Romeo is Not on the Internet

The age-old trick of romance scams remains real and is getting worse.  The number of people being targeted by fake relationship-seekers has drastically spiked during the COVID-19 pandemic.  Why? People are lonely and clever criminals play on this new phenomenon.  According to the Federal Trade Commission, romance scams remain the most successful fraud strategy for cybercriminals and represent a growing arena of opportunity. During 2020, romance schemes accounted for a record $304 million raked into illicit coffers, according to new data, an increase of about 50 percent from 2019.[1]

These ploys typically start with an online connection that turns into daily communications; the scammer then carefully crafts a ‘relationship,’ with the victim living in a far-off country, and then asks for money, for a myriad of reasons.  A love-struck victim then sends funds in the form of a gift card (this payment type was up 80 percent in 2020, the FTC found) or a direct wire transfer.  “Sooner or later, these scammers always ask for money,” the FTC said in a recent notice.  The crook might say it is for a phone card to keep chatting. Or they might claim it is for a medical emergency, with COVID-19 often used to play on sympathies.  The reasons for money are limitless and can create a sense of urgency that pushes people to send money over and over again.  Actually, kinda sad.

Romance scams have flourished during the COVID-19 pandemic due to a wider pool of targets.  More people are turning to virtual ways of connecting and are using social media and online dating apps more.[2]  “Scammers fabricate attractive online profiles to draw people in, often lifting pictures from the web and using made-up names,” according to the FTC. “Some go a step further and assume the identities of real people.  Once they make online contact, they make up reasons not to meet in person.  The pandemic has both made that easier and inspired new twists to their stories, with many people reporting that their so-called suitor claimed to be unable to travel because of the pandemic.  Some scammers have reportedly even canceled first date plans due to a supposed positive COVID-19 test.”

Another aspect of romance fraud involves victims being unwittingly used for money laundering.  “People believe their new partner has actually sent them a large sum of money,” according to the FTC notice. “Scammers claim to have sent money for a cooked-up reason, and then have a detailed story about why the money needs to be sent back to them or on to someone else.  People think they are helping someone they care about, but they may actually be laundering stolen funds.  In fact, many reported that the money they received and forwarded on turned out to be stolen unemployment benefits.”

In 2020, the median dollar loss for individual victims was around $2,500, which is more than 10 times the median loss across all other fraud types, the FTC said. That is the highest losses have ever been, according to the FTC, but romance fraud has been on the rise for a while.  From 2016 to 2020, total dollar losses increased more than fourfold, and the number of reports to the FTC nearly tripled.

The typical victim actually varies by age group.  According to the FTC, people ages 20 to 29 saw the largest increase in targeting, with the number of reports more than doubling since 2019. People ages 40 to 69 were the most likely to report losing money, however. And people 70 and older reported the highest individual median losses at $9,475.

Several years ago, Red Sky Alliance helped a jilted romance victim who was scammed out of several thousands of dollars by a fake US serviceman she fell for over the Internet.  Unfortunately, the money was gone.  But our analysts were able to contact the real serviceman and alert him to the use of his social media presence.

Romance has long been a popular theme for cybercrime.  Ahead of this past Valentine’s Day, a campaign using fake “recent order” email confirmations for flowers or lingerie began circulating.  These emails are actually part of a spear-phishing attack, which ultimately leads recipients to a malicious document that executes the BazaLoader malware.  BazarBackdoor is a new malware with the ability to install various types of malicious programs on the infected computers.  It is believed to have been created by the developers of the TrickBot Trojan, a banking Trojan infecting Windows machines, because BazarBackdoor exhibits code and other similarities with the TrickBot Trojan.

BazarBackdoor spreads itself through phishing messages purporting to be from legitimate senders.  For example, the messages may include COVID-19-related payroll reports and lists of terminated employees.  The potential victim needs to click on a link to documents that appear to be stored on Google Docs.  After clicking on that link, he or she will be redirected to customized landing pages appearing to be PDF, Word or Excel documents.

The landing pages ask the potential victim to click on a link to view the attachments. After clicking on the link, an executable file will be downloaded that relates to the name of the file appearing on the landing page.  For instance, a landing page regarding COVID-19 reports will trigger the download of the file “PreviewReport.Doc.exe”.  Since extensions of files stored on Windows computers are usually not displayed by default, most Windows users will see the stored file as “PreviewReport.Doc” instead of “PreviewReport.Doc.exe”.  The executable file, also known as BazaLoader, is a loader of a backdoor.
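The double-extension disguise described above can be checked for mechanically.  The following Python sketch is an added example, not code from the original article or from Red Sky Alliance: it flags file names where a document-looking extension sits in front of an executable one and reports the name a user would see with extensions hidden.  The two extension lists and the sample paths are assumptions constructed for illustration; only “PreviewReport.Doc.exe” comes from the article.

```python
from pathlib import PureWindowsPath

# Assumed lists, not from the article: extensions a user reads as "a document"
# and extensions Windows runs directly or hands to a script host.
DECOY_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf", "txt", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi"}


def displayed_name(path):
    """Name shown when Explorer hides the final (registered) extension."""
    name = PureWindowsPath(path).name
    stem, dot, _ext = name.rpartition(".")
    # Names with no dot, or only a leading dot, are shown unchanged.
    return stem if dot and stem else name


def is_double_extension(path):
    """True when a document-looking extension precedes an executable one."""
    parts = PureWindowsPath(path).name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS


def scan(paths):
    """Return (full path, name the user would see) for each masquerading file."""
    return [(p, displayed_name(p)) for p in paths if is_double_extension(p)]


# Constructed sample listing of a Downloads folder; only the first file name
# is taken from the article.
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\PreviewReport.Doc.exe",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Downloads\notes.v2.docx",
    r"C:\Users\alice\Downloads\report.final.pdf",
    r"C:\Users\alice\Downloads\README",
]

if __name__ == "__main__":
    for full, shown in scan(SAMPLE_PATHS):
        print(f"masquerading executable: shown as {shown!r}, really {full!r}")
```

Ordinary installers such as setup.exe and multi-dot documents such as notes.v2.docx are not flagged, which keeps the check usable on a real download folder or mail-gateway attachment list.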

If the victim opens BazaLoader, it will be installed on the infected computer and remain inactive for a short time.  Next, it will connect to a command-and-control server in order to download a backdoor.  When the backdoor is installed, it will download and launch Cobalt Strike, a legitimate information security application.  Fraudsters often use cracked versions of Cobalt Strike to spread throughout a network, deploy malware and steal credentials.

The above risks and vulnerabilities of online dating scams are a real threat, especially with many people being forced into loneliness by lockdowns.  Many services provided by Red Sky Alliance can help prevent bad things from happening in a proactive manner.  But in these cases, if something seems too good to be true, AND if a new foreign friend asks for money, immediately drop the communication and move on.  It is most likely a scam.  In addition to offering cyber protection, we offer cyber insurance through Cysurance.  Call for a quote.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com  

Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/3702558539639477516

[1] https://threatpost.com/cybercrooks-304m-romance-scams/163972/

[2] https://www.consumer.ftc.gov/articles/what-you-need-know-about-romance-scams
