aren’t used to buy any sort of cryptocurrency, not even a volatile or little-known one; any “trades” and “profits” reported by the app are imaginary; if you are ever allowed to withdraw any of your “profits” in order to built up trust, the crooks will simply give you a tiny bit of your own money back; and when you want to cash out your “investment”…
…you realise that it’s all smoke and mirrors, what’s known in the jargon as a pyramid or Ponzi scheme.
[Trust]on a dialog that asks you to enrol in remote management unless it’s from someone you already have an employment contract with who, the conditions have been clearly explained to you in advance, and you understand and accept the reasons for enrolling your phone.
YOU MIGHT ALSO LIKE: