Anatomy of an attack: Duping investors using WhatsApp ruse
As use grows, scammers impersonate popular apps to do their dirty work
By Roger Yu, ThirdCertainty
Core finding: Pumping up the price of a stock through lies and rumors is a scam as old as the market itself. And the Internet has emboldened stock hustlers to levels previously unseen. Press releases—touting a large acquisition bid or some technology breakthrough—get posted on fake news sites or dumped in mass emails. Stock discussion boards are rife with boastful claims of insider information. Unsolicited text messages prophesy about stocks ready to take a surprise hike.
Now, stock hucksters have figured out how to use a popular smartphone messaging app—WhatsApp—to manipulate the market.
On Aug. 21, tens of thousands of users of WhatsApp received spam that claimed that penny stock AVRA was poised for a spike. Shares of the bitcoin payment systems maker surged in the over-the-counter market—up 640 percent from its opening price of 17 cents at 9:30 a.m. to its peak of $1.26 at 11:03 a.m.—before day-traders realized the fraud. As the perpetrator presumably unloaded shares quickly, the share price reverted to pre-pump levels in less than two hours.
About $1.7 million worth of shares were traded during the 90-minute period, according to AdaptiveMobile, a mobile security firm that monitored the scam.
How the scam occurred: The spammer, whose origin is speculated but unknown, sent various versions of the same messages, touting a personal connection to an insider at a well-known investment bank. One message read: “Hi its ed at goldmansachs I hope the family is good. Listen my ‘guy’ just sent me a msg saying that AVRN is going to a dollar so if u wanna make a move and buyit u shuld do it now. Txt me later let me know how it goes.”
Distinctive technique: The WhatsApp case is notable because it is the first known instance of the pump-and-dump scheme migrating from text messaging and emails to apps. Spam sent across messaging apps like WhatsApp is more difficult for wireless carriers to identify and contain, says Cathal McDaid, head of the threat intelligence unit at AdaptiveMobile. To minimize traceability, the perps likely used a third-party message distribution firm in Russia, McDaid says.
Wider implications: That WhatsApp, owned by Facebook, largely has been devoid of spam likely moved some users to actually consider buying shares. But scams on messaging apps likely will proliferate as usage grows and consumers become more accustomed to ignoring junk on carrier-operated text messaging, McDaid says.
Excerpts from ThirdCertainty’s interview with McDaid (Answers edited for length and clarity.)
3C: How did AdaptiveMobile get involved in this?
McDaid: We’re a mobile security company and all of our customers are mobile carriers. We’ve managed to successfully stop a lot of these attacks on (text messaging). But these senders come under attack, and they still need to get their spam out.
3C: When did spam start migrating from text messaging to other apps?
McDaid: It’s been pretty obvious for some time in some countries, like India. But we’ve seen more of it in the U.S. since about a year ago. We’re seeing a lot of crossover in WhatsApp. Pump-and-dump scams aren’t common because they tend to generate a lot of publicity. But I think WhatsApp is going to experience more and more of these. A lot of carriers are tightening these attacks in (their text) messaging.
3C: Where did the attack originate?
McDaid: They used Russian numbers to send these messages. But I don’t think you can guarantee that’s the ultimate origin. It may be that they found a (third-party message) sender who’s willing to work with them. There’s an entire industry of people sending messages on behalf of (their customers). In India, there’s a large and thriving industry that advertises that they will send a large amount of messages for you on WhatsApp. So the ultimate origin, I’m not too sure.
3C: How many people received the message?
McDaid: We estimate “high tens of thousands to low hundreds of thousands.” (WhatsApp has about 900 million users). The conversion rate is small, so they do need a high volume event. About 5 million shares were traded. (On most days, AVR’s trade volume is typically fewer than 40,000.)
3C: How was the scam put together?
McDaid: They identify a stock that they believe they can influence. And they purchase some shares, probably several weeks before. And they try to figure out a way to pump the stock. They looked around and found a way to send a large amount of WhatsApp messages in a short period of time. They found some Russian sender who’s willing to accommodate them. They gave them a combination of messages and who they should target. As the share price increases, they sell off what they acquired and make a profit.
3C: Do you think the perpetrators can be found?
McDaid: You’d imagine that they tried to cover their tracks. This is a financial crime. And this will be investigated by the Securities and Exchange Commission.
3C: Can reporting the spam to WhatsApp minimize harm?
McDaid: Yes, you can report spam. But in this case, the spammers created groups, and they added you to the group. (Once the message is sent), they remove you from the group quickly. And you can’t report the spam (if you’re no longer in that group).
3C: Isolated case or tip of the iceberg?
McDaid: I think it’s safe to say more of these attacks are going to happen in WhatsApp. And some possible new types of attacks may migrate to WhatsApp. We’re also tracking Viber, another messaging app. They’re receiving a lot of complaints. You see a lot of fake goods, typical spamming. Some adult services. But there will be more sophisticated spam. When an app gets to be a certain size, they become attractive to criminals and spammers.
3C: What kind of new attacks do you anticipate in messaging apps?
McDaid: I expect we may see more sophisticated phishing attacks—efforts to access your bank account or other accounts.
3C: What’s the big takeaway?
McDaid: We’ve seen these types of attacks on text messaging and they’re crossing over. WhatsApp will try to improve their defenses. But the best recommendation I can make for them is to work with the industry to get more information to get ahead of these attacks.