Romance scam targets security researcher, hilarity ensues

Happy Valentine's Day! Now don't get fooled

It sounds like the plot of a somewhat far-fetched romcom-slash-thriller Netflix series, maybe billed as You meets Your Place or Mine, dropping just in time for Valentine's Day.

In it, a pig butchering romance scammer targets her next victim: Sophos's lead threat researcher. The security biz would probably want us to make very clear that no one was murdered in the course of this research.

And while Netflix probably won't pick it up for a full series, we have to note the pure stupidity of cybercrime rings targeting a security firm researcher for their con. And yes, that's rings – plural: one based in Hong Kong and the other in Cambodia.

"I was approached by multiple, separate scam operations personally, each running different variations on pig butchering," Sophos's principal threat researcher Sean Gallagher wrote in a blog post today about one of these attempts.

Spoiler alert: Gallagher neither loses his entire life savings nor finds his true love in this tale, which won't cost you a monthly subscription to enjoy.

A Hong Kong-based crew is behind this still-active scam, which uses the MetaTrader 4 application to run a phony gold-trading marketplace. MetaTrader 4 is a legitimate trading app developed by a Russian software company that has been linked to other cryptocurrency scams.

Interestingly, the scammer, posing as a 40-year-old woman named Chen Zimo from Hong Kong, initially reached out to Gallagher via a Twitter direct message as opposed to the more traditional dating app route. The scammer's Twitter profile is still active, despite Sophos reporting it.

"Starting with a 'Hallo,' the scammer engaged me in Twitter direct messages to determine if I was a suitable target for the scam," Gallagher wrote.

Apparently, even disclosing that he was a cybersecurity threat researcher who investigated scams wasn't enough to deter the con artist, who quickly turned the conversation to investing in the gold market.

This scammer wasn't one for small talk or flirty messages, like some other fraudsters who use more elaborate lies to trick targets into investing.

She soon moved the messages off Twitter and onto Telegram. Gallagher checked the phone number linked to the account, which turned out to belong to a UK mobile carrier providing 3G support and Wi-Fi dialing – so essentially, voice over IP – and said the scammer changed the name on the Telegram account to Chen Zimo to match the name on Twitter.

From there, Zimo gave Gallagher the name of a fake market platform designed to look like a legit operation out of Japan. In fact, the phony site for the fictitious company is hosted in Hong Kong, and additional research revealed "nearly identical sites for several other brands," Gallagher wrote.

Zimo then instructed Gallagher to download the mobile app from the fake website – not from the official Google Play, Apple App Store, or Microsoft Store. It turns out the MetaTrader 4 app downloaded from the phony website had been modified: all three app versions' connection data had been altered to add malicious attacker-controlled servers.

Additionally, the iOS application required accepting an enterprise mobile device management profile connecting the victim's phone to a server in China.

From here on out, the scam follows a typical "investment opportunity" script. Gallagher was told to upload a bunch of personally identifying information, including photos of government ID documents and tax identification numbers. Then, had Gallagher been an actual victim, he'd have wired cash to the scammers – an upfront "earnings tax" – and presumably would never have heard from the scammers again.

'Whack-a-mole' infrastructure

Shutting down these and similar scams is like playing "whack-a-mole": when one set of app certificates and infrastructure gets taken down, another springs up quickly to take its place, Gallagher said.

He noted that while most of the fake apps' elements were hosted on Binfang and Alibaba, some content was provided through Cloudflare, and some certificates were staged using Akamai.

The Sophos team also reported the scam to Japan's CERT – because the fake gold-trading brand mimicked a Japanese financial institution – along with Apple, Google, and "others," according to the blog. 

"We reported the initial enterprise app distribution 'team' to Apple, and labeled the domains as malware hosts in our reputation database," Gallagher wrote.

Still, the scammers remained one step ahead and simply moved their operation to new domains, while providing Gallagher with step-by-step instructions on how to access the new download infrastructure and enterprise mobile provisioning profile.

"Because of the fluid nature of the technical side of these scams," Gallagher wrote, "the only reliable defense against them is public awareness of how these threats operate."

Full details of the Cambodian operation will be released under responsible disclosure rules at a later date. ®
