Avast is actively protecting its users from the campaign and has protected more than 10,000 users from the scam in August.
A crypto investment scam is circulating on Facebook and in people’s inboxes across Europe, Canada, and Australia. The scam encourages people to pay to create an account and invest into a fraudulent crypto investment platform.
There are two ways the campaign reaches potential victims: through Facebook ads and email. Ultimately, victims can end up losing at least $250.
The country where we have protected the most users from this scam is the Czech Republic, followed by Hungary, Greece, Poland, Romania, Turkey, Switzerland, Slovakia, Italy, Canada, and Australia.
A breakdown of Avast users protected from this scam during August 2022.
Let’s take a closer look at the two attack vectors utilized by this scam.
The Facebook ads used in this threat redirect potential victims to a site designed to look like a local news site, depending on where the victim is accessing the site from. The article displayed on the site describes a cryptocurrency platform launched by Tesla known as TeslaCoin (localized versions of the article refer to these as BitiCodes, or BitCode Prime) to help families get rich. At the bottom of the page is a webform requesting site visitors to enter their name, email address, and phone number in order to register for the platform. The victim receives an email from a bot sparking a conversation in the victim’s language.
In other cases, emails are sent directly to potential victims, promising to earn investors $600 with an initial deposit of $100. A PDF is attached to the emails, with messages either promoting Elon Musk’s fake investment platform or including an invite to an unspecified “community” that includes a photo of Melinda and Bill Gates on the advertisement. These PDFs link to the news sites described above.
There are a number of ways that bots try to convince people to invest in this scam. After a brief example exchange, the bot sends a link to a payment gateway and asks the victim to transfer $250 in order to activate their trading account. Another scenario involves the bot emailing potential victims with steps to log in to a cryptocurrency broker page; after a few more emails, the bot sends a link to a payment gateway, asking the victim for a $250 initial investment. We have also seen the bots proactively email potential victims, promising them earnings upwards of $600 a day if they pay an initial fee of $100.
The campaign is active during the Central European Time zone’s working hours (between 7AM and 5PM CET), which leads us to suspect the people behind the campaign are located in Europe.
The sites used in this campaign can detect if a VPN is being used to access the site, and if so, they display content from an eshop. The eshop doesn’t work: site visitors can browse products, but they can’t add them to their cart or make purchases. This is done to hide the scam page from unwanted access and as an attempt to evade phishing hunters and security software.
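The cloaking described above can be surfaced by fetching the same URL from two vantage points and comparing what comes back. The following is an added example, not Avast's code: the function names, the 0.5 similarity threshold and both HTML samples are assumptions constructed for illustration, and the form check keys on the name, email and phone fields the article describes.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

LEAD_FIELDS = {"name", "email", "phone"}  # fields the article says the form requests

class PageFeatures(HTMLParser):
    """Collects visible text and which lead-capture <input> fields a page has."""
    def __init__(self):
        super().__init__()
        self.text, self.inputs, self._skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "input":
            a = dict(attrs)
            for key in ("name", "type", "id"):
                value = (a.get(key) or "").lower()
                self.inputs.update(f for f in LEAD_FIELDS if f in value)
            if (a.get("type") or "").lower() == "tel":
                self.inputs.add("phone")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()).lower())

def features(html):
    parser = PageFeatures()
    parser.feed(html)
    parser.close()
    return " ".join(parser.text), parser.inputs

def cloaking_verdict(html_direct, html_vpn, min_similarity=0.5):
    """Compare one URL's body as fetched directly and through a VPN exit."""
    text_a, inputs_a = features(html_direct)
    text_b, inputs_b = features(html_vpn)
    similarity = SequenceMatcher(None, text_a, text_b).ratio()
    form_a, form_b = LEAD_FIELDS <= inputs_a, LEAD_FIELDS <= inputs_b
    # Suspicious: the text diverges AND the lead form shows for only one vantage point.
    return {"similarity": round(similarity, 2), "lead_form_direct": form_a,
            "lead_form_vpn": form_b,
            "cloaking_suspected": similarity < min_similarity and form_a != form_b}

# Constructed samples: a fake news page with a lead form, and a decoy shop page.
SAMPLE_DIRECT = '<html><head><title>Daily News</title><style>p{}</style></head><body><h1>New platform helps families get rich</h1><p>Register below to start.</p><form><input name="name"><input type="email" name="email"><input type="tel" name="phone"></form></body></html>'
SAMPLE_VPN = '<html><head><title>Shop</title></head><body><h1>Garden furniture</h1><p>Chairs, tables and parasols.</p><input type="search" name="q"></body></html>'
```

A divergence alone is not proof, since sites localize content legitimately; requiring that the lead-capture form appear from only one vantage point is what narrows the signal to the behaviour described here.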