CryptoRom Scam Rakes in $1.4M by Exploiting Apple Enterprise Features

The campaign, which uses the Apple Developer Program and Enterprise Signatures to get past Apple’s app review process, remains active.

Pyramid-scheme cryptocurrency scammers are exploiting Apple’s Enterprise Developer Program to get bogus trading apps onto their marks’ iPhones, and they have made off with at least $1.4 million in ill-gotten gains so far.

That’s according to Sophos Labs, which observed the scam making the rounds on dating sites.

“They strike up a friendship, using the dating game as a ruse, but then quickly move to money, this time in the guise of them doing you a big favor by offering you a chance to join an ‘unbeatable’ investment opportunity,” researchers said in a Wednesday posting.


That investment opportunity involves cryptocurrency trading, with the offer to invest money into cryptocoins in order to reap big profits. To lend a veneer of legitimacy, the crooks offer an “official” iPhone app, purportedly approved by Apple.

“The App Store, like Google’s Play Store equivalent for Android, is by no means immune to malware, fleeceware and other badware apps,” Sophos researchers pointed out. “But totally bogus cryptocurrency trading apps, based on totally bogus trading platforms, rarely make it through.”

So instead, the scammers are using a loophole, according to Sophos’ analysis: Apple’s Enterprise Developer Program, specifically its Enterprise/Corporate Signature feature, combined with the mobile device management (MDM) mechanism that lets companies control corporate-owned iOS devices.

As the firm explained in its report: “Companies who enroll staff devices into Apple’s remote management system by means of…an MDM profile…can remotely wipe [devices], unilaterally or on request, block access to company data, enforce specific security settings such as lock codes and lock timeouts…and (this is the feature the crooks are after!) they can install bespoke corporate apps intended for employees only.”

Thus, the confidence game aspect of the scam involves convincing the target, who has been cultivated via a dating site, to allow the crook to enroll the device into “the program,” which is really an MDM that’s compatible with Apple’s platform. Then comes installation of the supposed cryptocurrency-related app, which is a fake version of the Bitfinex cryptocurrency trading application.

Source: Sophos.

“The crooks persuade you, for example on the basis of a friendship carefully cultivated via a dating site, into giving them the same sort of administrative power over your iPhone that is usually reserved for companies managing corporate-owned devices,” researchers noted.

The app is, of course, made of lies and misery.

“There’s no trading platform behind it; your ‘investments’ aren’t used to buy any sort of cryptocurrency, not even a volatile or little-known one,” according to Sophos. “Any ‘trades’ and ‘profits’ reported by the app are imaginary; if you are ever allowed to withdraw any of your ‘profits’ in order to build up trust, the crooks will simply give you a tiny bit of your own money back; and when you want to cash out your ‘investment,’ you realize that it’s all smoke and mirrors.”

Signature a-Go-Go for Scamming

The specific technological underpinning of the scam involves the Apple Enterprise Signature feature, according to Sophos’ investigation.

“Apple’s Enterprise Signature program can be used to distribute apps without Apple App Store reviews, using an Enterprise Signature profile and a certificate,” researchers explained. “Apps signed with Enterprise certificates should be distributed within the organization for employees or application testers, and should not be used for distributing apps to consumers…[so] apps do not have to be submitted to the Apple App Store for review.”

In the case of these “crypto-rom” gambits, Apple’s Enterprise provisioning system is an Achilles heel on the Apple platform. The iOS-using mark is asked to visit a scammer-controlled site, where an MDM profile is downloaded to their device. This is signed with an Enterprise certificate that helps convince the user that everything is Apple-approved and kosher. The user is asked to trust the profile, after which the server prompts the user to install the bogus app from a page that looks like Apple’s App Store, complete with fake reviews.
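As an added illustration for this story, not code from Sophos’ report or anything Apple ships, the following Python script triages the two artefacts in that chain: the .mobileconfig a victim is asked to “Trust” (does it carry an MDM payload, and may that server push apps to the device?) and the provisioning profile inside the resulting IPA (enterprise, ad hoc, development or App Store, which is the only kind that implies Apple reviewed the app). The sample profiles are constructed, and the 4096 “app management” bit in AccessRights is taken from Apple’s MDM protocol reference and should be confirmed against the current version of that document.

```python
"""Triage for the two artefacts in the CryptoRom chain: the .mobileconfig the
victim is asked to Trust (carrying the MDM enrolment payload) and the
provisioning profile inside the signed IPA. Added example for this article, not
Sophos' or Apple's code; samples are constructed, AccessRights bit is assumed."""
import plistlib
from datetime import datetime, timezone

# AccessRights bit letting the MDM server install/remove managed apps
# (4096 per Apple's MDM protocol reference; an assumption to re-check).
ACCESS_RIGHT_APP_MANAGEMENT = 4096


def extract_plist(blob):
    """Parse a plain plist, or the plist inside a CMS-wrapped .mobileprovision.
    The signed content is the XML itself, so slicing between the header and
    </plist> suffices for triage; this does NOT verify the CMS signature."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found in blob")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_provisioning_profile(blob, now=None):
    """How can an app signed under this profile reach a device? Only the
    'app-store' kind implies the app went through Apple's review."""
    p = extract_plist(blob)
    ents = p.get("Entitlements", {})
    if p.get("ProvisionsAllDevices"):
        kind = "enterprise"  # in-house: installs on any device, no review
    elif "ProvisionedDevices" in p:
        kind = "development" if ents.get("get-task-allow") else "ad-hoc"
    else:
        kind = "app-store"  # distribution profile for a reviewed submission
    exp = p.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if exp is not None and exp.tzinfo is None:
        exp = exp.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return {
        "kind": kind,
        "reviewed_by_apple": kind == "app-store",
        "team": p.get("TeamName"),
        "team_id": (p.get("TeamIdentifier") or [None])[0],
        "expired": exp is not None and exp < now,
    }


def mdm_findings(mobileconfig):
    """List each MDM payload: who the device would be enrolled with and
    whether that server is granted the right to push apps onto it."""
    p = extract_plist(mobileconfig)
    out = []
    for payload in p.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        rights = int(payload.get("AccessRights", 0))
        out.append({
            "display_name": p.get("PayloadDisplayName"),
            "server_url": payload.get("ServerURL"),
            "access_rights": rights,
            "can_manage_apps": bool(rights & ACCESS_RIGHT_APP_MANAGEMENT),
        })
    return out


# Constructed samples, not real artefacts. Junk bytes stand in for the CMS
# envelope around the enterprise profile's plist.
SAMPLE_ENTERPRISE_PROFILE = b"\x30\x82\x0c\x00\x06\x09" + plistlib.dumps({
    "TeamName": "Example Signing Reseller Ltd",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime(2099, 1, 1),
    "Entitlements": {"get-task-allow": False},
}) + b"\x00\x00"

SAMPLE_EXPIRED_ADHOC_PROFILE = plistlib.dumps({
    "TeamIdentifier": ["FGHIJ67890"],
    "ProvisionedDevices": ["00008030-000000000000002E"],
    "ExpirationDate": datetime(2020, 1, 1),
    "Entitlements": {"get-task-allow": False},
})

SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Apple Trading Program",  # the lure: looks official
    "PayloadContent": [{
        "PayloadType": "com.apple.mdm",
        "ServerURL": "https://mdm.example.invalid/server",
        "CheckInURL": "https://mdm.example.invalid/checkin",
        "AccessRights": 8191,  # every right, app management included
    }],
})

if __name__ == "__main__":
    print(classify_provisioning_profile(SAMPLE_ENTERPRISE_PROFILE))
    print(classify_provisioning_profile(SAMPLE_EXPIRED_ADHOC_PROFILE))
    print(mdm_findings(SAMPLE_MOBILECONFIG))
```

For a real IPA, unzip it and feed the .app bundle’s embedded.mobileprovision to classify_provisioning_profile; a genuine App Store build ships with no such file at all, which is itself the sign that the app went through review. The slice-and-parse shortcut reads what the profile claims without verifying the CMS signature, so it tells you how the app can be installed, not who actually signed it.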

Sophos noted that the abuse of the program in this way is exacerbated by the rise of third-party commercial services which offer Enterprise Signature certificate distribution, including unscrupulous outfits that highlight the ability to evade App Store review.

“There are several commercial services selling Apple signatures for apps that can be purchased for [a] couple of hundred dollars,” according to Sophos researchers. “There are different versions of signatures: Stable versions which are expensive and less stable ones that are cheaper. The cheaper version is probably preferred by the crooks as it is easy to rotate to a new one when the old signature gets noticed and blocked by Apple.”

Apple has cracked down on the use of Enterprise certificates for distributing apps to consumers, Sophos noted, but the scammers appear to be moving towards more targeted scams that may be harder for Apple to pick up.

“In order to mitigate the risk of these scams targeting less sophisticated users of iOS devices, Apple should warn users installing apps through ad hoc distribution or through enterprise provisioning systems that those applications have not been reviewed by Apple,” researchers noted.

Apple did not immediately return a request for comment.

How to Avoid Crypto-Scams and Certificate Fraud

This particular scam campaign remains active, Sophos warned, with new victims becoming embroiled in it every day. More broadly, romance scams remain the most lucrative fraud category tracked by the Federal Trade Commission: last year, romance schemes accounted for a record $304 million in reported losses, up about 50 percent from 2019.

With essentially no chance of recouping any losses from these efforts, Sophos offered the following best practices for protecting oneself:

  • Take your time when “dating site” talk turns from friendship, love or romance to money. Don’t be swayed by the fact that your new “friend” happens to have a lot in common with you. The other person could simply have read your various online profiles carefully in advance.
  • Never give administrative control over your phone to someone with no genuine reason to have it.
  • Never click [Trust] on a dialog that asks you to enroll in remote management unless it’s from someone you already have an employment contract with, the conditions have been clearly explained to you in advance, and you understand and accept the reasons for enrolling your phone.
  • Don’t be fooled by app descriptions that claim approval from Apple, and vet the reviews carefully.
  • Listen openly to friends and family if they try to issue a warning. Criminals who use romance or dating as a lure think nothing of deliberately setting victims against their families as part of their scams.

“While institutions dealing with cryptocurrency have started implementing know your customer rules, the lack of wider regulation of cryptocurrency will continue to draw criminal enterprises to these sorts of schemes, and make it extremely difficult for victims of fraud to get their money back,” warned Sophos researchers. “These scams can have a devastating effect on the lives of their victims.”
