Author: Stelios Chatzistogias
Summary
This report describes a series of scam campaigns that we have been tracking, in which threat actors compromise social media accounts, redirect victims and solicit their contact information, and then attempt to convince them to deposit funds with fake trading companies. This series of campaigns uses a form of celebrity-endorsed scam, a method first seen in 2020,[1] and uses a “Meta” coin theme. The campaigns stand out in terms of the media platforms the actors utilize as well as how they stage their attacks. Specifically, the campaigns use Facebook sponsored ads in combination with fake LinkedIn profiles and multiple domains with the same fake content translated into different languages.
Background
Remote working as a result of the global Covid-19 pandemic has significantly changed our daily routines. Many people now spend more time at home or connecting virtually through devices, and the amount of digital advertising conducted through social media platforms has increased to match this trend. Online fraudsters have taken advantage of these changes. According to the Federal Trade Commission,[2] the total dollar amount reported as lost to fraud from criminal actors using social media as the contact method in 2021 was $770 million, followed by the use of websites or apps at $554 million, and phone calls at $546 million.
Investment scams have evolved, and the actors have become more advanced in their tactics to convince victims to supply private information and credit card details. The scammers’ techniques can involve compromised social media accounts, redirects via multiple social media platforms, and short-lived, randomly generated domains for landing pages, as is the case with the campaigns we will describe in this report.
Campaigns Analysis
The “Meta” coin theme used in these campaigns intentionally conflates two separate services: Facebook’s Meta and Inblock’s Metacoin cryptocurrency. Mark Zuckerberg is rebranding Facebook to Meta[3] as part of his strategy to create Metaverse: an AI and virtual reality platform. Separately, the founders of the Hong Kong–based company Inblock created Metacoin: a cryptocurrency that is based on hyperledger technology and that has improved security features based on IBM’s LinuxOne platform.[4]
Although Metacoin and the Meta services are not related, the scam campaigns in this report use the logo from Facebook’s Metaverse platform and the name Metacoin from Inblock’s cryptocurrency, likely in an attempt to make the delivered web content appear legitimate. The fake “Meta” coin campaigns have been initiated from a compromised Facebook account under the name SoulCircuit.[5] SoulCircuit is actually a group that consists of two DJs/musicians, Tom Moore and Dan Timcke,[6] from the UK.[7] Their compromised Facebook profile page has almost 600K followers and is being used to distribute sponsored scam ads for the fake “Meta” coin cryptocurrency. Another interesting feature of the campaigns is that the attackers seem to be targeting people from specific countries, namely Greece, Italy, and Spain, based on the languages used in the campaigns and the use of pictures and names of actual prime ministers from those countries.
The campaigns consist of five stages. The actor uses different social media platforms to lure and then redirect the victim, eventually leading them to a short-lived domain that seems to be either fully or partially randomly generated. Once a user shows interest and supplies some initial information (name and mobile phone number), they are again redirected to fake trading websites that present requests for a deposit via a credit card or a transfer from other cryptocurrency accounts.
Figure 1: Stages of the attack
Stage 1: Sponsored Facebook Ads Through SoulCircuit’s Compromised Account
In the first stage of the attack, the actor places “Meta” coin ads on SoulCircuit’s Facebook main wall. The screenshot in Figure 2 below is from a campaign targeting Greek-speaking individuals or groups. One obvious sign that the campaign is a scam is that there is no punctuation in capital Greek letters. On the other hand, the fact that the account allegedly has a large number of followers (594k) can lead a user to believe this ad is legitimate. The image on the right-hand side of Figure 2 shows the caption’s text translated into English. Upon clicking the Learn more button, a user is redirected to a LinkedIn page, which we consider Stage 2.
Figure 2: Sponsored ad in original and English translated text (left: original text in Greek; right: translated text in English)
Stage 2: LinkedIn Posts
Clicking the Learn More button opens a LinkedIn page that claims that this new cryptocurrency was invented by Meta and presents fake reviews on it (Figures 3 through 5 below), allegedly made by the Prime Minister of Greece Konstantinos Mitsotakis and other famous Greek individuals.
Figure 3: Fake article about “Meta” coin in Greek and English (left: original text in Greek; right: translated text in English)
Figure 4: Altered photo of the Greek Prime Minister with Mark Zuckerberg (left: original text in Greek; right: translated text in English)
Figure 5: Unrelated photo of Yannis Stournaras, a Greek economist who has been the Governor of the Bank of Greece since June 2014 (left: original text in Greek; right: translated text in English)
The LinkedIn profile that posted the fake article about “Meta” coin belongs to a “Rachelle Young” (Figure 6 below), who appears to be a financial analyst from the U.S. State of Colorado and whose profile has more than 500 connections. The recent activity is relevant and of interest because the profile’s owner has posted the same article translated into the same three different languages.
Figure 6: A fake LinkedIn profile posting the same “Meta” coin article in multiple languages
The activity tab on her profile shows that this activity has been going on for weeks.
Figure 7: Continuous LinkedIn activity
The actor has posted articles in languages besides Greek and has used photos and stories tailored to those other countries. For example, the screenshots below show altered photos and narratives allegedly relating to Mario Draghi (an Italian public official) and Dietrich Mateschitz (an Austrian businessman).
Figure 8: “Meta” coin scam campaign targeting Italy
Figure 9: “Meta” coin scam campaign targeting Germany
Stage 3: Landing Pages and Randomly Generated Domains
These fake news articles contain links to two different domains that have the same content, including design and graphs, but they are in two different languages, as shown in Figures 10 and 11 below.
Figure 10: Altered YouTube image that points to scam website
Figure 11: Altered YouTube image that points to scam website
The scam websites embedded in the code of the YouTube images above are 365coinmode and 365graphiccoin. Both sites host the same page translated into different languages, as shown in Figures 12 and 13 below. Figure 14 then shows the English-language version.
Figure 12: Landing page on 365coinmode[.]com, in Greek
Figure 13: Landing page on 365graphiccoin[.]com, in Italian
Figure 14: Landing page on 365graphiccoin[.]com, in English
Stage 4: Personal Information Gathering
The goal of this particular stage of the campaigns is not to steal any credit card details, but instead to have the victims complete a form with their names and phone numbers. The victims then get redirected to fake trading company websites, such as spartan-trade[.]com and networkfsi[.]com, which ask the victims to make financial deposits. Reports from Greece and the U.K. indicate that, in the next stage of the attack (described below), the actors use the contact information the victims provided to get in touch with them if they do not make the deposit as requested.[8][9] The scammers try to convince the victims that the campaign is being conducted by a legitimate investment company.
Figure 15: A form for creating a fake account for “Meta” coin (original text in Greek and translated text in English)
Stage 5: Money Theft
After providing personal details, a victim gets redirected to a fake but visually appealing website. In our tests, we were redirected to Spartan Trading, a fake trading website. It was registered on 5 July 2022 and contains the aforementioned deposit page where a victim is asked to choose an amount of money to deposit. As of this writing, the available payment options are cryptocurrencies and credit cards. The screenshots below illustrate how the cryptocurrency payment system works.
Figure 16: Fake trading website
Figure 17: Deposit process for cryptocurrencies (panels: client portal landing page; payment choices; crypto wallet for depositing crypto)
The screenshots in Figures 18 through 21 below show the credit card payment system on the scam website.
Figure 18: IpassPay option
Figure 19: Deposit page
Figure 20: Billing Info
Figure 21: Credit card detail request page
Domain Analysis
All domains that serve the landing pages are registered to Namecheap and resolve to the same IP address, 45[.]63[.]119[.]177, which belongs to Constant Company LLC, a hosting provider that offers global automated cloud infrastructure. Constant LLC is in turn the parent company of Vultr, which offers free $100 vouchers for using the platform. This arrangement is a springboard for attackers who have automation in place to deploy and set up scam domains and to operate them cost-free. The screenshots in Figures 22 and 23 below show the landing pages belonging to Constant and Vultr that are used to advertise their automated cloud infrastructure and the $100 promotion for new users.
Figure 22: Constant LLC’s landing page
Figure 23: Vultr $100 promotional offering
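The shared hosting IP and the repetitive domain names described above lend themselves to a simple resolver-log check. The following is an added example, not code from the original report: the log format, the sample lines, and the naming heuristic (`NAME_PATTERN`) are assumptions, while the domains and the IP address are taken from this report.

```python
import re

# Indicators copied from this report (defanged as published).
REPORTED_DOMAINS = ["365coinmode[.]com", "365graphiccoin[.]com",
                    "spartan-trade[.]com", "networkfsi[.]com"]
REPORTED_IP = "45[.]63[.]119[.]177"

# Assumption: a naming heuristic inferred from the reported domains
# ("365"/"21" prefix with "coin" at the start or end of the word part).
NAME_PATTERN = re.compile(r"^(?:365|21)(?:coin[a-z]+|[a-z]+coin)\.com$")


def refang(indicator):
    """Turn a defanged indicator into a bare lowercase host or IP."""
    value = indicator.strip().lower()
    value = value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")
    value = re.sub(r"^https?://", "", value)   # drop scheme if a URL was given
    return value.split("/")[0].rstrip(".")


IOC_DOMAINS = {refang(d) for d in REPORTED_DOMAINS}
IOC_IP = refang(REPORTED_IP)


def classify(qname, answer):
    """Return the reasons a DNS query/answer pair matches the campaign."""
    host = refang(qname)
    registered = ".".join(host.split(".")[-2:])   # adequate for .com; not a PSL lookup
    reasons = []
    if registered in IOC_DOMAINS:
        reasons.append("ioc")       # exact match on a reported domain
    if NAME_PATTERN.match(registered):
        reasons.append("pattern")   # heuristic only; triage before blocking
    if answer == IOC_IP:
        reasons.append("ip")        # shared hosting IP; weak signal on its own
    return reasons


def scan(log_lines):
    """Parse 'timestamp client qname qtype answer' lines; return the hits."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5 or fields[3] != "A":
            continue   # skip malformed lines and non-A records
        _, client, qname, _, answer = fields
        reasons = classify(qname, answer)
        if reasons:
            hits.append((client, refang(qname), reasons))
    return hits


# Constructed resolver log lines; clients and non-campaign answers are made up.
SAMPLE_LOG = [
    "2022-09-05T10:01:12Z 10.0.0.12 365coinmode.com A 45.63.119.177",
    "2022-09-05T10:01:40Z 10.0.0.12 WWW.365GraphicCoin.com. A 45.63.119.177",
    "2022-09-05T10:02:03Z 10.0.0.31 spartan-trade.com A 203.0.113.20",
    "2022-09-05T10:02:55Z 10.0.0.44 365samplecoin.com A 203.0.113.9",
    "2022-09-05T10:03:10Z 10.0.0.44 host.example.net A 45.63.119.177",
    "2022-09-05T10:03:30Z 10.0.0.50 example.org A 198.51.100.7",
    "2022-09-05T10:03:31Z 10.0.0.50 truncated-line",
]

if __name__ == "__main__":
    for client, host, reasons in scan(SAMPLE_LOG):
        print(f"{client:<10} {host:<26} {'+'.join(reasons)}")
```

A hit that carries several reasons is a stronger lead than a lone "pattern" or "ip" match, since the naming heuristic and the shared hosting address can each match unrelated sites.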
Prevention and Mitigation
These malvertising scams have the following features in common:
- The name of the domain involved in a scam is irrelevant to the scam’s theme.
- The text of the initial advertisement on Facebook is automatically translated to several languages.
- Typos are easy to spot.
- The parties that own the LinkedIn profiles used in the scams claim to be financial advisors.
- None of the YouTube videos or links that appear to point to popular domains actually redirect to any popular domains.
- The faces appearing on the websites are edited or the photos are unrelated and have been taken from other articles.
- There is no phone number or address of the company. Often, these scams are set up from abroad.
Indicators of Compromise
The table below provides a list of the IOCs relevant to our recent findings, which can also be found in our GitHub repository.[10]
Endnotes
1. https://blog.confiant.com/fake-celebrity-endorsed-scam-abuses-ad-tech-to-net-1m-in-one-day-ffe330258e3c
2. https://www.ftc.gov/news-events/data-visualizations/data-spotlight/2022/01/social-media-gold-mine-scammers-2021
3. https://knowledge.insead.edu/marketing/why-facebook-rebranding-itself-meta
4. https://www.ibm.com/case-studies/inblock-blockchain-ibm
5. https://www.facebook.com/SoulCircuitMusic/
6. https://www.discogs.com/artist/3961188-SoulCircuit
7. https://soundcloud.com/soulcircuitmusic
8. https://www.santander.co.uk/about-santander/media-centre/press-releases/santander-warns-about-celebrity-endorsed-crypto-scams
9. https://www.ellinikahoaxes.gr/2022/09/01/scam-metacoin-cryptocurrency/
10. https://github.com/infobloxopen/threat-intelligence/tree/main/cta_indicators