Hackers stole at least $1.4 million from multiple people through the CryptoROM attack, a combination of social media, dating apps, cryptocurrencies, and abuse of Apple’s Enterprise Developer Program, according to a report from AppleInsider.
The scam has been in circulation for nearly six months and is targeting Apple’s iOS platform, the report said. The scammers’ modus operandi begins with gaining the trust of the target through social media or dating apps. After that, the victim is lured through a website that looks like Apple’s App Store to set up a modified version of a cryptocurrency exchange, where they are drawn into investing. The target is asked to download a mobile device management profile. After they do so, the scammers dupe the victims out of their cash, the report said.
According to a report from Sophos, the scam resulted in a loss of approximately $87,000 to one victim, with losses ranging between $45,000 and $25,000. Cybersecurity researchers have found a bitcoin address to which just under $1.4 million has been transferred. Considering that this is the same address and could be used by many more scammers, the money stolen could be much higher.
“Upon returning to the simulated App Store webpage, the unsuspecting user is prompted to download an app signed with a certificate associated with the mobile device management profile via Apple Enterprise Provisioning or SuperSignature Delivery Method. The app in question, Bitfinex, is a bogus version of a cryptocurrency trading application,” the report said.
The report further states, “The victim is convinced to make a small investment in a cryptocurrency as a proof of concept, and is allowed to withdraw the profits. When a larger deposit is made, the victim finds out that it cannot be withdrawn and is told by the attacker to either just pull the money for himself, invest more, or pay the required taxes to withdraw the money.”