Avast is actively protecting its users from the campaign and has protected more than 10,000 users from the scam in August.
A crypto investment scam is circulating on Facebook and in people’s inboxes across Europe, Canada, and Australia. The scam encourages people to pay to create an account and invest in a fraudulent crypto investment platform.
There are two ways the campaign reaches potential victims: through Facebook ads and email. Ultimately, victims can end up losing at least $250.
We have protected the most users in the Czech Republic, followed by Hungary, Greece, Poland, Romania, Turkey, Switzerland, Slovakia, Italy, Canada, and Australia.
A breakdown of Avast users protected from this scam during August 2022.
Let’s take a closer look at the two attack vectors utilized by this scam.
Facebook ads leading to too-good-to-be-true offers
The Facebook ads used in this threat redirect potential victims to a site designed to look like a local news site, depending on where the victim is accessing the site from. The article displayed on the site describes a cryptocurrency platform launched by Tesla known as TeslaCoin (localized versions of the article refer to these as BitiCodes, or BitCode Prime) to help families get rich. At the bottom of the page is a webform asking site visitors to enter their name, email address, and phone number in order to register for the platform. The victim then receives an email from a bot, which starts a conversation in the victim’s language.
Emails promising riches
In other cases, emails are sent directly to potential victims, promising to earn investors $600 with an initial deposit of $100. A PDF is attached to the emails, with messages either promoting Elon Musk’s fake investment platform or including an invite to an unspecified “community” that includes a photo of Melinda and Bill Gates on the advertisement. These PDFs link to the news sites described above.
Bots attempt to convince people to hand over their money
There are a number of ways that bots try to convince people to invest in this scam. In one scenario, after a brief exchange, the bot sends a link to a payment gateway and asks the victim to transfer $250 in order to activate their trading account. Another scenario involves the bot emailing potential victims with steps to log in to a cryptocurrency broker page; after a few more emails, the bot sends a link to a payment gateway, asking the victim for a $250 initial investment. We have also seen the bots proactively email potential victims promising them earnings upwards of $600 a day if they pay an initial fee of $100.
European working hours
The campaign is active during working hours in the Central European Time zone (between 7 AM and 5 PM CET), which leads us to suspect the people behind the campaign are located in Europe.
Playing hide-and-seek
The sites used in this campaign can detect if a VPN is being used to access the site, and if so, they display content from an eshop. The eshop doesn’t work: site visitors can browse products, but they can’t add them to their cart or make purchases. This is done to hide the scam page from unwanted access and as an attempt to evade phishing hunters and security software.
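A check a phishing hunter could run against the cloaking described above, as an added example that is not Avast's own tooling: it compares two saved captures of the same URL, one taken without a VPN and one over a VPN, and flags the case where the name/email/phone registration form is only served to the non-VPN visitor. The HTML samples, field hints, and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Hints for the three fields the article says the scam form asks for.
LEAD_HINTS = {"name": ("name",), "email": ("mail",), "phone": ("phone", "tel")}

class InputScan(HTMLParser):
    """Collects lowercase name/type attribute values of every <input>."""
    def __init__(self):
        super().__init__()
        self.tokens = set()

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.tokens.update(v.lower() for k, v in attrs
                               if k in ("name", "type") and v)

def lead_fields(html):
    """Return which of name/email/phone the page's inputs collect."""
    scan = InputScan()
    scan.feed(html)
    scan.close()
    return {field for field, hints in LEAD_HINTS.items()
            if any(h in tok for h in hints for tok in scan.tokens)}

def cloaking_verdict(direct_html, vpn_html):
    """Compare two captures of the same URL from different vantage points."""
    direct, vpn = lead_fields(direct_html), lead_fields(vpn_html)
    full = set(LEAD_HINTS)
    if direct == full and vpn != full:
        return "cloaked"        # lead form only shown to the non-VPN visitor
    if direct == full:
        return "lead-form"      # same lead form from both vantage points
    return "no-lead-form"

# Constructed captures (not real campaign pages): same URL, two vantage points.
DIRECT = """<html><title>Local Daily News</title><body><article>...</article>
<form><input name="full_name"><input type="email" name="mail">
<input type="tel" name="phone_number"><button>Register</button></form></body></html>"""
VPN = """<html><title>Shop</title><body><ul><li>Product A</li><li>Product B</li></ul>
<input type="search" name="q"></body></html>"""

if __name__ == "__main__":
    print(cloaking_verdict(DIRECT, VPN))
```

The substring hints are a heuristic (for example, "name" also matches "username"), so a "cloaked" verdict is a reason to review the URL by hand rather than a final classification.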
How you can protect yourself
- Use an antivirus: Avast protects users from this scam, blocking the emails and URLs used in this campaign.
- Carefully check URLs: The news sites people are redirected to in this campaign are designed to look like local news sites, but their URLs don’t match what’s on the page.
- Be wary of offers that seem too good to be true: This scam, which promises to make people rich by earning them up to $600 a day from an initial investment of merely $100, is a perfect example of this.