A recent report from security firm Sophos describes how scammers swindled at least $1.4 million from victims lured into installing fake cryptocurrency trading apps distributed outside the App Store through Apple’s Developer Enterprise Program. What makes the scheme notable is that the CryptoCons used fake profiles on dating apps such as Tinder and Bumble to catfish their victims before pitching the “investment.”
Sophos had earlier documented a similar scam targeting both iOS and Android users, with most victims in Asia. The latest campaign, according to Sophos, is worldwide, and iPhone users have lost large sums of money.
“In our initial research, we discovered that the crooks behind these applications were targeting iOS users using Apple’s ad hoc distribution method, through distribution operations known as ‘Super Signature services.’ As we expanded our search based on user-provided data and additional threat hunting, we also witnessed malicious apps tied to these scams on iOS leveraging configuration profiles that abuse Apple’s Enterprise Signature distribution scheme to target victims.”
How are CryptoCons doing this?
One victim from the UK reportedly lost £63,000 (roughly $87,000) after falling in love with one of the CryptoCons. Similar accounts of victims losing large sums have surfaced repeatedly since the scheme was first reported.
How does the scam work? First, the scammers use fake profiles to reach out on Tinder, Bumble, and sometimes Facebook, and soon move the often flirtatious conversation to a private messaging app. Once trust is established, the CryptoCon mentions investing in cryptocurrency and, if the con is going well, suggests one of the fraudulent apps. Once the victim has deposited large sums, they find they cannot withdraw, and the scammers tell them to invest more or pay a “tax” before the funds can be released.
The scammers abuse Apple’s Enterprise Program, which lets them bypass App Store review and deliver the phony apps directly to victims’ phones. An enterprise-signed app will not launch until the user explicitly trusts its developer certificate under Settings > General > VPN & Device Management (labelled Profiles & Device Management on older iOS versions); a consumer being walked through that step by an online “trading partner” should treat it as a red flag.
Sophos wrote in its report, “We have also observed crooks abusing the Apple Enterprise Signature to manage victims’ devices remotely. Apple’s Enterprise Signature program can be used to distribute apps without Apple App Store reviews, using an Enterprise Signature profile and a certificate. Apps signed with Enterprise certificates should be distributed within the organization for employees or application testers, and should not be used for distributing apps to consumers.”
The report also states that a Bitcoin address associated with this con has received more than $1.39 million, and that other addresses are likely involved. Sophos says most victims are iPhone users who were tricked into installing fraudulent mobile device management (MDM) profiles from fake websites, which let the CryptoCons control the phone remotely as a “managed” device, including installing apps on it.
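As an added example (not code from the Sophos report or from this article), the following Python triages the two artefacts the scam depends on before a user trusts them: the provisioning profile embedded in a sideloaded app (`embedded.mobileprovision` inside the IPA, which tells you whether it was enterprise-signed, ad hoc “Super Signature”-signed, or App Store-signed) and a `.mobileconfig` that enrols the phone into an attacker-run MDM. The sample profiles are constructed inline; the team name, bundle ID, UDID and server URL are placeholders, and the CMS wrapper bytes are a stand-in for a real signature, which the script does not verify.

```python
import plistlib
from typing import Optional

# AccessRights bit values for a com.apple.mdm payload, per Apple's MDM protocol
# reference. An enrolment asking for all of them (8191) hands over the phone.
MDM_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock / passcode removal",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management (install/remove apps)",
}


def extract_plist(blob: bytes) -> dict:
    """Signed .mobileprovision and .mobileconfig files are CMS (PKCS#7) DER with
    the XML plist embedded verbatim, so slicing <?xml ... </plist> recovers it.
    The signature is NOT checked here; `security cms -D -i FILE` on macOS does."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded XML plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_provisioning_profile(profile: dict) -> str:
    """Enterprise (in-house) profiles set ProvisionsAllDevices; ad hoc and
    development profiles list explicit device UDIDs; App Store profiles have neither."""
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if profile.get("ProvisionedDevices"):
        debuggable = profile.get("Entitlements", {}).get("get-task-allow", False)
        return "development" if debuggable else "ad-hoc"
    return "app-store"


def mdm_payload_rights(config: dict) -> Optional[dict]:
    """Return the MDM enrolment server and decoded AccessRights from a configuration
    profile, or None when the profile carries no com.apple.mdm payload."""
    for payload in config.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            bits = int(payload.get("AccessRights", 0))
            return {
                "server": payload.get("ServerURL"),
                "rights": [name for bit, name in MDM_RIGHTS.items() if bits & bit],
            }
    return None


def _cms_wrap(xml: bytes) -> bytes:
    # Constructed stand-in for the DER signature bytes around a real signed profile.
    return b"\x30\x82\x01\x2a\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + xml + b"\x31\x82\x00\x10"


# Constructed samples (placeholder team name, bundle ID, UDID and server URL).
ENTERPRISE_PROFILE = _cms_wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>In-House Distribution</string>
  <key>TeamName</key><string>Example Trading Ltd</string>
  <key>ProvisionsAllDevices</key><true/>
  <key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
</dict></plist>""")

ADHOC_PROFILE = _cms_wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Super Signature Ad Hoc</string>
  <key>ProvisionedDevices</key><array><string>00008030-000000000000000E</string></array>
  <key>Entitlements</key><dict><key>get-task-allow</key><false/></dict>
</dict></plist>""")

MDM_CONFIG = _cms_wrap(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Crypto Wallet Setup</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>ServerURL</key><string>https://mdm.example.invalid/mdm</string>
    <key>AccessRights</key><integer>8191</integer>
  </dict></array>
</dict></plist>""")

if __name__ == "__main__":
    for label, blob in (("enterprise", ENTERPRISE_PROFILE), ("ad hoc", ADHOC_PROFILE)):
        print(label, "->", classify_provisioning_profile(extract_plist(blob)))
    print("mdm ->", mdm_payload_rights(extract_plist(MDM_CONFIG)))
```

For a real IPA, unzip it and feed `Payload/<App>.app/embedded.mobileprovision` to `extract_plist`; a result of `enterprise` on an app a stranger sent you is exactly the pattern Sophos describes. For a `.mobileconfig`, a `com.apple.mdm` payload with a `ServerURL` you do not recognise and `install/remove provisioning profiles` or `app management` among its rights means installing it lets that server push apps to the phone.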