‘Crypto-Rom’ Scam Makes $1.4m Through Using Apple Enterprise Features!

‘Crypto-Rom’ Scam Makes $1.4m Through Using Apple Enterprise Features!

‘Pyramid-scheme’ cryptocurrency scammers are exploiting Apple’s Enterprise Developer Program to get phoney trading apps onto their target’s iPhones. So far, so good: They’ve stolen at least $1.4m so far.

The campaign, which uses the Apple Developer Program & Enterprise Signatures to get past Apple’s app review process, remains active.

Investment Opportunity

That’s according to Sophos Labs, which observed it on dating sites.

“They strike up a friendship, using the dating game as a ruse, but then quickly move to money, this time in the guise of them doing you a big favour by offering you a chance to join an ‘unbeatable’ investment opportunity,” researchers said in a Wed.  posting.

That investment opportunity involves cryptocurrency trading, with the offer to invest money into crypto coins in order to reap big profits. To lend a shell of legitimacy, the crooks offer an “official” iPhone app, supposedly approved by Apple.

The App Store

“The App Store, like Google’s Play Store equivalent for Android, is by no means immune to malware, fleeceware & other badware apps,” Sophos researchers pointed out. “But totally bogus cryptocurrency trading apps, based on totally bogus trading platforms, rarely make it through.”

Instead, the scammers are using a ‘loophole’ that allows enterprise mobile device management (MDM) programs to control corporate-owned iOS devices, according to Sophos’ analysis, via Apple’s Enterprise Developer program – specifically, the Apple Enterprise/Corporate Signature feature.

Lock Codes

As the firm explained in its report: “Companies who enrol staff devices into Apple’s remote management system by means of…an MDM profile…can remotely wipe devices, unilaterally or on request, block access to company data, enforce specific security settings such as lock codes & lock timeouts…& (this is the feature the crooks are after!) they can install bespoke corporate apps intended for employees only.”

The confidence aspect of the scam involves convincing the target, who has been cultivated via a dating site, to allow the crook to enrol the device into “the program,” which is really an MDM that’s compatible with Apple’s platform. Then comes installation of the supposed cryptocurrency-related app, which is a fake version of the Bitfinex cryptocurrency trading application.

iPhone

“The crooks persuade you, for example on the basis of a friendship carefully cultivated via a dating site, into giving them the same sort of administrative power over your iPhone that is usually reserved for companies managing corporate-owned devices,” researchers noted.

The app is, of course, ‘made of lies & misery’.

“There’s no trading platform behind it; your ‘investments’ aren’t used to buy any sort of cryptocurrency, not even a volatile or little-known one,” according to Sophos.

“Any ‘trades’ & ‘profits’ reported by the app are imaginary; if you are ever allowed to withdraw any of your ‘profits’ in order to build up trust, the crooks will simply give you a tiny bit of your own money back; & when you want to cash out your ‘investment,’ you realise that it’s all smoke & mirrors.”

Signature for Scamming

The technological underpinning of the scam involves the Apple Enterprise Signature feature, says the Sophos’ investigation.

“Apple’s Enterprise Signature program can be used to distribute apps without Apple App Store reviews, using an Enterprise Signature profile & a certificate,” researchers explained.

“Apps signed with Enterprise certificates should be distributed within the organisation for employees or application testers & should not be used for distributing apps to consumers…so apps do not have to be submitted to the Apple App Store for review.”

Enterprise Certificate

Regarding these “crypto-rom” gambits, Apple’s Enterprise provisioning system is an Achilles heel on the Apple platform. The iOS-using mark is asked to visit a scammer-controlled site, where an MDM profile is downloaded to their device. This is signed with an Enterprise certificate that helps convince the user that everything is Apple-approved.

The user is asked to trust the profile, after which the server prompts the user to install the bogus app from a page that looks like Apple’s App Store, complete with fake reviews.

Apple Signatures

Sophos noted that the abuse of the program in this way is made worse by the rise of 3rd-party commercial services which offer Enterprise Signature certificate distribution, including unscrupulous outfits that highlight the ability to evade App Store review.

“There are several commercial services selling Apple signatures for apps that can be purchased for a couple of 100 dollars,” according to Sophos researchers.

“There are different versions of signatures: Stable versions which are expensive & less stable ones that are cheaper. The cheaper version is probably preferred by the crooks as it is easy to rotate to a new one when the old signature gets noticed & blocked by Apple.”

Targeted Scams

Apple has cracked down on the use of Enterprise certificates for distributing apps to consumers, Sophos noted, but the scammers appear to be moving towards more targeted scams that may be harder for Apple to find.

“In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” researchers noted.

Crypto-Scams & Certificate Fraud

This particular scam campaign remains active, Sophos warned, with new victims becoming embroiled in it every day. Also, it should be noted that in general, romance scams remain the most successful fraud strategy for cybercrooks & represent a growing sector, according to the US Federal Trade Commission.

Last year, romance schemes accounted for a record $30m, according to new data – up about 50% from 2019.

Best Practices

With really no chance of recouping any losses from these efforts, Sophos offered the following best practices for protecting oneself:

  • Take your time when “dating site” talk turns from friendship, love, or romance to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. The other person could simply have read your various online profiles carefully in advance.
  • Never give administrative control over your phone to someone with no genuine reason to have it.
  • Never click [Trust] on a dialog that asks you to enrol in remote management unless it’s from someone you already have an employment contract with, the conditions have been clearly explained to you in advance, & you understand and accept the reasons for enrolling your phone.
  • Don’t be fooled by app descriptions that claim approval from Apple, & vet the reviews carefully.
  • Listen openly to friends & family if they try to issue a warning. Criminals who use romance or dating as a lure think nothing of deliberately setting victims against their families as part of their scams.

Devastating Effect

“While institutions dealing with cryptocurrency have started implementing know your customer rules, the lack of wider regulation of cryptocurrency will continue to draw criminal enterprises to these sorts of schemes & make it extremely difficult for victims of fraud to get their money back,” warned Sophos researchers.

“These scams can have a devastating effect on the lives of their victims.”

https://www.cybernewsgroup.co.uk/virtual-conference-november-2021/

SHARE ARTICLE