As a team of intelligence analysts, threat hunters, and researchers, it's paramount to stay on top of what's happening in the world. To inform our own research and develop our skills, the ReliaQuest Threat Research team stays on top of the news cycle by reading multiple sources, most of them, naturally, covering the world of cyber threats. Some of the more interesting pieces we've read this month are highlighted below.
Pig Butchering Investment Scam
One trend I read about this month was the bizarrely titled "pig butchering": an amalgamation of cryptocurrency fraud and romance fraud. Although cryptocurrency may be the future of financial technology, it remains a largely unregulated and risky space. Threat actors often bait unsuspecting investors with the promise of high returns on cryptocurrency investments, but this scam involves a long process of enticing victims with smaller, but regular, returns. Success depends on winning the victim's trust.
As this trust builds, the threat actor encourages the target to invest more significantly, often using a platform operated by the threat actor. Eventually, the target invests enough money for the threat actor to pull the plug and harvest the funds.
In essence, it's just another social engineering scam, but it's certainly worth calling out: according to the FBI's annual IC3 report, investment fraud accounted for more than $3 billion in reported losses in 2022. That reportedly exceeded the losses from either business email compromise (BEC) or ransomware, which is quite incredible.
App Scam Supported by YouTube Videos
In October 2022, Indian police arrested ten individuals for their involvement in a new type of fraudulent mobile application. The apps had been used to mimic legitimate businesses and defraud smartphone users. This was part of a broader campaign that used various social-media channels for financial scams. Although this is a little old, the campaign caught my eye in the last month and I thought it was worth sharing.
The apps, advertised in YouTube videos, purported to be investment apps for specific companies, and borrowed the appropriate names and logos. An abundance of apps mimicking well-known companies like Porsche, Verizon, and LG could be seen on the YouTube channel. The videos appeared to provide an informative service, as they questioned the app's legitimacy in their title (see Figure 1). But as it happens, the videos only existed to promote the apps and, in turn, affirm their authenticity.
The videos described the apps as "hacks," but in the sense of a get-rich-quick trick (in the same vein as "lifehack") rather than anything technical: users would supposedly receive substantial returns from small investments. After depositing the initial sum, users were encouraged to recruit more potential investors in return for a lucrative bonus. Links to WhatsApp groups, Telegram channels, and other media appeared in the video descriptions to help propagate the campaign (see Figure 2).
Once a “profit” was made, users were asked to deposit a larger sum with the promise of an even larger profit. That’s the step that locked in success for the scammers; the victims were swindled and subsequently blocked from the app.
According to Indian police, these scams began around the time of the COVID-19 lockdown in March 2020, and have targeted different societal groups in India. They did this by focusing on specific parts of the internet where the companies are most relevant to visitors—for example, posting links to game-company apps on student forums.
These rackets are multi-layered and lack a direct chain of command; the upper echelons of the scheme often operate outside India. In some instances, operations have been traced back to China and arrests have even included Chinese nationals. However, the location-unspecific nature of the scam has made tracking and investigation incredibly difficult. Official efforts to clamp down on this activity continue.
The perpetrators are highly innovative, combining a variety of social media platforms to achieve their goals. A scam of this nature might also serve as the starting point for phishing campaigns. Although these campaigns are uncommon, they may not be easy to prevent, because they abuse widely used platforms that reach a broad range of audiences.
Women of the Cybercrime Underworld
Gender balance, or the lack of it, is not a novel conversation in the cybersecurity sector. Representing only 24% of the workforce, women are underrepresented. But what about the women on the dark side of the web? Trend Micro has released a report investigating the role of gender in cybercriminal forums. Many users choose not to display their gender on their profiles, whether to avoid discrimination or simply because there is no need; so the researchers turned to automated classification tools, Semrush and Gender Analyzer V5, to estimate users' gender.
Comparing samples from popular Russian- and English-language cybercriminal forums (e.g., XSS, HackForums, Exploit) with clear-web IT content on Stack Overflow and Reddit, the study reported significant differences in female participation. For example, 42.6% of Russian-forum users were estimated to be female, whereas the figure was only 12% on Stack Overflow. XSS has approximately 30% active female users and HackForums has 36%.
So, women seem to be more active on underground forums than in the white-hat world, which may be explained by gender bias in the workplace. Trend Micro points to the importance of not assuming a cybercriminal is male, as that assumption could undermine criminal investigations. Female criminals often have different motives or techniques, and misgendering a cybercriminal could throw off an investigation just as it would in a physical crime.
Some job postings on such forums specifically call for women, seeking persuasion skills and friendly voices, traits stereotypically attributed more to women than to men. These jobs involve acting as a money mule, operating call centers, and conducting romance scams. Such operations rely on less-technical skills, but they account for the third-highest losses in cybercrime: victims lost $956 million to them in 2021. That figure is a testament to the "success" of this largely female-staffed work.
What do these findings mean for the cybersecurity industry? Firstly, they suggest that the cybercriminal world is a more meritocratic community, one in which inclusivity advances faster than in the formal sector. With the exception of those female-specific job posts, participants are not judged by their gender. Skills and experience are at the forefront, and female cybercriminals may feel more accepted, or more forthcoming, when gender is removed from cyber work.