Cybersecurity researchers are drawing attention to a new type of investment fraud that uses a combination of malicious social media advertising, company-branded messages, and artificial intelligence (AI)-based video recommendations featuring celebrities, ultimately leading to financial and data loss.
“The main goal of fraudsters is to lead victims to phishing websites and forms that collect their personal information,” ESET noted in its Threat report for the second half of 2024 shared with The Hacker News.
The Slovak cybersecurity company is tracking the threat under the name Nomani, a play on the phrase "no money". It says that the fraud increased by more than 335% from the first half of 2024 to the second half, with an average of more than 100 new URLs detected every day between May and November 2024.
The attacks are carried out through deceptive advertising on social media platforms, in some cases targeting people who have previously been scammed, using lures linked to Europol and Interpol to contact them for help or to receive compensation for stolen money by clicking on a link.
These ads are posted from a mix of fake and stolen legitimate profiles associated with small businesses, government organizations, and micro-influencers with tens of thousands of followers. Other distribution channels include sharing these messages on Messenger and Threads, and sharing deceptively positive reviews on Google.
“Another large group of accounts that frequently distribute Nomani ads are newly created profiles with forgettable names, few followers, and very few posts,” ESET noted.
The linked websites were found to ask visitors for their contact information while visually impersonating local media outlets, misusing the logos and branding of specific organizations, or claiming to advertise cryptocurrency management solutions under ever-changing names such as Quantum Bumex, Immediate Mator or Bitcoin Trader.
In the next step, cybercriminals use data collected from phishing domains to call victims directly and manipulate them into investing in non-existent investment products that falsely show phenomenal returns. In some cases, victims are tricked into taking loans or installing remote access programs on their devices.
“When these victim ‘investors’ request payment of the promised returns, the scammers force them to pay additional fees and provide additional personal information such as ID and credit card information,” ESET said. “In the end, fraudsters take both money and data and disappear, following the usual rules of a pig butchering scam.”
There is evidence that Nomani is the work of Russian-speaking threat actors, given the presence of comments on the source code in Cyrillic and the use of Yandex visitor tracking tools.
Similar to other major scam operations, for example Telekopye, it is suspected that different groups are responsible for each aspect of the attack chain: theft, creation and abuse of Meta accounts and ads; creation of the phishing infrastructure; and management of the call centers.
“Using social engineering techniques and building trust with victims, fraudsters often outsmart even the authorization mechanisms and phone verification calls that banks use to prevent fraud,” ESET said.
It comes after South Korean law enforcement officials said they busted a large-scale fraud ring that stole nearly $6.3 million from victims using fake online trading platforms in an operation dubbed MIDAS. More than 20 servers used by the fraudsters were seized and 32 people involved in the scheme were arrested.
Apart from luring victims with text messages and phone calls, users of illegal home trading system (HTS) programs tended to invest their funds by watching YouTube videos and joining KakaoTalk chat rooms.
“The program interacts with the servers of real brokerage firms to obtain real-time stock price information and uses publicly available chart libraries to create visual representations,” the Financial Security Institute (K-FSI) said in a presentation at the Black Hat Europe conference last week.
“However, no actual stock trading takes place. Rather, the program’s primary function, the screen capture feature, is being used to spy on users’ screens, collect unauthorized information, and deny refunds.”