Thieves have used a combination of social media, dating apps, cryptocurrency, and abuse of Apple's Enterprise Developer program to steal at least $1.4 million from unsuspecting victims.
A scam circulating for six months has evolved to impact iOS users. The CryptoRom fraud implementation is fairly straight-forward — after gaining a victim's trust through social media or existing data apps, users are fooled into installing a modified version of a cryptocurrency exchange, baited into investing, and then defrauded out of cash.
After gaining the trust of the victim through the dating apps, scammers start discussing cryptocurrency investments. They are then directed to a website that looks like the Apple App Store, and then told to download a Mobile Device Management profile, giving control of a number of features, and the ability to use signed apps made by the fraudsters.
Upon returning to the fake App Store webpage, the unsuspecting user is then prompted to download an app signed with a certificate associated with the Mobile Device Management profile through either Apple Enterprise provisioning or the Super Signature distribution method. The app in question is a bogus version of the Bitfinex cryptocurrency trading application.
The victim is then convinced to make a small investment into a cryptocurrency as a proof of concept, and is allowed to withdraw the profits. When a larger deposit is made, the victim finds that it cannot be withdrawn and is told by the assailant either just pulls the money for themself, that more must be invested, or a tax must be paid to pull the money out.
A report from Sophos details the volume of money lost. Specifically, one victim lost about $87,000, with other reports finding $45,000 and $25,000 losses. There doesn't appear to be any one social media or dating service mainly used by the fraudsters, with accounts of losses coming from users who tried to find a partner on Facebook, Bumble, Tinder, and Grindr before moving to other private messaging services.
The researchers found one BitCoin address that had just under $1.4 million transferred to it. Given that there are likely multiple addresses in use for the scheme, the number is likely higher.
"This scam campaign remains active, and new victims are falling for it every day, with little or any prospect of getting back their lost funds," wrote Sophos. "In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple."
Sophos says that they have shared details of the scam with Apple. As of Thursday morning, the researchers have not received a response.
How to avoid CryptoRom attacks
As more and more cryptocurrency exchanges start verifying customers, and making sure that a pair of cryptocurrency exchangers have a valid connection, this type of attack may start to wane. However, the lack of wide crypto regulation will always make it a vector of concern.
A better stop to this particular attack is users being aware that misused device management profiles can provide assailants a wide array of device accesses, including the ability to remotely control the device in extreme cases. Not installing profiles beyond what a corporate-owned device needs would stop this attack in its tracks, as it would prevent the use of the bogus app in the first place.
Beyond that, not installing apps outside the app store would also have stopped the thefts.