Fraudsters have donned the identities of legitimate US financial advisers in an effort to gain the trust of victims, before recommending fraudulent financial investments.
According to threat intelligence service DomainTools, the con artists, most of whom appear to be located in West Africa, have advertised on popular social media platforms, including TikTok, using the information of actual financial advisers, copying personal biographical information and work details.
Their goal is to gain the confidence of their victims using messaging applications and email, and then convincing the individuals to invest in fraudulent cryptocurrency schemes. To date, the fraudsters have successfully stolen millions of dollars, according to a DomainTools research note.
In the end, there are two types of victims in this fraud campaign, says Sean McNee, CTO of DomainTools.
"Obviously the first are the consumers who are tricked into investing their money — often in the millions — then losing it through cryptocurrency and other investment scams," he says. "The second are the financial advisers, whose professional identities are being brazenly impersonated, putting their reputations and credibility at stake, not only today but for future business relationships as well."
Fraud strategies that exploit an existing relationship by stealing someone's identity or that create a new relationship are often the most effective types of crime. Business email compromise (BEC), for example, where the cybercriminal poses as a business executive or a vendor, usually tops the list of damaging cybercrimes, doubling its share of the cybercrime ecosystem last year. The attacks also accounted for $2.4 billion of the losses tallied by the FBI's Internet Crime Complaint Center (IC3) in 2021, or about a third of the $6.9 billion in losses tracked by the agency.
DomainTools also verified that the fraudsters seemingly understood the often-impenetrable subject of personal finance.
"Financial advisor impersonation is straightforward conceptually, but simplicity in subject belies complexity in practice," the company stated in its advisory. "Financial impersonation scams require careful, layered deception involving significant interaction with a target to succeed. To that point, engagements as prospective clients with several financial advisor impersonators suggest they possess a competent understanding of financial markets."
A Form of "Pig Butchering"
DomainTools called the investment scam a variant of "pig butchering" — the latest term for a romance scam that essentially "fattens up" a victim by creating trust through a relationship, which then ends in financial fraud — the "butchering" part. The fraudsters used the identities of several hundred financial advisers, deploying a fake website on a custom domains for each identity and using known social media networks to communicate with victims, DomainTools stated.
"While many of these instances start through establishing a relationship — whether romantic, or just friendly — this is the first time we’ve seen such an extensive campaign to build trust with — fake — professional financial advisers," McNee says. "Through our research, we were able to ascertain that the threat actors impersonating the financial advisers showed quite a surprisingly high level of financial expertise, and so were convincing to their victims."
The details used to impersonate financial advisers appear to have been scraped from regulatory filings posted to Financial Industry Regulatory Authority's (FINRA) BrokerCheck and the Securities and Exchange Commission's (SEC) Investment Adviser Public Disclosure sites.
"These scams rely on slowly building trust with a target — often under the guise of a financial advisor or successful investor — in order to convince targets to invest in a scam, such as a cryptocurrency 'investment,' in which their funds are promptly stolen and rendered nearly impossible to recover," DomainTools stated in its research note.
Supported by Bulletproof Hosting Service
The campaign is not just reliant on knowledgeable fraudsters for its success. The scam is also supported by a bulletproof hosting service known as SpeedHost247, DomainTools stated. Serving a wide variety of criminal enterprises, bulletproof-hosting services are a common cybercriminal service that ignores requests for takedowns, uses difficult-to-disrupt cloud architectures, and accepts cryptocurrency to obscure financial transactions.
The cluster of financial fraud activities tracked by DomainTools appears to "share orbits" with SpeedHost247, which operates out of West Africa, the company's researchers stated. SpeedHost247 has donned the mantle of a legitimate service, showing office buildings and spaces on its website. In reality, the images are modified pictures from other companies' sites, according to DomainTools' analysis.
"Whether SpeedHost247 is an active participant in financial advisor impersonation scams remains an open question," DomainTools stated in the analysis, "but their seeming willingness to accommodate dubious customers who are offering even more dubious financial services using false information, is reason for pause."