Deepfakes, QR codes, fake applications and other cryptocurrency frauds
Fraudsters impersonating another person live
Fraudsters often impersonate someone else, and the crypto world is no exception. In January, an attacker used a messenger to impersonate a journalist from CoinDesk, a cult publication about cryptocurrencies. The criminal offered to “publish” a positive article about a PR woman's project for only $600. The deception failed, but the publication found two victims who believed the fraudsters and paid them. How many such people there actually are is unknown.
But correspondence is yesterday's method. Fraudsters are beginning to master video calls, using pre-prepared videos featuring crypto celebrities or making videos of fake people with deepfake technology. In the first case, they watch many videos of a famous person (speeches, live broadcasts and presentations) and cut the most universal fragments from them. In the second, they make a fake but realistic video in which a person does something that never actually happened. Using machine learning, other faces are superimposed on the people in the video, and they look so natural that they can hardly be distinguished from real ones. Fraudsters can even combine the two methods.
This spring, attackers tried to get $32,000 from Kyle Pierce, co-founder and lead developer of the blockchain startup uPlexa, by posing as the infamous crypto entrepreneur Justin Sun, founder of the TRON Foundation. Pierce described this on his blog on May 24.
On April 25, Pierce was contacted by a man who introduced himself as William Chang, who is listed on LinkedIn as director of operations and business development at Ledger Capital. The company's profile, by the way, lists a website. Chang said that he was looking for projects to invest in and suggested a Skype call with Pierce.
William Chang LinkedIn Page. Source.
The entrepreneur often receives offers of investment financing for the uPlexa network, but they usually come down to an offer to buy project coins at a reduced price. This time it was about direct investment. Pierce found this suspicious but decided to see what turn the deal would take. For several weeks the two could not align their schedules, and then they finally spoke.
Fragments of the correspondence between Pierce and Chang. Source.
During the call, Chang said that his company was working with the TRON Foundation on a new secret project that provides incentives for partnership with other crypto projects doing “unique things” within the blockchain industry.
During the conversation the sound and image were constantly out of sync. This could be explained by a poor connection, but Chang often spoke without opening his mouth. After the strange call, Pierce received an email that looked as if it had been sent from the official TRON Foundation domain.
A letter to Pierce from the fake TRON Foundation. Source.
In reality, however, the scammers used an IP address of the provider Online Data Services, which is often used by cybercriminals to fake email addresses. The letter suggested a call with Justin Sun himself.
When Pierce checked the email's SPF (an extension of the email sending protocol that verifies the authenticity of the sending domain) and its DKIM (a digital signature that verifies the authenticity of the sender and guarantees the integrity of the email), it turned out that the message came from Online Data Services. Source.
During the video call, the fake Sun offered Pierce a listing on several exchanges and the option of moving his project to the TRON blockchain. All the false Justin wanted in return was a minimum investment of $32,000. This is still a 40% discount, since the usual fee is $80,000. Right during the call, Sun asked Pierce to sign a contract to seal the deal. The entrepreneur refused.
The fake Sun video call was just a pre-recorded video. To test his interlocutor, Pierce asked him whether he would have access to the funds for seven months, since he needed a heart operation. The fake Sun replied that “the coins are not blocked, and you have access to them. All this will be spelled out in the contract,” adding, “I am very sorry to hear about this. I wish the operation process goes smoothly for you.”
Pierce was not the only one the scammers tried to trick with the help of a fake Sun. The team of the crypto project Mochimo also told its story on May 23. A woman named Shelley Wu, who introduced herself as the chief marketing officer of TRON, wrote to the company. According to the Mochimo team, her letters looked convincing, so they agreed to continue the conversation. Soon they received an email, apparently from Sun, offering them a “private partnership program”. The letter contained a link to a site that looked like a TRON product but was not hosted on a company domain and had been registered anonymously just a few days earlier. Having established that this was a fraud, Mochimo decided to see how far the attackers would go. In the correspondence, the fraudsters unexpectedly sent a clearly fake copy of Sun’s passport.
False Sun’s passport and original photograph used by scammers. Source.
After that, “Sun” had a call with Mochimo founder Matt Zweil. The fraudsters used a cut of slowed-down videos of Justin with their own voice dubbed on top. “Sun” also spoke out of sync with his lips, and the video paused when Zweil spoke. Whether the same scammers tried to trick Pierce and Zweil or they were different criminals is unknown.
If you think that fraud with fake videos of famous people threatens only large crypto entrepreneurs, you are mistaken. False endorsements of scam projects by people known in the industry are not uncommon in the crypto world. For example, in Australia, the image of the former head of NSW Bank Mike Baird was used for this purpose to advertise a bitcoin scam.
But recently, scammers have gone further and begun promoting scams in fake interviews and commercials. In April, the image of British host Rylan Clark-Neal was used in a fake interview with the tabloid The Daily Mirror, in which he told how he had made millions on bitcoins.
For now, deepfake video is still relatively easy to spot, but the technology is developing rapidly, and in a couple of years it may be almost impossible to tell the original from the fake without special tools, especially during a Skype call. With deepfakes it will be possible to discredit or deceive anyone. Imagine the head of a small crypto company getting a call from a Justin Sun who cannot be distinguished from the real one and who offers a profitable deal.
One of the methods to combat this is blockchain. Data encryption will make it possible to verify the authenticity of a video. Axon is already exploring the integration of the blockchain in police surveillance cameras, and Alethea AI has launched a decentralized network to track content generated by neural networks.
Protecting yourself from such fraud is easy. Do not share commercially sensitive or confidential information with strangers online who come to you with an offer that is too good. If you receive a letter from some “company” with such an offer, check whether the email was actually sent by it. Finally, just write a new letter to the address given on the official website.
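The check Pierce performed on the email's SPF and DKIM results can be automated. The following is an added example, not code from the article or from any of the companies it mentions: it reads the Authentication-Results header stamped by the receiving mail server and reports when the domain that actually passed SPF or DKIM is not the domain shown in From. The messages, domains and the server name mx.recipient.test are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims example-foundation.test, but the verdicts
# stamped by the receiving server name a different authenticated domain.
SPOOFED = """\
Authentication-Results: mx.recipient.test;
 spf=pass smtp.mailfrom=bulk-host.test;
 dkim=pass header.d=bulk-host.test;
 dmarc=fail header.from=example-foundation.test
From: "Partnerships" <partners@example-foundation.test>
Subject: Private partnership program

Please join the call.
"""
GENUINE = (SPOOFED.replace("bulk-host.test", "example-foundation.test")
           .replace("dmarc=fail", "dmarc=pass"))

def _aligned(domain, from_domain):
    # Relaxed alignment: the From domain itself or one of its subdomains.
    return domain == from_domain or domain.endswith("." + from_domain)

def check_sender(raw, trusted_authserv):
    """Return (from_domain, findings); an empty findings list means aligned."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # Trust only the header added by our own server; a sender can forge others.
    stamped = [h for h in msg.get_all("Authentication-Results", [])
               if h.split(";")[0].strip() == trusted_authserv]
    if not stamped:
        return from_domain, ["no Authentication-Results from trusted server"]
    ar = " ".join(stamped[0].split())
    findings = []
    for method, prop in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        m = re.search(rf"{method}=(\w+)[^;]*?{re.escape(prop)}=([^\s;]+)", ar)
        if not m:
            findings.append(f"{method}: no result")
        elif m.group(1).lower() != "pass":
            findings.append(f"{method}: {m.group(1)}")
        else:
            dom = m.group(2).rpartition("@")[2].lower()
            if not _aligned(dom, from_domain):
                findings.append(f"{method}: passed for {dom}, not {from_domain}")
    dmarc = re.search(r"dmarc=(\w+)", ar)
    if not dmarc or dmarc.group(1).lower() != "pass":
        findings.append("dmarc: " + (dmarc.group(1) if dmarc else "no result"))
    return from_domain, findings
```

A "pass" alone proves nothing about the visible sender: in the spoofed sample both SPF and DKIM pass, but for the bulk host's domain, which is exactly the mismatch described above.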
Fake QR code fraud
Another new type of fraud is fake QR code generators. QR codes are meant to make it easier for users to send cryptocurrencies: it is enough to scan the code, with no need to worry about errors in the wallet address. This service is provided by almost all exchange services and most wallets.
However, in reality, this is not always safer than entering the details manually. Malicious programs can replace the address in the QR code with the address of the attacker's wallet, and the victim usually does not notice. Some scammers not only create a QR code but also replace the correct wallet address with their own in the clipboard. When the victim, having copied the QR code, checks it, the system reports that everything is correct.
In March, a single network of malicious QR code generators stole about 7 BTC from users. MyCrypto Security Director Harry Denley exposed nine fraudulent code generator sites that forwarded users' coins to five attacker wallets. These sites were hosted on three separate servers, which hosted another 450 suspicious resources with the keywords "COVID-19", "cryptocurrencies" and "Gmail". Among these sites there are also several “bitcoin transaction accelerators” that claim to speed up BTC transfers for a fee of 0.001 BTC. More than 17.6 BTC has already been transferred to the wallets of these projects, which is more than $170,000 today.
This is not the first QR code fraud. In August 2019, the ZenGo wallet team identified a network of malicious generators that had routed transactions worth $20,000 to the wallets of cybercriminals. Moreover, four of the first five Google search results for a code generator turned out to be fraudulent.
To avoid becoming a victim of this fraud, it is enough to generate the code with your own or a verified service rather than with the first ones that come up on Google. A QR code generated by an unknown service can be checked through a wallet to make sure that it contains the same address as the original one. If you doubt the correctness of the code, send a small amount first to make sure that the recipient is who you want.
In early March, hardware wallet maker Ledger warned users of a fraudulent Google Chrome extension that steals the recovery passphrases for wallets. By the way, the threat was first discovered by Harry Denley from MyCrypto.
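The comparison recommended above, between the address a QR code actually encodes and the one you intended, can be done on the decoded payload. This is an added example, not code from the article or from any wallet: it assumes the QR payload has already been scanned to text, handles only legacy Base58Check bitcoin addresses (not bech32), and uses two addresses constructed from dummy key hashes.

```python
import hashlib
from urllib.parse import urlsplit

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version, body):
    raw = bytes([version]) + body
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * pad + out

def b58check_decode(addr):
    """Return (version, body); raise ValueError on a bad character or checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError for characters outside B58
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or _checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("bad Base58Check checksum")
    return raw[0], raw[1:-4]

def qr_matches(qr_payload, expected_addr):
    """Compare the address inside a scanned QR payload with the intended one."""
    parts = urlsplit(qr_payload.strip())
    # BIP21 form is bitcoin:<address>?amount=...; otherwise treat as a bare address
    addr = parts.path if parts.scheme == "bitcoin" else qr_payload.strip()
    try:
        got, want = b58check_decode(addr), b58check_decode(expected_addr)
    except ValueError as exc:
        return False, f"invalid address: {exc}"
    if got != want:
        return False, f"QR pays {addr}, not {expected_addr}"
    return True, "address matches"

# Constructed addresses built from dummy 20-byte hashes, for illustration only.
MINE = b58check_encode(0x00, bytes([0x11]) * 20)
SUBSTITUTED = b58check_encode(0x00, bytes([0x22]) * 20)
```

The checksum only catches typos and damage; a substituted address is itself perfectly valid, so the comparison against the address you meant to use is the step that matters.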
An extension called Ledger Live disguised itself as a real application of the same name, allowing users of the Ledger wallet to confirm transactions by synchronizing their hardware wallet with the device. Fraudsters asked victims to synchronize the extension with the wallet by entering a seed phrase, after which they stole the coins. The situation was compounded by the fact that the extension was advertised through Google Ads and used Google Docs to collect data.
A screenshot of an ad for a malicious Google app. Source.
Initially, the threat was not taken seriously enough, but by the end of March, criminals managed to steal over 1.4 million XRP coins, and there was no accurate data on other assets.
This is not the only time crypto users have come across a fake Chrome extension:
• Last May, a fake Google browser extension for Trezor wallets was discovered.
• Last December, user data was stolen through an extension for the Ethereum wallet.
• In early January of this year, through another malicious extension for Ledger, scammers stole about $16,000 in Zcash.
Criminals generally like to exploit hardware wallet vulnerabilities. For example, in October last year, a Reddit user posted a link to a Shopify website offering KeepKey hardware wallets for only $5; most likely, these devices had already been hacked.
Coronavirus panic fraud
In March, research company AnChain collected information on how criminals, amid a shortage of protective equipment against coronavirus, sell masks and antiseptics for digital assets but do not send the goods to customers. Fraudsters stole at least $2 million in cryptocurrencies this way. Interpol also announced a rise in cryptocurrency crimes based on the panic around COVID-19.
In March, DomainTools announced an increase in the number of domain names mentioning coronavirus that are used to distribute malware disguised as an infection map. Criminals claimed that their applications were approved by WHO and other health organizations and would notify users if they had been in contact with an infected person. For example, the coronavirusapp website offered the CovidLock application for download, which locked the smartphone and demanded a ransom of $100 in BTC. Fortunately, such applications are not widespread.
Screenshot of a malicious antivirus application. Source.
In March, the authorities of the counties of Pembrokeshire, Manchester and Norfolk in the UK also warned their residents of the growth of crypto fraud amid the pandemic. The criminals sent people messages in messengers or by email, claiming that they could provide a list of COVID-positive residents of their area for a “donation” in bitcoins. They covered their actions with recommendations allegedly from WHO and the United States Centers for Disease Control and Prevention (CDC).
Also in March, several regulators in the UK, USA and Malta, including the Financial Regulatory Authority for Supervision of the United Kingdom (FSA) and the US Securities and Exchange Commission (SEC), warned investors about a new round of crypto fraud related to coronavirus. The agencies warned about criminals who could run scams involving insurance policies and pension savings, and investment projects promising increased profitability.
The number of crypto frauds is growing
Pandemics and crises are reflected in criminal activity. On April 20, 2020, the FBI issued an official statement on the increase in cryptocurrency fraud. In March, the Financial Crime Investigation Department (FinCEN) announced a rise in financial fraud, including fraud against cryptocurrency users. Several groups of scams stand out among them.
Attempts to blackmail. Fraudsters send letters to victims and try to blackmail them, threatening to publicize some “dirty secrets” (which may not exist). The most popular threat is the publication of intimate photos and videos featuring the victim (sextortion). This is a popular scam, and spam filters have learned to recognize such emails. However, the attackers have come up with new tricks: they send letters in foreign languages and split the wallet addresses into several parts. With the spread of COVID-19, another new tactic appeared: the threat of infecting the recipient with coronavirus if they refuse to pay in cryptocurrency. Offers to donate funds to fight the pandemic from fraudulent sites copying WHO and similar organizations, by the way, have also grown.
Job offers from scammers. Fraudsters may ask you to help cash out the proceeds from the sale of cryptocurrency for a percentage of the amount. This money is most likely stolen from other victims, and the user who agrees to these conditions becomes an accomplice in the crime.
Investment scams. Criminals invite the victim to invest in a new cryptocurrency or ICO (yes, this still happens), which will supposedly make the investor rich. In reality, the scammers, of course, simply steal the money.
Therefore, we recommend that you follow simple but effective rules when carrying out operations with cryptocurrencies and dealing with unknown players in the cryptocurrency market:
• Check all information provided to you in several sources.
• Do not trust extremely advantageous offers.
• Report attackers and use security software.
• Feel free to check with crypto experts.