{"id":21360,"date":"2023-02-28T05:20:55","date_gmt":"2023-02-28T13:20:55","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/02\/28\/news-15091\/"},"modified":"2023-02-28T05:20:55","modified_gmt":"2023-02-28T13:20:55","slug":"news-15091","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/02\/28\/news-15091\/","title":{"rendered":"Sour Grapes: stomping on a Cambodia-based \u201cpig butchering\u201d scam"},"content":{"rendered":"

Credit to Author: gallagherseanm| Date: Tue, 28 Feb 2023 11:00:10 +0000<\/strong><\/p>\n

\n

The success of \u201cpig butchering\u201d (sha zhu pan, \u6740\u732a\u76d8) scams has driven the expansion of their hunt for new victims, both by well-established and well-organized scam rings and by smaller and less professional copycats. In the fake gold trading scam I discussed in my last report<\/a>, for example, initial contact of victims was made through Twitter. Others we\u2019ve seen have used Facebook Messenger for their initial approach, or other social media and messaging apps. And several others I\u2019ve encountered\u2014including the one detailed in this report\u2014have reached out with a lure message over Apple\u2019s iMessage or other digital channels for Short Message Service (SMS) texts.<\/p>\n

These texts, which are usually designed to look like accidental mis-texts, are really designed to allow the scammers to spam large numbers of potential victims and then selectively engage those who text back. From there, they attempt to engage in casual conversation, and then suggest that the digital meet-cute is a sign that they are \u201cfated to be friends.\u201d From there, the scam follows a familiar pattern\u2014moving the target to another messaging platform for easier engagement while freeing up the text account to approach additional victims or be shut down while another number is set up.<\/p>\n

As I discussed in our previous report, I received a deliberately mis-addressed text message on one of my phones that led me into an engagement with the scam ring (which I have designated as \u201cSour Grapes\u201d for reasons that will soon become apparent), with a young Malaysian woman acting as the face of the scam and occasionally directly interacting with me.<\/p>\n

From the data I was able to gather during the interaction, I determined that the ring she was working for had gathered over $3 million US in cryptocurrency over a 5-month period\u2014and that it was one of hundreds of nearly identical scam operations using similar lures and nearly identical websites and apps. While we were unable to gather full wallet data associated with these other fake trading and liquidity mining apps, we assume the overall take of this ring is much larger.<\/p>\n

As we were preparing this report, my colleague Jagadeesh Chandaraiah got a message from an individual in the US who had received an almost identical set of communications\u2014only in his case, the woman was Vietnamese, and the scam was focused on \u201ccontract mining\u201d\u2014another name for liquidity mining.<\/a>\u00a0 We uncovered a number of fake decentralized finance apps purporting to be for liquidity mining among the other sites using similar domains and infrastructure to the Sour Grapes scam.<\/p>\n

This type of lure is particularly popular with Chinese organized crime operations working out of countries in Southeast Asia. Several of these operations have been identified by previous reporting as being based in Special Economic Zones (SEZs) in Cambodia (where this scam\u2019s human operations were based), Myanmar, \u00a0Laos, and other countries.<\/p>\n

\"Diagram<\/a>
Fig 1: A representation of the organizational structure of the \u201cSour Grapes\u201d “pig butchering” scam ring, based on collected data and previous research.<\/figcaption><\/figure>\n

The teams running these scams include a young man or woman acting as the face of the scam, keyboarders who keep the victim engaged, and a team generating and repurposing media content to help fill the message exchanges with targets with fabricated proof of their backstory. They may also abuse mapping services to make it appear their persona is where and who they claim to be.<\/p>\n

It is the long duration and complexity of the communications these scam rings engage in that makes them particularly convincing to even some more skeptical targets. In this case, the scammers made first contact with me on October 31, and messaged me multiple times a day all the way through December to get me to enroll in their fraudulent cryptocurrency trading scheme. During that period, I was able to identify much of their infrastructure, including wallet addresses and web resources used by the scheme and fake applications for both iOS and Android, and share them with other organizations; twice, the scammers were forced to change wallet addresses, and they had to change domains for their websites while still trying to convince me of their legitimacy.<\/p>\n

Several things stood out about this group. First, it was clear that the group had taken pains to build a somewhat credible backstory for their persona, on the level we have seen from Facebook-based scams. The woman who was the face of the scam was actively involved in it, and made several video calls to ensure that I was going to take the bait. And while not as sophisticated as some of the other groups we\u2019ve encountered from a technical perspective, the scammers were able to quickly respond to takedowns of their infrastructure.<\/p>\n

But it was also clear that multiple people were involved in maintaining contact with me, and had limited knowledge of operational security techniques or even the culture of the country they were claiming to live in. \u00a0If these organizations start learning how to create more consistent, locale-specific technology footprints\u2014and do more thorough coaching of their front-line texting operatives\u2014then these scams could become much more convincing and catch even more victims with their lures.\u00a0 Education on the scope of these scams remains the best defense against them.<\/p>\n

All trick, no treat<\/h3>\n

On October 31, I received a random text message on one of my phones: \u201cHi Jane are you still in Boston?\u201d<\/p>\n

\"screen<\/a>
Figure 2: A screen shot of my initial conversation with \u201cHarley\u201d.\u00a0 My Chinese reply,\u201d ni hao ma?\u201d (how are you) is ignored.<\/figcaption><\/figure>\n

 <\/p>\n

That was the first message I received from \u201cHarley,\u201d the persona associated with this scam attempt. The message came from a number associated with Sinch Voice, a Sweden-based VoIP provider, linked to a Louisiana phone number. \u00a0\u201cHarley\u201d claimed be in Vancouver, British Columbia.<\/p>\n

As with the previous “pig butchering” scam I detailed, I was honest about my line of work: I told Harley that I worked in cybersecurity. This did not seem to matter as much as my age and whether I was alone. I provided the answers the scammers wanted to hear (over 50, living alone), and Harley eagerly continued the conversation, sending a photo of herself standing next to an elaborate bar. As I would learn from later video interaction, the person in the photo was an active member of the scam team as well as its face.<\/p>\n

\"\"<\/a>
Figure 3. The photo sent by \u201cHarley\u201d via text message.<\/figcaption><\/figure>\n

Later photoanalysis and research revealed that this was a photo from a hotel bar in Phnom Penh<\/a>.<\/p>\n

The written English in the texts was clumsy in places, and probably run through computer translation in places \u2013 as in when the person behind the texts asked, \u201cdo you sing telegram?\u201d when they were trying to move the conversation over to that messaging service. The Telegram account used by \u201cHarley\u201d was associated with a number from a UK mobile carrier (EE Ltd.).<\/p>\n

While this detail was shared with the previous scam I researched, there was a significant difference in the interactions once we got to Telegram. Harley came with a very rich backstory: she claimed to run a wine business in Vancouver (giving the name of a specific British Columbia winery), and said that her family was originally from Malaysia. \u00a0She also set up an emotional appeal, telling of how her husband, who used her father\u2019s help to start his own \u201cwine factory,\u201d cheated on her and left her while she was pregnant with their child. This included a story of how she got a hotel employee to give her a key to the room he was meeting his mistress in:<\/p>\n

\"Figure<\/a>Figure 4: Part of Harley\u2019s backstory.<\/p>\n

Harley added that the business had struggled because of COVID-19. And of course, she was able to rescue her wine business with the help of her aunt, who taught her how to make money trading cryptocurrency.<\/p>\n

Harley (or the keyboarders operating on her behalf) also sent additional photos of cases of wine, videos of bottling operations, and other content intended to establish Harley as being in the \u201cgrape factory\u201d business. The photos, when analyzed carefully, told a different story, of course; the cases of wine she claimed were from her vineyard and the bottles on the line in her \u201cgrape factory\u201d were marked with the name of a French winery, and not the name of the winery she claimed to be connected to.<\/p>\n

\"Telegram<\/a>
Figure 5: the alleged Vancouver wine store that Harley claimed to own. The boxes tie it to a winery in France.<\/figcaption><\/figure>\n

There was some effort made to give this story a modicum of credibility. She gave the name of an actual British Columbia-based winery as her business, and a search for the store location she had given me resulted in a hit on Apple Maps\u2014a user-contributed location which, when checked with Google Street View, turned out to be a local office for the VoIP provider Telus. The location is marked by Apple as \u201cpermanently closed\u201d now.<\/p>\n

\"Screen<\/a>
Figure 6: A screenshot of the Apple Maps location returned by a web search; the address is a Telus office.<\/figcaption><\/figure>\n

 <\/p>\n

Harley claimed to have two of these shops in Vancouver and said she was planning to open one in New York, \u201cbut my business is costing me a lot of money because of COVID-19, About $1 million, but I recovered a lot by investing in cryptocurrencies and early real estate.\u201d<\/p>\n

And thus crypto began to work its way into the conversation.<\/p>\n

The next day, the person behind Harley\u2019s keyboard told me she was headed out to pay employees at \u201cthe grape factory.\u201d \u00a0A video of Harley on a treadmill holding up her phone for a selfie and saying \u201cI\u2019m working out\u201d was supplied to validate her claim of hitting the gym.<\/p>\n

\"A<\/a>
Figure 7: Heading to the grape factory.<\/figcaption><\/figure>\n

I asked her to send pictures, hoping for exterior shots of her claimed winery (or \u201cgrape factory\u201d), but instead she sent a video taken from a French winery\u2019s website of a bottling line in operation, the labels of the bottles plainly visible. Then she added a photo from inside her \u201cworkshop,\u201d showing her in front of a glass storage case filled with bottles with Chinese labels.<\/p>\n

\"A<\/a>
Figure 8: the bottling line video and another photo purported to be from the \u201cgrape factory\u201d, which then became \u201cwine production workshop.\u201d The video is from a French bottling operation.<\/figcaption><\/figure>\n

There were also frequent hints at how well she was doing now: photos of her shopping hauls, of food she was preparing or had purchased, and of the cars she claimed to own (including a Ferrari).<\/p>\n

 <\/p>\n

\"Telegram<\/a>
Figure 9: Harley in a Ferrari in a basement garage. The Ferrari is just one of several luxury vehicles featured in photos sent by the scammers.<\/figcaption><\/figure>\n

\u00ad\u00ad\u00adThe Ferrari and other cars, along with photos of food and expensive consumer products, would be a major portion of the conversation over the next month. Harley also expounded on other personal matters, including how fragile she was emotionally because of her recent abandonment by her husband, and how her child with her ex-husband was being raised by her parents.<\/p>\n

\"Telegram<\/a>
Figure 10: The pitch for crypto trading is worked into a continuing stream of selfies. Despite being allegedly in Canada, Harley translated her \u201clocal\u201d weather to Fahrenheit for me.<\/figcaption><\/figure>\n

 <\/p>\n

By two weeks in, Harley was going deep into her fictional backstory of betrayal, retreat from the world, and eventual redemption through crypto trading under the guidance of her aunt. She also told me how I (her target) was her only male friend and confidante.\u00a0 \u201cSo I hope that every day in the future we can cherish everything and cherish each other! keep our friendship alive,\u201d she typed.<\/p>\n

 <\/p>\n

An invitation to visit came, as well as an invitation to spend time with her at her \u201cvilla\u201d in Miami.<\/p>\n

 <\/p>\n

\"Telegram<\/a>
Figure 11: Harley\u2019s \u201cMiami villa\u201d<\/figcaption><\/figure>\n

 <\/p>\n

But there were never any pictures of Harley outside. Other than the videos and photos sent showing her exercising, shopping, or getting into the Ferrari, all the photos of Harley were in the same room with paneling and acoustic tiles with no other features visible, or at a desk in what appeared to be a hotel business center or conference room. The gym photos appeared to be from a hotel workout room.<\/p>\n

The long chatting period was punctuated, of course, with comments about how she was making huge profits on short-term crypto trades.<\/p>\n

Trying to close the deal<\/h3>\n

 <\/p>\n

After nearly a month of this, I decided to accelerate the process, and mentioned to Harley that I was curious about how she was making so much money. Harley said her aunt had taught her to do this, and that she could share the same market intelligence her aunt apparently gave her.<\/p>\n

\"\"<\/a>
Figure 12: I finally take the bait.<\/figcaption><\/figure>\n

First, she said, I needed to buy some cryptocurrency with a Crypto.com wallet. This scam specifically targeted Crypto.com, with Coinbase as a backup; they explicitly avoided the market giant Binance.<\/p>\n

\"Telegram<\/a>
Figure 13: Crypto.com is the target of choice.<\/figcaption><\/figure>\n

To get started, Harley told me I needed at least $2000 USD:<\/p>\n

\"Telegram<\/a>
Figure 14: There\u2019s a $2,000 floor for this scam.<\/figcaption><\/figure>\n

I balked at this, and held off furthering the \u201clesson\u201d until after Thanksgiving. However, I asked her if there were any other apps I needed, and she directed me to a download link to install apps\u2014either an Android application or a \u201cWebclip\u201d for iOS with a provisioning profile. Both used the logo and name of TradingView, the market charting app provider.<\/p>\n

From the web clip provisioning profile, I harvested the website being used to front the iOS version of the fake app. From the US, it resolved to an Amazon Web Services Cloudfront host. Passive DNS records also resolved the domain to a host in Hong Kong.<\/p>\n

To make sure I was actually going to pony up the $2000 worth of Tether cryptocurrency (USTD, a \u201cstablecoin\u201d closely pegged to the US dollar) that Harley suggested I needed for \u201clearning,\u201d she wanted to walk me through screenshots of the purchase. She also made a video call to me to make sure I was going to do it. I fabricated a screenshot of a Crypto.com wallet with 2,200 USDT in it to provide (from one with a balance of $2), and sent it along.<\/p>\n

 <\/p>\n

\"A<\/a>
Figure 15: I sent a forged Crypto.com wallet balance screen shot.<\/figcaption><\/figure>\n

 <\/p>\n

The app<\/h3>\n

Harley gave me a link to download an app for the next step (hxxps:\/\/www[.]tdvies[.]com\/download) . She followed up with instructions on how to deposit funds. \u00a0Since it was the Thanksgiving holiday, I applied the brakes a bit again on moving forward\u2014and began to do some technical analysis.<\/p>\n

The download site, purporting to be for an app from the trade charting software provider TradingView, had two buttons. The first was for an Android .APK file hosted on another site (hxxp:\/\/app[.]tdviewdn[.]vip). The second, for iOS, downloaded a mobile profile file for installing a \u201cweb clip\u201d application pointing to yet another site (hxxps:\/\/www[.]ksjbfs[.]vip).<\/p>\n

 <\/p>\n

Figure 16. The mobile profile downloaded by iOS to install the scammer\u2019s web clip.<\/p>\n

Figure 17 The URL serving up the web clip.<\/p>\n

The Android app and the web clip both functioned identically; they were tied to the same backend, so a username and password set on one worked on the other. The Android app made web calls to another site (hxxps:\/\/www[.]gefwts[.]vip), which provided a set of web service hooks.<\/p>\n