Fraudsters are increasingly exploiting legitimate Apple and Google services to forge notifications and deceive users. These attacks, commonly referred to as voice phishing or vishing, have resulted in millions of dollars in losses, with victims ranging from ordinary users to prominent investors. Investigations have revealed the meticulous organization of these schemes and the sophisticated technologies employed by the perpetrators.
One recent case involves a cryptocurrency investor named Tony, who lost over $4.7 million. The scammers contacted him via Google Assistant and sent fraudulent notifications from a forged google.com address. Subsequently, the cybercriminals triggered a Google Recovery Prompt, sending requests to all of the victim’s devices. The techniques proved so convincing that Tony did not immediately recognize the deception.
Similar tactics are used with Apple services. Fraudsters impersonate official Apple Support, spoofing the victim’s number, and send account verification notifications to all linked devices, further convincing the target of the legitimacy of the request.
In one instance, a victim received a text message that contained account-related information and claimed that they were speaking with Apple Support. The message included a link to a website mimicking Apple’s iCloud login page (17505-apple[.]com). While the victim entered their password and one-time access code on the fake website, the attackers simultaneously gained access to the iCloud account through their control panel.
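The fake iCloud domain above contains the brand name but is not under any Apple domain, which is something a mail or SMS filter can check. The following is an added example, not code from the original article or from Apple or Google; the allowlist in `OFFICIAL` and every sample link except the domain quoted above are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: domains each brand really uses for sign-in; extend for your environment.
OFFICIAL = {
    "apple": ("apple.com", "icloud.com"),
    "google": ("google.com",),
}

def refang(text):
    """Undo common defanging ("[.]", "(.)", "hxxp") so the value can be parsed."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http", 1)

def host_of(link):
    """Return the lower-cased hostname a browser would actually connect to."""
    link = refang(link.strip())
    if "://" not in link:
        link = "https://" + link
    # urlsplit drops any "user@" prefix, so "apple.com@evil.test" yields "evil.test".
    host = urlsplit(link).hostname or ""
    return host.rstrip(".").lower()

def classify(link):
    """Return (verdict, brand); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = host_of(link)
    for brand, domains in OFFICIAL.items():
        if any(host == d or host.endswith("." + d) for d in domains):
            return ("official", brand)
    # Brand word appears in the host, but the host is not under the brand's domain.
    for brand in OFFICIAL:
        if brand in host:
            return ("lookalike", brand)
    return ("unrelated", None)

# Constructed sample links; only the first domain is taken from the article.
SAMPLES = [
    "17505-apple[.]com",
    "https://apple.com@17505-apple.com/login",
    "https://apple.com.example.net/verify",
    "https://www.icloud.com/",
    "hxxps://accounts.google[.]com/signin",
    "https://example.org/apple",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{link:45} {classify(link)}")
```

Substring matching also flags harmless hosts that merely contain the brand word and does not catch homoglyph or punycode spoofs, so a "lookalike" verdict is a signal for review rather than a final decision.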
The investigation identified a group called Crypto Chameleon as being behind the attacks. This group uses advanced phishing panels that imitate login interfaces for platforms like Okta and offer tools to manage phishing campaigns. The group’s leader, known by the pseudonym Perm, rents out the phishing panel to other criminals, taking a 10% cut of the stolen funds.
Each attack is meticulously orchestrated, with specific roles assigned to participants:
- Panel Operator: Manages the technical aspects of the attack.
- Caller: Persuades the victim over the phone.
- Drainer: Extracts funds from the compromised accounts.
- Phishing Panel Owner: Often listens to and participates in fraudulent calls.
To increase their chances of success, these phishing groups leverage leaked data from cryptocurrency services and automated tools to assess the financial viability of their targets.
Not just investors but also high-profile individuals have fallen victim to these schemes. In June 2024, billionaire Mark Cuban lost approximately $43,000 in a similar attack. During the filming of a television show, scammers exploited his momentary inattention to access his Google account and uncover seed phrases for his cryptocurrency wallets in his email.
The fraudsters are active on platforms like Telegram and Discord, where they recruit new members and share social engineering tactics. To demonstrate their “reliability,” they showcase fabricated proof of large cryptocurrency holdings. However, phishing communities often collapse because of internal conflicts and mutual betrayals. Despite this, the ecosystem remains resilient thanks to the continuous recruitment of newcomers.
Experts warn that the cornerstone of these schemes is the trust users place in official notifications and services. Both Apple and Google emphasize that they never request passwords, one-time codes, or other confidential information. If a user receives an unexpected call or message, it is always safer to verify the information independently, avoiding links or entering data on suspicious websites.