The recently discovered cryptocurrency trading scam makes the rounds on dating websites and uses Apple Developer Program and Enterprise Signatures to sneak past Apple’s app review process.
The Cryptocurrency Trading Scam Earned Attackers At Least $1.4 Million So Far
According to Sophos Labs, pyramid-scheme cryptocurrency scammers are exploiting Apple’s Enterprise Developer Program to push fake trading apps onto their targets’ iPhones. So far, they’ve earned at least $1.4 million in illicit gains.
Researchers observed the campaign hitting dating sites.
“They strike up a friendship, using the dating game as a ruse, but then quickly move to money, this time in the guise of them doing you a big favor by offering you a chance to join an ‘unbeatable’ investment opportunity,” Sophos noted in a Wednesday post.
That opportunity involves cryptocurrency trading with the promise of big profits. To make the scam appear legit, the bad guys even offer an “official” iPhone app.
“The App Store, like Google’s Play Store equivalent for Android, is by no means immune to malware, fleeceware, and other badware apps,” Sophos researchers indicated. “But totally bogus cryptocurrency trading apps, based on totally bogus trading platforms, rarely make it through.”
The attackers are exploiting a loophole that allows enterprise MDM (mobile device management) programs to seize control over corporate-owned iOS devices, abusing the Apple Enterprise Signature feature.
As Sophos said in its recent report, “Companies who enroll staff devices into Apple’s remote management system by means of…an MDM profile…can remotely wipe [devices], unilaterally or on request, block access to company data, enforce specific security settings such as lock codes and lock timeouts…and (this is the feature the crooks are after!) they can install bespoke corporate apps intended for employees only.”
The trust built up earlier through the dating-site social engineering is therefore vital to the CryptoRom scam: it persuades the target to let the attacker enroll the device into ‘the program.’ The program is nothing more than an MDM compatible with Apple’s platform. Once enrolled, the supposed cryptocurrency app, a bogus version of the legitimate Bitfinex trading app, is installed onto the victim’s device.
“The crooks persuade you, for example on the basis of a friendship carefully cultivated via a dating site, into giving them the same sort of administrative power over your iPhone that is usually reserved for companies managing corporate-owned devices,” researchers explained.
The would-be trading app is, of course, bogus.
“There’s no trading platform behind it; your ‘investments’ aren’t used to buy any sort of cryptocurrency, not even a volatile or little-known one,” according to Sophos. “Any ‘trades’ and ‘profits’ reported by the app are imaginary; if you are ever allowed to withdraw any of your ‘profits’ in order to build up trust, the crooks will simply give you a tiny bit of your own money back; and when you want to cash out your ‘investment,’ you realize that it’s all smoke and mirrors.”
Apple Enterprise Signature Feature – The Perfect Loophole
Sophos’ investigation revealed that the scam relies on the Apple Enterprise Signature feature.
“Apple’s Enterprise Signature program can be used to distribute apps without Apple App Store reviews, using an Enterprise Signature profile and a certificate,” researchers explained. “Apps signed with Enterprise certificates should be distributed within the organization for employees or application testers, and should not be used for distributing apps to consumers…[so] apps do not have to be submitted to the Apple App Store for review.”
In the case of these CryptoRom scams, the target is asked to visit a scammer-controlled website, where an MDM profile is downloaded to the device. The profile is signed with an Enterprise certificate, which convinces the victim that the whole thing is Apple-approved. Next, the server instructs the user to install the fake cryptocurrency trading app from an App Store copycat page, complete with bogus reviews.
Sophos researchers added that abuse of the program is made easier by the growing number of third-party commercial services that sell Enterprise Signature certificate distribution, some of which openly advertise the ability to circumvent the App Store review process.
“There are several commercial services selling Apple signatures for apps that can be purchased for [a] couple of hundred dollars,” according to Sophos researchers. “There are different versions of signatures: Stable versions which are expensive and less stable ones that are cheaper. The cheaper version is probably preferred by the crooks as it is easy to rotate to a new one when the old signature gets noticed and blocked by Apple.”
Sophos noted that the hackers seem to run more targeted scams that may be difficult for Apple to spot.
“In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” researchers said.