The interactions, known as “social engineering,” were relatively weak for a pig butchering scam, Gallagher says. The interactions were stilted, and even when the persona did things like sending flirty photos, the timing was always awkward and abrupt. At one point Gallagher told the actor that it was suspicious to bring up gold investments so early after first starting to talk to someone. “Haha, yes. Because I need to let you know what I am doing,” the persona replied.
Gallagher was surprised to find, though, that the scam’s tech was much more compelling. Pig butchering scams are known for using sleek, legitimate-looking financial applications and dashboards to put victims at ease and build trust while they are deciding whether to put money into the scheme. Scammers are ultimately hoping to bleed targets dry, convincing them to hand over all their savings, any loans they can take out, and any money they can borrow from friends and relatives. Convincing tech, including features like real-time market data, makes it more likely that victims will feel they are using a reputable financial services app.
Gallagher found that the website the scammers were using to distribute their malicious apps was set up to impersonate a real Japanese financial company and had a .com domain. It was even visible on Google as one of the top results, Gallagher says, so victims could find it if they attempted to do some basic research. “To someone who isn’t particularly knowledgeable about these things, that part would be pretty convincing,” Gallagher says.
The attackers, whom Sophos suspects are based in Hong Kong, built their Windows, Android, and iOS apps on top of MetaTrader 4, a legitimate trading platform from a Russian software company. Sophos researchers have seen the platform misused for fraud before. As part of joining the platform, victims had to disclose personal details including tax identification numbers and photos of government identification documents, then start moving cash into their account.
As is common in a wide range of scams, the attackers distributed their iOS app using a compromised certificate from Apple’s enterprise developer program, which is meant to let organizations install in-house apps on their own devices outside the App Store. Sophos researchers have, however, also recently found pig butchering-related apps that slipped past Apple’s review and into the company’s official App Store.
The second scam Gallagher followed appears to have been run by a Chinese crime syndicate out of Cambodia. The tech for the scheme was less sleek and impressive but still expansive. The group ran a fake Android and iOS cryptocurrency trading app that impersonated the legitimate market-tracking service TradingView. But the scheme had a much more developed and sophisticated social engineering arm to lure victims in and make them feel they had a real relationship with the scammer who was urging them to invest.
“It starts off, ‘Hey Jane are you still in Boston?’ so I messaged back, ‘Sorry, wrong number,’ and we had a standard exchange from there,” Gallagher says. The conversation started on SMS and then moved to Telegram.