Cybersecurity researchers are calling attention to a new kind of investment scam that leverages a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities, ultimately leading to financial and data loss.
“The main goal of the fraudsters is to lead victims to phishing websites and forms that harvest their personal information,” ESET noted in its H2 2024 Threat Report shared with The Hacker News.
The Slovak cybersecurity company is tracking the threat under the name Nomani, a play on the phrase “no money.” It said the scam grew by over 335% between H1 and H2 2024, with more than 100 new URLs detected daily on average between May and November 2024.
The attacks play out through fraudulent ads on social media platforms. In several cases they target people who have already been scammed once, using Europol- and INTERPOL-themed lures that promise help or a refund of the stolen money if the victim clicks a link.
These ads are published from a mix of fake and stolen legitimate profiles associated with small businesses, governmental entities, and micro-influencers with tens of thousands of followers. Other distribution channels include sharing these posts on Messenger and Threads, as well as sharing deceptively positive reviews on Google.
“Another large group of accounts frequently spreading Nomani ads are newly created profiles with easy-to-forget names, a handful of followers, and very few posts,” ESET pointed out.
The websites the links lead to ask visitors for their contact information and take one of several forms: they visually imitate local news media, abuse the logos and branding of specific organizations, or advertise purported cryptocurrency management solutions under ever-changing names such as Quantum Bumex, Immediate Mator, or Bitcoin Trader.
In the next step, cybercriminals use the data gathered from the phishing domains to directly call the victims and manipulate them into investing their money into non-existent investment products that falsely show phenomenal gains. In some cases, victims are duped into taking out loans or installing remote access apps on their devices.
“When these victim ‘investors’ request payout of the promised profits, the scammers force them to pay additional fees and to provide further personal information such as ID and credit card information,” ESET said. “In the end, the fraudsters take both the money and data and disappear – following the typical pig butchering scam.”
There is evidence to suggest that Nomani is the work of Russian-speaking threat actors given the presence of source code comments in Cyrillic and the use of Yandex tools for visitor tracking.
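The two attribution indicators named above, Cyrillic text inside source-code comments and Yandex visitor-tracking hooks, are cheap to check for when triaging a crawled corpus of suspected phishing pages. The script below is an added example written for this page, not ESET's tooling. The sample HTML is constructed, and the Yandex patterns (the `mc.yandex.ru/metrika/` loader URL, the `mc.yandex.ru/watch/<id>` noscript pixel, and the `ym(<id>, "init")` call) are the standard Yandex.Metrica embed markup as commonly deployed, an assumption on my part rather than indicators quoted from the report.

```python
"""Triage helper: flag HTML that carries both Nomani attribution indicators
mentioned in the text, Cyrillic inside code comments and Yandex tracking hooks.

Added example, not part of the original article or ESET's tooling.
SAMPLE_PAGE and CLEAN_PAGE are constructed; the Yandex.Metrica patterns are
assumed standard embed markup, not indicators taken from the report.
"""
import re
from dataclasses import dataclass, field

CYRILLIC = re.compile(r"[\u0400-\u04FF]")

# Comment extractors. Only comments are inspected, because Cyrillic in the
# visible body just means a Russian-language page; Cyrillic left in comments
# of an English-language lure says something about who built the template.
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
JS_BLOCK_COMMENT = re.compile(r"/\*(.*?)\*/", re.S)
# Negative lookbehind keeps "https://..." from being read as a line comment.
JS_LINE_COMMENT = re.compile(r"(?<![:\"'])//([^\n]*)")

# Assumed Yandex.Metrica embed markup (loader script, noscript pixel, init call).
YANDEX_PATTERNS = {
    "metrika_loader": re.compile(r"mc\.yandex\.ru/metrika/", re.I),
    "metrika_pixel": re.compile(r"mc\.yandex\.ru/watch/\d+", re.I),
    "ym_call": re.compile(r"\bym\(\s*\d+\s*,\s*['\"]init['\"]"),
}


@dataclass
class Findings:
    cyrillic_comments: list[str] = field(default_factory=list)
    yandex_hooks: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require both indicators; either one alone is common on benign sites.
        return bool(self.cyrillic_comments) and bool(self.yandex_hooks)


def extract_comments(html: str) -> list[str]:
    """Return the text of HTML, JS block and JS line comments (triage-grade)."""
    comments: list[str] = []
    for rx in (HTML_COMMENT, JS_BLOCK_COMMENT, JS_LINE_COMMENT):
        comments.extend(m.group(1).strip() for m in rx.finditer(html))
    return comments


def triage(html: str) -> Findings:
    f = Findings()
    for c in extract_comments(html):
        if CYRILLIC.search(c):
            f.cyrillic_comments.append(c)
    for name, rx in YANDEX_PATTERNS.items():
        if rx.search(html):
            f.yandex_hooks.append(name)
    return f


# Constructed sample: English-language fake-news lure with Russian comments
# and a Yandex.Metrica counter. Not a real captured page.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<!-- шаблон лендинга, не менять -->
<script type="text/javascript">
  // счётчик посещений
  (function(m,e,t,r,i,k,a){m[i]=m[i]||function(){(m[i].a=m[i].a||[]).push(arguments)};
  k=e.createElement(t),a=e.getElementsByTagName(t)[0],k.async=1,k.src=r,a.parentNode.insertBefore(k,a)})
  (window, document, "script", "https://mc.yandex.ru/metrika/tag.js", "ym");
  ym(12345678, "init", {clickmap:true, trackLinks:true});
</script>
</head><body>
<h1>Breaking: local celebrity reveals investment secret</h1>
<form action="/lead"><input name="phone"><input name="email"></form>
<noscript><div><img src="https://mc.yandex.ru/watch/12345678" alt="" /></div></noscript>
</body></html>
"""

# Constructed negative control: Cyrillic only in visible text, no tracking hooks.
CLEAN_PAGE = """<html><body><!-- main template --><p>Добро пожаловать</p>
<script>// init
var a = 1;</script></body></html>"""


if __name__ == "__main__":
    result = triage(SAMPLE_PAGE)
    print("suspicious:", result.suspicious)
    for c in result.cyrillic_comments:
        print(" comment:", c)
    print(" yandex hooks:", result.yandex_hooks)
```

Run over a directory of fetched landing pages, this separates "Russian-language site" from "English-language lure with Russian build comments and a Yandex counter", which is the distinction the attribution rests on. The regex comment extraction is deliberately rough (it will also fire on `//` inside string literals that are not URLs); for anything beyond triage, feed the script blocks through a real JavaScript tokenizer.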
As with major scam operations like Telekopye, different groups are suspected to manage the separate stages of the attack chain: the theft, creation, and abuse of Meta accounts and ads; the phishing infrastructure; and the call centers.
“By using social engineering techniques and building trust with the victims, scammers often outmaneuver even the authorization mechanisms and verification phone calls the banks use to prevent fraud,” ESET said.
The development comes as South Korean law enforcement agencies said they took down a large-scale fraud network that defrauded victims of nearly $6.3 million using fake online trading platforms, in an operation called MIDAS. More than 20 servers utilized by the fraud ring have been seized and 32 people involved in the scheme have been arrested.
Besides being lured by SMS messages and phone calls, users of the illicit home trading system (HTS) programs were enticed into investing their funds through YouTube videos and KakaoTalk chat rooms.
“The program communicates with the servers of real brokerage firms to get real-time stock price information, and uses publicly available chart libraries to create visual representations,” the Financial Security Institute (K-FSI) said in a presentation given at the Black Hat Europe conference last week.
“However, no actual stock trades are made. Rather, the program’s core feature, a screen capture function, is used to spy on users’ screens, collect unauthorized information, and refuse to return money.”