Hog Slicing Scam Apps Infiltrate Apple’s App Store and Google Play – Ars Technica
In the past year, a new term has emerged to describe an online scam that makes millions, if not billions, of dollars each year. It’s called “pig slaughtering,” and now even Apple is tricked into participating.
Researchers at security firm Sophos said Wednesday they had discovered two apps on the App Store that were part of an elaborate network of tools used to trick people into sending large sums of money into bogus investment scams. At least one of these apps made it to Google Play, but that market is notorious for the number of malicious apps that bypass Google’s checks. Sophos said this was the first time it had seen such apps on the App Store, and that a previous app identified in this type of fraud was legitimate and later exploited by bad actors.
Pig butchering relies on a rich combination of apps, websites, web stores, and people—in some cases, victims of human trafficking—to build trust over weeks or months, often under the guise of romantic interest and financial advice. , or a successful investor. Eventually, the online discussion turns to investments, usually involving cryptocurrencies, that the scammer claims has made him huge sums of money. The scammer then asks the victim to participate.
Once a brand deposits money, the fraudsters will initially allow them to withdraw. The scammers eventually lock the account and claim they need a deposit of 20 percent of their balance to get it back. Even after the deposit is paid, the money is not returned, and the scammers come up with new reasons why the victim should send more money. The term pig slaughter comes from the fact that the farmer fattens the pig months before it is slaughtered.
Abuse of trust in the App Store
Sophos said it recently found two iOS listings in the App Store that were used for CryptoRom, a pork butcher that uses romantic overtures to boost its victims’ confidence. The first was called Ace Pro and claimed to be an app for scanning QR codes.
The second app was MBM_BitScan, which billed itself as a real-time data tracker for cryptocurrencies. One victim, Sophos tracked, dropped about $4,000 into the app before realizing it was fake.
Apple has a reputation, guaranteed or otherwise, of filtering out malicious apps before they hit the App Store. Combined with the detailed fake online profiles and elaborate backstories that fraudsters use to lure victims, the app’s presence in the App Store made the scam even more convincing.
“If criminals can get past these controls, they can gain access to millions of devices,” the Sophos researchers wrote. “This is what makes it more dangerous for CryptoRom victims, as most of these targets are more likely to trust the source if it comes from the official Apple App Store.”
Apple representatives did not respond to an email seeking an interview for this story. In a statement from the company, which the representative provided on the condition that it was background, the company said that one of the submitted apps provided QR scanning and another provided cryptocurrency tracking. As soon as the bait and switch came to light, Apple removed them. The representative also cited a recent study that found the App Store stopped nearly $1.5 billion in fraudulent transactions in 2021 and prevented more than 1.6 million risky and untrustworthy apps and app updates from deceiving you that year the users.
Google PR also declined an interview, but said in an email that the company removed the app after receiving a warning from Sophos.
Ace Pro and MBM_BitScan bypassed Apple’s vetting process and used remote content downloaded from hard-coded web addresses to provide their malicious functionality. When Apple reviewed the apps, the websites were likely providing benign content. Eventually, that changed.
For example, Ace Pro started sending requests to the rest.apizza domain[.]net, which would then respond with the acedealex content[.]xyz which would provide the fake trading interface. MBN_BitScan reached a server hosted by Amazon, which in turn invited flyerbit8[.]com, a domain designed to look like the legitimate Bitcoin service bitFlyer.
The process looked something like this:
The fake interface made it look like users could deposit money and submit customer service requests in real time. To get victims started, the fraudsters instructed them to transfer money to the Binance exchange, and then from Binance to the fake app.
Pre-written scripts, confiscated passports and violence
The organizational structure of fraudsters is also developed. After hacking in China and Taiwan and achieving success, the Chinese authorities finally took action. Some of the gangs fled to Cambodia and other small Southeast Asian countries.
According to Chinese law enforcement groups targeting CryptoRom fraudsters, the fraudsters mimic a corporate structure. At the top is a head office that oversees the operation and wash revenues. In the middle is a franchise or subsidiary with which the head office contracts. The franchisee oversees the next level. This level includes a front desk with logistics such as human trafficking and website management, a technology team to run websites and apps, and a finance team to manage local financial operations.
At the bottom are the keyboardists who do the most interaction with the victims.
Sophos researchers explained:
At the time of COVID-19, many underdeveloped countries did not have jobs or enough social benefits to support those affected by the economic disruptions. This has led many young people to accept job offers promising high salaries in special economic zones in other countries. Many of these were fraudulent job offers involving pig butchering rings; When the workers arrived, they were taken to CryptoRom centers and their passports were confiscated.
Keyboardists are often victims of human trafficking, brought in from countries such as China, Malaysia and India with the promise of better paying work. They are trained with pre-written scripts that guide them on how to contact, what to say to their victims and how to get them to invest. If they want to leave or do not follow the script, they are allegedly subjected to violence.
It’s easy to read the details of these scams and wonder how anyone could fall for them. Sophos and others say the victims taken in are often well-educated, some with doctorates. Some of the techniques responsible for success include the length of time the fraudsters have been in contact with their victims and demonstrating that an initial withdrawal is possible.
With the emotional vulnerability of some victims, the rise of app-based financing, and the unwitting role of companies like Apple and Google, these and other techniques have proven effective.