Research Saturday 4.22.23
Ep 278 | 4.22.23

Don't let the Elon Musk crypto giveaway scam swindle you.


Dave Bittner: Hello, everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Shiran Guez: The fact that it was still going on, that was what made us so surprised and, and have challenged us to, to look at it once more.

Dave Bittner: That's Shiran Guez. He's senior manager for information security at Akamai. The research we're discussing today is titled "Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful."

Shiran Guez: It's not very common to have a, a crypto scam or a scam that is being running for over five years.

Dave Bittner: Well, let's go through it together here. I mean, for folks who aren't familiar with how this scam works, can you walk us through it? How does it begin?

Shiran Guez: Yeah. OK. So, so it's actually beginning with a simple publication that, that is being running over either the Twitter or over even YouTube if we last saw the, the scams that, that were running there. Telegram channels, any social media that, that they -- that the threat actor kind of taps into. And it is often being triggered by some noticeable known, I would call it a celebrity, that, that is being talking about something that is related to crypto or even just talking about something that is putting the, the social public into the, the attention. That is kind of the trigger where the, the scammers are being tapping on and, and popping up all these kinds of social, social media publications around the crypto scam.

Dave Bittner: You know, I've been around long enough that I remember when these scams focused on Bill Gates. You know, you'd be on somewhere like Facebook or something like that and a message would pop up and it would say, "Hey, everybody, I'm Bill Gates and I'm giving away my fortune. And lucky you, you're going to get some." But -- so, the, the scam, it's kind of following the, the same model there. But is it fair to say that cryptocurrency has added fuel to the fire here?

Shiran Guez: Yeah, definitely, I do agree with, with that statement the -- that the crypto arena has been surging since at least 2000 -- 2018, cryptocurrencies like Dogecoin, Ethereum and even Bitcoin as the main driver have been surging in thousands of per- percentage. And since, since then, we have seen the rise of Dogecoin from 0.0 -- 0.5 to almost $1 which is thousands of percents over a very short periods of time. So, people have been jumping on the, what we call the, the FOMO kind of movement which is the fear of missing out. So, this was definitely a very big driver for people to, to have a life-changing kind of, kind of life changing success over using this kind of scams.

Dave Bittner: Yeah, it's interesting to me as you point out in the research here that it seems as though Elon Musk is the, the, the big lure in these, which I guess makes sense being known worldwide as a, a person with a lot of money and also someone interested in crypto. It was interesting to me that you all highlighted that not only do people pretend to be Elon Musk but there'll be a lot of scams where they sort of follow on to, to things that he might be publishing legitimately. That they'll, they'll find folks who are legitimate celebrities and they'll sort of tack on to what they're doing to try to draw attention and leech off of their audience that way.

Shiran Guez: Yeah, exactly. The -- we, we saw a lot of that kind of a, a methodology that they are using specially on Twitter where Elon Musk would tweet something around the Dogecoin or around cryptocurrency in general. And, and very soon after, you would see in the inner threads which, which are very, very noisy, you would see such messages that lure the crowd or lure the victims into, into tapping into the, the campaign publishing, "Hey, and I would give away this, this and that amount of money, just give me X and I will give you 2x or 10x," or whatever that, that the scammer has brought up.

Dave Bittner: The research digs into some of the scam kits that are out there, ways that folks can get into this business. Can you take us through that component of this? How, how does that work?

Shiran Guez: So, yeah, the, the, the kits themselves that, that we have investigated have been surprisingly very basic, very non-sophisticated. They are using simple HTML and JavaScript into the, into the, the kits which are very common, you know, languages for a, for web developers. They use widgets. This is kind of the, the what gives them more authenticity or more look and feel that, that victims would fall for using widgets that are related to support like the smart support live chat where they are actually responding to, to support questions. If you would ask them, "Hey, how do I gain access to, to that, to that giveaway," or, "How do I gain money by, by simply sending you x and you would send me 10x," or something like that, then they, they would respond. They would -- sometimes maybe not immediately but they would respond and they would try to convince you that this is a legitimate giveaway that Elon Musk is behind it or the other -- or any other celebrity that is on that phishing kit. They would definitely be giving you the look and feel that this is a legitimate giveaway.

Dave Bittner: Let's go through some of the technical elements here that you all have shared in the research here. What, what are, what are some of the interesting things going on under the hood behind the scenes?

Shiran Guez: So, so the, the most interesting I think is the way that they are presenting it. Its look -- it, it is looking very professional kit. It is looking very smooth and, and slick kit or a website. It has all the attributes to present it as a legitimate site. It has widgets that are showing the current status of the crypto market. The widget is connected to the actual crypto exchange. So, it would show live, live parameters from the actual crypto exchange. So, so if you would go to ano- another market or check the validity of what they are presenting, it seems very valid, it seems very legitimate. They would show you kind of there is a JavaScript in behind the scenes that is refreshing always the transactions. So, it will, it will seems like there are a lot of transactions that are happening. So, you would be kind of in a fear of -- like, like we mentioned, the FOMO, the fear of missing out, you would fear of miss out on the giveaway because the, the transactions are always kind of reducing the amount of the giveaway that the, the final giveaway sum. So, this kind of around the look and feel. Some of the kits that we have seen have been also tracking the victim source meaning whoever tried to access the, the site, that information was collected and sent to a Telegram of the attacker, a Telegram group of the attacker. It was not on all the kits that, that we've seen but, but in some, it, it, it was also presented there. And from what we have seen, the group, the Telegram group that it was sent to, the, the message was sent basica- basically in like a really clear language in Russian language. That kind of also gave us some hints about potentially who could be maybe the attacker.

Dave Bittner: Well, let's talk about ways to prevent this. So, what are your recommendations for folks to best protect themselves?

Shiran Guez: That- that's a great question. So, so, so first, I, I would say, first and almost the bottom line, there are no free gif- gifts. No one is going to give you money back for any sum of money that you would give. There is no such no such, no such kind of magic of getting, getting back the money. I would say that if you are totally convinced that this is legitimate, I would definitely go and validate, go and validate the source basically, try to talk with the person. But, but this is something that definitely you should not, you should not expect to see money back on your, on your -- if you're sending any money to the, to the attacker. Not, not related to the stamping. Any- anytime that you are sending money to anyone, it, it should be as a consequence of you're getting a service, you are paying for a product. And you should always verify who, who you are paying to. The- there is no way around it. You should do your due diligence, your research about the person that you are paying the money. But for that scam specifically. I would say don't that there is no, there is no way free gifts for, for, for, for that.

Dave Bittner: Yeah. I, I think it's worth, you know, mentioning that I, I, I suspect for our audience, they probably consider themselves fairly sophisticated and, and wouldn't imagine falling for this sort of thing. But that's not necessarily true of our friends and family. And so, I think it's important for those of us who have that level of sophistication to be sure to get out there and spread the word about this sort of thing. Because as you mentioned, you know, this has been around for a while. It's evolved some which is what you all are tracking here but it stays around because it works.

Shiran Guez: Exactly. The, the scam is very easy, right? It's, it's they are, they are simply releasing kits everywhere that they are sending like a, a net and then -- and luring the fishes into the net. That that's a, that's a very, you know, easy scam from, from their side and very lucrative. We see that -- initially when, when that phishing campaign started, they asked for a specific amount and they said that they are going to return your specific amount. But over time, they'd said, "Wait, I don't need a specific amount. Send any amount and I will send you double." And, and basically -- and, and, and you can see that, that people are, are -- people that, that are not aware are trying. They're -- they are, they are trying -- they are sending like small amounts. There are people that are falling with large amounts and, and this is very, you know, unfortunate. But, but overall, you, you would see that there are a lot of transactions that, that are happening with these scammers because people are unaware. That- that's the most concerning part.

Dave Bittner: Our thanks to Shiran Guez from Akamai for joining us. The research is titled "Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful." We'll have a link in the show notes. The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Ervin and senior producer Jennifer Eiben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.