Anatomy of an attack: Duping investors using WhatsApp ruse

As use grows, scammers impersonate popular apps to do their dirty work

Core finding: Pumping up the price of a stock through lies and rumors is a scam as old as the market itself. And the Internet has emboldened stock hustlers to levels previously unseen. Press releases—touting a large acquisition bid or some technology breakthrough—get posted on fake news sites or dumped in mass emails. Stock discussion boards are rife with boastful claims of insider information. Unsolicited text messages prophesize about stocks ready to take a surprise hike.

Now, stock huck­sters have fig­ured out how to use a pop­u­lar smart­phone mes­sag­ing app—WhatsApp—to manip­u­late the market.

On Aug. 21, tens of thou­sands of users of What­sApp received spam that claimed that pen­ny stock AVRA was poised for a spike. Shares of the bit­coin pay­ment sys­tems mak­er surged in the over-the-counter market—up 640 per­cent from its open­ing price of 17 cents at 9:30 a.m. to its peak of $1.26 at 11:03 a.m.—before day-traders real­ized the fraud. As the per­pe­tra­tor pre­sum­ably unloaded shares quick­ly, the share price revert­ed to pre-pump lev­els in less than two hours.

About $1.7 mil­lion worth of shares were trad­ed dur­ing the 90-minute peri­od, accord­ing to Adap­tive­Mo­bile, a mobile secu­ri­ty firm that mon­i­tored the scam.

How the scam occurred: The spam­mer, whose ori­gin is spec­u­lat­ed but unknown, sent var­i­ous ver­sions of the same mes­sages, tout­ing a per­son­al con­nec­tion to an insid­er at a well-known invest­ment bank. One mes­sage read: “Hi its ed at gold­mansachs I hope the fam­i­ly is good. Lis­ten my ‘guy’ just sent me a msg say­ing that AVRN is going to a dol­lar so if u wan­na make a move and buy­it u shuld do it now. Txt me lat­er let me know how it goes.”

Distinctive technique: The WhatsApp case is notable because it is the first known instance of the pump-and-dump scheme migrating from text messaging and emails to apps. Spam sent across messaging apps like WhatsApp is more difficult for wireless carriers to identify and contain, says Cathal McDaid, head of the threat intelligence unit at AdaptiveMobile. To minimize traceability, the perps likely used a third-party message distribution firm in Russia, McDaid says.

Wider impli­ca­tions: That What­sApp, owned by Face­book, large­ly has been devoid of spam like­ly moved some users to actu­al­ly con­sid­er buy­ing shares. But scams on mes­sag­ing apps like­ly will pro­lif­er­ate as usage grows and con­sumers become more accus­tomed to ignor­ing junk on car­ri­er-oper­at­ed text mes­sag­ing, McDaid says.

Excerpts from ThirdCertainty’s inter­view with McDaid (Answers edit­ed for length and clarity.)

3C: How did Adap­tive­Mo­bile get involved in this?

McDaid: We’re a mobile secu­ri­ty com­pa­ny and all of our cus­tomers are mobile car­ri­ers. We’ve man­aged to suc­cess­ful­ly stop a lot of these attacks on (text mes­sag­ing). But these senders come under attack, and they still need to get their spam out.

3C: When did spam start migrat­ing from text mes­sag­ing to oth­er apps?

McDaid: It’s been pret­ty obvi­ous for some time in some coun­tries, like India. But we’ve seen more of it in the U.S. since about a year ago. We’re see­ing a lot of crossover in What­sApp. Pump-and-dump scams aren’t com­mon because they tend to gen­er­ate a lot of pub­lic­i­ty. But I think What­sApp is going to expe­ri­ence more and more of these. A lot of car­ri­ers are tight­en­ing these attacks in (their text) messaging.

3C: Where did the attack originate? 

McDaid: They used Russ­ian num­bers to send these mes­sages. But I don’t think you can guar­an­tee that’s the ulti­mate ori­gin. It may be that they found a (third-par­ty mes­sage) sender who’s will­ing to work with them. There’s an entire indus­try of peo­ple send­ing mes­sages on behalf of (their cus­tomers). In India, there’s a large and thriv­ing indus­try that adver­tis­es that they will send a large amount of mes­sages for you on What­sApp. So the ulti­mate ori­gin, I’m not too sure.

3C: How many peo­ple received the message? 

McDaid: We esti­mate “high tens of thou­sands to low hun­dreds of thou­sands.” (What­sApp has about 900 mil­lion users). The con­ver­sion rate is small, so they do need a high vol­ume event. About 5 mil­lion shares were trad­ed. (On most days, AVR’s trade vol­ume is typ­i­cal­ly few­er than 40,000.)

3C: How was the scam put together?

McDaid: They iden­ti­fy a stock that they believe they can influ­ence. And they pur­chase some shares, prob­a­bly sev­er­al weeks before. And they try to fig­ure out a way to pump the stock. They looked around and found a way to send a large amount of What­sApp mes­sages in a short peri­od of time. They found some Russ­ian sender who’s will­ing to accom­mo­date them. They gave them a com­bi­na­tion of mes­sages and who they should tar­get. As the share price increas­es, they sell off what they acquired and make a profit.

3C: Do you think the per­pe­tra­tors can be found?

McDaid: You’d imag­ine that they tried to cov­er their tracks. This is a finan­cial crime. And this will be inves­ti­gat­ed by the Secu­ri­ties and Exchange Commission.

3C: Can report­ing the spam to What­sApp min­i­mize harm?

McDaid: Yes, you can report spam. But in this case, the spam­mers cre­at­ed groups, and they added you to the group. (Once the mes­sage is sent), they remove you from the group quick­ly. And you can’t report the spam (if you’re no longer in that group).

3C: Iso­lat­ed case or tip of the iceberg?

McDaid: I think it’s safe to say more of these attacks are going to hap­pen in What­sApp. And some pos­si­ble new types of attacks may migrate to What­sApp. We’re also track­ing Viber, anoth­er mes­sag­ing app. They’re receiv­ing a lot of com­plaints. You see a lot of fake goods, typ­i­cal spam­ming. Some adult ser­vices. But there will be more sophis­ti­cat­ed spam. When an app gets to be a cer­tain size, they become attrac­tive to crim­i­nals and spammers.

3C: What kind of new attacks do you antic­i­pate in mes­sag­ing apps?

McDaid: I expect we may see more sophis­ti­cat­ed phish­ing attacks—efforts to access your bank account or oth­er accounts.

3C: What’s the big takeaway?

McDaid: We’ve seen these types of attacks on text mes­sag­ing and they’re cross­ing over. What­sApp will try to improve their defens­es. But the best rec­om­men­da­tion I can make for them is to work with the indus­try to get more infor­ma­tion to get ahead of these attacks.
