{"id":8242,"date":"2022-11-09T14:23:03","date_gmt":"2022-11-09T22:23:03","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=8242"},"modified":"2024-04-26T13:20:00","modified_gmt":"2024-04-26T20:20:00","slug":"scams-using-fake-celebrity-endorsements-target-eu-countries","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/cyber-threat-advisory\/scams-using-fake-celebrity-endorsements-target-eu-countries\/","title":{"rendered":"Scams Using Fake Celebrity Endorsements Target EU Countries"},"content":{"rendered":"

Author: Stelios Chatzistogias<\/strong><\/h3>\n

 <\/p>\n

Summary<\/h3>\n

This report describes a series of scam campaigns that we have been tracking, in which threat actors compromise social media accounts, redirect victims and solicit their contact information, and then attempt to convince them to deposit funds with fake trading companies. This series of campaigns uses a form of a celebrity endorsed scam, a method first seen in 2020,1<\/sup> and uses a \u201cMeta\u201d coin theme. The campaigns stand out in terms of the media platforms the actors utilize as well as how they stage their attacks. Specifically, the campaigns use Facebook sponsored ads in combination with fake LinkedIn profiles and multiple domains with the same fake content translated into different languages.<\/p>\n

Background<\/h3>\n

Remote working as a result of the global Covid-19 pandemic has significantly changed our daily routines. Many people now spend more time at home or connecting virtually through devices, and the amount of digital advertising conducted through social media platforms has increased to match this trend. All of this has led online fraudsters to take advantage of these changes. According to the Federal Trade Commission,2<\/sup> the total dollar amount reported as lost to fraud from criminal actors using social media as the contact method in 2021 was $770 million, followed by the use of websites or apps at $554 million, and phone calls at $546 million.<\/p>\n

Investment scams have evolved, and the actors have become more advanced in their tactics to convince victims to supply private information and credit card details. The scammers\u2019 techniques can involve compromised social media accounts, redirects via multiple social media platforms, and short-lived, randomly generated domains for landing pages, as is the case with the campaigns we will describe in this report.<\/p>\n

Campaigns Analysis<\/h3>\n

The \u201cMeta\u201d coin theme used in these campaigns intentionally conflates two separate services: Facebook\u2019s Meta and Inblock\u2019s Metacoin cryptocurrency. Mark Zuckerberg is rebranding Facebook to Meta3<\/sup> as part of his strategy to create Metaverse: an AI and virtual reality platform. Separately, the founders of the Hong Kong\u2013based company Inblock created Metacoin: a cryptocurrency that is based on hyperledger technology and that has improved security features based on IBM\u2019s LinuxOne platform.4<\/sup><\/p>\n

Although Metacoin and the Meta services are not related, the scam campaigns in this report use the logo from Facebook\u2019s Metaverse platform and the name Metacoin from Inblock\u2019s cryptocurrency, likely in an attempt to make the delivered web content appear legitimate. The fake \u201cMeta” coin campaigns have been initialized by a compromised Facebook account under the name SoulCircuit.5<\/sup> SoulCircuit is actually a group that consists of two DJs\/musicians: Tom Moore and Dan Timcke,6<\/sup> from the UK.7<\/sup> Their compromised Facebook profile page has almost 600K followers, and is being used to distribute scam-sponsored ads for the fake \u201cMeta\u201d coin cryptocurrency. Another interesting feature of the campaigns is that the attackers seem to be targeting people from specific countries, namely Greece, Italy, and Spain, based on the languages used in the campaigns and the use of pictures and names of actual prime ministers from those countries.<\/p>\n

The campaigns consist of five stages. The actor uses different social media platforms to lure and then redirect the victim, eventually leading them to a short-lived domain that seems to be either fully or partially randomly generated. Once a user shows interest and supplies some initial information (name and mobile phone number), they are again redirected to fake trading websites that present requests for a deposit via a credit card or a transfer from other cryptocurrency accounts.<\/p>\n

\"\"
\nFigure 1: Stages of the attack<\/p>\n

Stage 1: Sponsored Facebook Ads Through SoulCircuit\u2019s Compromised Account<\/h3>\n

In the first stage of the attack, the actor places \u201cMeta” coin ads on SoulCircuit\u2019s Facebook main wall. The screenshot in Figure 2 below is from a campaign targeting Greek-speaking individuals or groups. Some of the obvious signs that the campaign is a scam is the fact that there is no punctuation in capital Greek letters. On the other hand, the fact that the account allegedly has a large number of followers (594k) can lead a user to believe this ad is legit. The image on the right-hand side of Figure 2 shows the caption\u2019s text translated into English. Upon clicking the Learn more<\/b> button, a user is redirected to a LinkedIn page, which we consider Stage 2.<\/p>\n\n\n\n\n\n
\"\"<\/td>\n\"\"<\/td>\n<\/tr>\n
Original text (Greek)<\/td>\nTranslated text (English)<\/td>\n<\/tr>\n
Figure 2: Sponsored ad in original and English translated text<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Stage 2 – LinkedIn Posts<\/h3>\n

Clicking the Learn More button opens a LinkedIn page that claims that this new cryptocurrency was invented by Meta and presents fake reviews on it (Figures 3 through 5 below), allegedly made by the Prime Minister of Greece Konstantinos Mitsotakis and other famous Greek individuals.<\/p>\n\n\n\n\n\n
\"\"<\/td>\n\"\"<\/td>\n<\/tr>\n
Original text (Greek)<\/td>\nTranslated text (English)<\/td>\n<\/tr>\n
Figure 3: Fake article about \u201cMeta\u201d coin in Greek and English<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
\"\"<\/td>\n\"\"<\/td>\n<\/tr>\n
Original text (Greek)<\/td>\nTranslated text (English)<\/td>\n<\/tr>\n
Figure 4: Altered photo of the Greek Prime Minister with Mark Zukerberg<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n\n
\"\"<\/td>\n\"\"<\/td>\n<\/tr>\n
Original text (Greek)<\/td>\nTranslated text (English)<\/td>\n<\/tr>\n
Figure 5: Unrelated photo of Yannis Stournaras: a Greek economist who has been the Governor of the Bank of Greece since June 2014<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The LinkedIn profile that posted the fake article about \u201cMeta\u201d coin belongs to a \u201cRachelle Young\u201d (Figure 6 below), who appears to be a financial analyst from the U.S. State of Colorado and whose profile has more than 500 connections. The recent activity is relevant and of interest because the profile\u2019s owner has posted the same article translated into the same three different languages.<\/p>\n

\"\"
\nFigure 6: A fake LinkedIn profile posting the same \u201cMeta\u201d coin article in multiple languages<\/p>\n

The activity tab on her profile shows that this activity has been going on for weeks.<\/p>\n

\"\"
\nFigure 7: Continuous LinkedIn activity<\/p>\n

The actor has posted articles in languages besides Greek and has used photos and stories tailored to those other countries. For example, the screenshots below show altered photos and narratives allegedly relating to Mario Draghi (an Italian public official) and Dietrich Mateschitz (an Austrian businessman).<\/p>\n\n\n\n\n
\"\"<\/td>\n\"\"<\/td>\n<\/tr>\n
Figure 8: \u201cMeta\u201d coin scam campaign targeting Italy<\/td>\nFigure 9: \u201cMeta\u201d coin scam campaign targeting Germany<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Stage 3 – Landing Pages and Randomly Generated Domains<\/h3>\n

These fake news articles contain links to two different domains that have the same content, including design and graphs, but they are in two different languages, as shown in Figures 10 and 11 below.<\/p>\n

\"\"
\nFigure 10: Altered YouTube image that points to scam website<\/p>\n

\"\"
\nFigure 11: Altered YouTube image that points to scam website<\/p>\n

The scam websites embedded in the code of the YouTube images above, are 365coinmode and 365graphiccoin. Both sites host the same page translated into different languages, which is shown in Figures 12 and 13 below. Following them, Figure 14 shows the English language version.<\/p>\n

\"\"
\nFigure 12: Landing page on 365coinmode[.]com, in Greek<\/p>\n

\"\"
\nFigure 13: Landing page on 365graphiccoin[.]com, in Italian<\/p>\n

\"\"
\nFigure 14: Landing page on 365graphiccoin[.]com, in English<\/p>\n

Stage 4: Personal Information Gathering<\/h3>\n

The goal of this particular stage of the campaigns is not to steal any credit card details, but instead to have the victims complete a form with their names and phone numbers. The victims then get redirected to fake trading company websites, such as spartan-trade[.]com and networkfsi[.]com, which ask the victims to make financial deposits. Reports from Greece and the U.K. indicate that the actors use the contact information the victims provided to get in touch with them if they do not make the deposit as requested, in the next stage of the attack, described below.8,9 The scammers try to convince the victims that the campaign is being conducted by a legitimate investment company.<\/p>\n

\"\"
\nOriginal text (Greek)<\/p>\n

\"\"
\nTranslated text (English)<\/p>\n

Figure 15: A form for creating a fake account for \u201cMeta\u201d coin<\/p>\n

Stage 5: Money theft<\/h3>\n

After providing personal details, a victim gets redirected to a fake but visually appealing website. In our tests, we were redirected to Spartan Trading, a fake trading website. It was registered on 5 July 2022 and contains the aforementioned deposit page where a victim is asked to choose an amount of money to deposit. As of this writing, the available payment options are cryptocurrencies and credit cards. The screenshots below illustrate how the cryptocurrency payment system works.<\/p>\n

\"\"
\nFigure 16: Fake trading website<\/p>\n\n\n\n\n\n
\"\"<\/td>\n\"\"<\/td>\n\"\"<\/td>\n<\/tr>\n
Client portal landing page<\/td>\nPayment choices<\/td>\nCrypto wallet for depositing crypto<\/td>\n<\/tr>\n
Figure 17: Deposit process for cryptocurrencies<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The screenshots in Figures 18 through 21 below show the credit card payment system on the scam website.<\/p>\n

\"\"
\nFigure 18: IpassPay option<\/p>\n

\"\"
\nFigure 19: Deposit page<\/p>\n

\"\"
\nFigure 20: Billing Info<\/p>\n

\"\"
\nFigure 21: Credit card detail request page<\/p>\n

Domain Analysis<\/h3>\n

All domains that serve the landing pages are registered to Namecheap and resolve to the same IP address, 45[.]63[.]119[.]177, which belongs to Constant Company LLC: a hosting provider that offers global automated cloud infrastructure. In turn, Constant LLC is a parent company for Vultr, which happens to offer free $100 vouchers for using the platform. This arrangement is a springboard for attackers who have automation in place to deploy and set up scam domains and to operate them cost-free. The screenshots in Figures 22 and 23 below show the landing pages belonging to Constant and Vultr, that are used to advertise their automated cloud infrastructure and the $100 promotion for new users.<\/p>\n

\"\"
\nFigure 22: Constant LLC\u2019s landing page<\/p>\n

\"\"
\nFigure 23: Vultr $100 promotional offering<\/p>\n

Prevention and Mitigation<\/h3>\n

These malvertising scams have the following features in common:<\/p>\n