It sounds like the plot of a somewhat far-fetched romcom-slash-thriller Netflix series, maybe billed as You meets Your Place or Mine, dropping just in time for Valentine’s Day.
In it, a pig butchering romance scammer targets her next victim: Sophos’s lead threat researcher. The security biz would probably want us to make very clear that no one was murdered in the course of this research.
And while Netflix probably won’t pick it up for a full series, we have to note the pure stupidity – of cybercrime rings targeting a security firm researcher for their con. And yes, that’s rings – plural; one based in Hong Kong and the latter in Cambodia.
“I was approached by multiple, separate scam operations personally, each running different variations on pig butchering,” Sophos’s principal threat researcher Sean Gallagher wrote in a blog post today about one of these attempts.
Spoiler alert: Gallagher neither loses his entire life savings nor finds his true love in this tale, which won’t cost you a monthly subscription to enjoy.
A Hong Kong-based crew is behind this still-active scam, which uses the MetaTrader 4 application to run a phony gold-trading marketplace. MetaTrader 4 is a legitimate trading app developed by a Russian software company that has been linked to other cryptocurrency scams.
Interestingly, the scammer, posing as a 40-year-old woman named Chen Zimo from Hong Kong, initially reached out to Gallagher via a Twitter direct message as opposed to the more traditional dating app route. The scammer’s Twitter profile is still active, despite Sophos reporting it.
“Starting with a ‘Hallo,’ the scammer engaged me in Twitter direct messages to determine if I was a suitable target for the scam,” Gallagher wrote.
Apparently, even disclosing that he was a cybersecurity threat researcher who investigated scams wasn’t enough to deter the con artist, who quickly turned the conversation to investing in the gold market.
This scammer wasn’t one for small talk or flirty messages, like some other fraudsters who use more elaborate lies to trick targets into investing.
She soon moved the messages off of Twitter and onto Telegram. Gallagher checked the phone number linked to the account, which turned out to be a UK mobile carrier providing 3G support and Wi-Fi dialing – so essentially, voice over IP – and said the scammer changed the name on the Telegram account to Chen Zimo to match the name on Twitter.
From there, Zimo gave Gallagher the name of a fake market platform designed to look like a legit operation out of Japan. In fact, the phony site for the fictitious company is hosted in Hong Kong, and additional research revealed “nearly identical sites for several other brands,” Gallagher wrote.
Zimo then instructed Gallagher to download the mobile app from the fake website – not from the official Google Play, Apple App Store, or Microsoft Store. It turns out the MetaTrader 4 app downloaded from the phony website had been modified: all three app versions’ connection data had been altered to add malicious attacker-controlled servers.
Additionally, the iOS application required accepting an enterprise mobile device management profile connecting the victim’s phone to a server in China.
From here on out, the scam follows a typical “investment opportunity” script. Gallagher was told to upload a bunch of personally identifying information, including photos of government ID documents and tax identification numbers. Then, had Gallagher been an actual victim, he’d have wired cash to the scammers – an upfront “earnings tax” – and presumably would never have heard from the scammers again.
Shutting down these and similar scams like playing “whack-a-mole”: when one set of app certificates and infrastructure gets taken down, another springs up quickly to take its place, Gallagher said.
He noted that while most of the fake apps’ elements were hosted on Binfang and Alibaba, some content was provided through Cloudflare, and some certificates were staged using Akamai.
The Sophos team also reported the scam to Japan’s CERT – because the fake gold-trading brand mimicked a Japanese financial institution – along with Apple, Google, and “others,” according to the blog.
“We reported the initial enterprise app distribution ‘team’ to Apple, and labeled the domains as malware hosts in our reputation database,” Gallagher wrote.
Still, the scammers remained one step ahead and simply moved their operation to new domains, while providing Gallagher with step-by-step instructions on how to access the new download infrastructure and enterprise mobile provisioning profile.
“Because of the fluid nature of the technical side of these scams,” Gallagher wrote, “the only reliable defense against them is public awareness of how these threats operate.”
Full details of the Cambodian operation will be released under responsible disclosure rules at a later date. ®