A new iPhone scam uses social engineering to rake in millions from users using dating apps such as Bumble and Tinder, as well as a system which helps developers build new iOS apps.

The scam was dubbed “CryptoRom” by cyber security firm Sophos, whose researchers uncovered a $1.4m bitcoin wallet to which the group of attackers were funnelling the money of their victims.

According to Sophos, the scammers have acquired the ability to take over victim iPhones remotely in a version of the CryptoRom attack where they leverage “Enterprise Signature”. This is a system that helps organisations to pretest new iPhone applications with selected users before they are submitted to the Apple App Store for review and approval.

“With the functionality of the Enterprise Signature system, attackers can target larger groups of iPhone users with their fake crypto-trading apps and gain remote management control over their devices,” Sophos said in a statement.

“This means the attackers could potentially do more than just steal cryptocurrency investments from victims. They could also, for instance, collect personal data, add and remove accounts, and install and manage apps for other malicious purposes.”

Sophos said the scam started in Asia but has broadened its victim base to the US and Europe using Bumble and Tinder.

The company's senior threat researcher, Jagadeesh Chandraiah, said the threat relies heavily on social engineering at almost every stage.

“First, the attackers post convincing fake profiles on legitimate dating sites. Once they’ve made contact with a target, the attackers suggest continuing the conversation on a messaging platform,” said Chandraiah.

“They then try to persuade the target to install and invest in a fake cryptocurrency trading app. At first the returns look very good, but if the victim asks for their money back or tries to access the funds, they are refused and the money is lost. Our research shows that the attackers are making millions of dollars with this scam.”

Chandraiah said that until recently the scammers mainly distributed these fake crypto currency trading apps through fake websites that resembled a trusted bank or the Apple App Store.

“The addition of the iOS enterprise developer system introduces further risk for victims because they could be handing the attackers the rights to their device and the ability to steal their personal data,” he said.

“To avoid falling victim to these types of scams, iPhone users should only install apps from Apple’s App Store. The golden rule is that if something seems risky or too good to be true — such as someone you barely know telling you about some ‘great’ online investment scheme that will deliver a big profit — then sadly, it probably is.” 

TimesLIVE