
Tenable Blog


Cash App Scams: Legitimate Giveaways Provide Boost to Opportunistic Scammers

Scammers target vulnerable Cash App users on Twitter and Instagram through fake requests, money flipping and mobile application referrals, while YouTube videos promote fake Cash App generators. Here’s what you need to know. 

Cash App, the popular person-to-person (P2P) payment service application from Square, has been steadily growing since its debut in late 2013. The service’s growth has been fueled by a promotional marketing campaign offering cash giveaways to those who engage with the brand on various social media platforms. The success of these promotions, in turn, is emboldening an army of scammers who employ a variety of cons to separate social media users from their hard-earned cash.

A look at the numbers makes it easy to see why Cash App is such a promising target for scammers. According to an August 2019 MarketWatch article, Cash App received a whopping 2.4 million downloads in July 2019. The same article notes Cash App has been downloaded 59.8 million times since its 2013 launch, outpacing its biggest competitor, Venmo, which has been downloaded 52.7 million times. 

Music has played a role in fueling Cash App’s popularity, as 200 rap artists have namechecked the app in song lyrics and used the app to give money to fans, whether “just because,” as Lil B did, or as part of a giveaway promotion for scoring a number one album, as Travis Scott did.

Some consumer brands have also activated marketing campaigns using the service. For example, Burger King began its Whopper Loans promotion by teasing a giveaway using Cash App.

This two-part series details the practices I uncovered while researching these scammers from July to September 2019. This research is not meant to be a comprehensive overview of all such scams; rather it’s an analysis of behavioral trends among a group of scammers targeting the popularity and interest around one particular application. 

Here, in part one, I explore how Cash App’s soaring popularity is attracting opportunistic scammers and their methods of operation on Twitter and Instagram. In part two, I provide further details on the tactics used by Cash App scammers on Instagram, as well as examine videos hosted on YouTube, which claim to provide ways to earn “free money” and “hack” Cash App. In addition, I provide guidance and advice on how users of the P2P payment service can avoid being conned.  

#CashAppFriday and #SuperCashAppFriday Giveaways


Since 2017, Square has been running a weekly giveaway for Cash App users under the hashtag #CashAppFriday and, in one instance, #CashAppWednesday. The premise is very simple: Cash App posts about the giveaway every Friday using #CashAppFriday or #SuperCashAppFriday on Instagram and Twitter, and users enter by sharing the post to their story, retweeting it or replying with their $cashtag, a unique ID that makes it easier for users and businesses to send and receive money. The company randomly selects winners and deposits an unspecified amount of money into their Cash App accounts. More recently, the company launched a larger giveaway called #SuperCashAppFriday, with total prize pools from $10,000 to $75,000 and individual deposits of anywhere between $100 and $500 into Cash App user accounts.


Needless to say, #CashAppFriday has been extremely popular. Each week, it is one of the top trends on Twitter, receiving thousands of tweets during each event.


On Instagram, a recent Cash App giveaway of $75,000 resulted in Instagram limiting comments on the post, showcasing just how popular these Cash App giveaways are.


Unsurprisingly, Cash App’s legitimate giveaways are a breeding ground for scammers.

Seeding #CashAppFriday Scams

The most obvious place to find Cash App scammers is in the replies to Square’s Cash App social media accounts on Twitter and Instagram during #CashAppFriday and #SuperCashAppFriday.


Cash App scammers tend to post some variation of the same theme: giving away “X” dollars to the first “Y” users who retweet the post. They’ll also ask users to reply with, and/or send them a Direct Message (DM) containing, their $cashtags.


However, not all Cash App scammers reply directly to @CashApp on Twitter. Instead, they’ll “ride the hashtag” because Cash App’s hashtags always trend on Twitter.


In the course of my research, I’ve also encountered some Cash App scammers not using any of the Cash App hashtags whatsoever. These typically involve the same promise of a giveaway to the first X number of users who retweet and include their “cashapp name” ($cashtag).


Check The Replies

In the tweets from Cash App scammers, you’ll often find a sea of $cashtags from users in the replies, similar to what you’d find in the replies to the real @CashApp Twitter account. Interspersed through these replies, you’ll see the Cash App scammer replying with “Dm me” messages to potential victims.


Interestingly enough, some of the Cash App scammers use their other scam accounts to foster fake engagement by liking, retweeting or replying in an effort to create a sense of legitimacy around their scams.


Case in point: A Cash App scam account named “Eva” tweeted out a giveaway to the “first 900” people. In the replies to Eva, three separate Cash App scam accounts responded claiming the offer is legitimate, even including screenshots from Cash App to support their claims. A few red flags are presented here.

First, the screenshots show dollar values both smaller and larger than the offered amount of $900. Second, the screenshots are taken from the scammer’s own perspective, which is unusual: they read that a dollar amount “was instantly deposited to your bank account,” meaning money was cashed out from Cash App to a bank account, not sent to a Cash App user. Most of the Cash App scammers I’ve observed instead post screenshots that appear to show money being sent to unidentified users.

Finally, and most importantly, look closely at the dollar amount being offered and the number of users eligible for the giveaway. In this case, it is $900 for each of 900 users, which works out to $810,000. When Cash App itself runs giveaways, it normally offers a far more modest sum, as low as $5 per person in some cases. Even in promotions where the amounts are higher, such as a #SuperCashAppFriday, the total prize pool has ranged from $10,000 to $75,000. The math just doesn’t add up, and in most Cash App scam giveaways, it never will.


There are even some instances where different Cash App scammers will encroach on the territory of other Cash App scammers, as seen in the screenshot above. 

In addition to seeing such screenshots of Cash App transactions, I’ve also seen some Cash App scammers favorite and retweet videos and images of people holding large sums of cash, claiming they received them from the Cash App scammer. While not confirmed, I suspect these accounts are also owned and operated by the scammers.


Cash Flipping: A Timeless Con

Behind these so-called Cash App scam giveaways, there’s a timeless con at work. It is illustrated in an Abbott and Costello skit, called “Two Tens for a Five,” which begins with an unsuspecting Costello being asked by Abbott if he can exchange two $10 bills for his $5 bill, resulting in a $15 profit for Abbott and a $15 loss for Costello.

In the case of Cash App scams, they follow the blueprint of what’s called money (or cash) flipping. The victims are asked by the scammers to put up a certain amount of money, which can range from as little as $10 to as much as $1,000. The scammers claim they can modify (or “flip”) the transaction after it’s been posted because they have some “software” or because they are a customer service representative, allowing them to change the value in whatever payment service they use (in this case, Cash App). All they ask is that the victim provides them with a small cut for their “services.”

Money flipping isn’t new to social media; it’s been pervasive on Twitter, Facebook, Instagram and Snapchat for years. What makes this particular form of money flipping so nefarious and successful is that it capitalizes on a legitimate giveaway proposition from a reputable company — Square and its Cash App product — and then victimizes people who are hoping to be selected in that legitimate giveaway. In a perverse indicator of their success, it seems the legitimate Cash App giveaways are prompting other money flipping scammers to switch over to Cash App as their product of choice.

It Goes Down In The DM 

When users are asked to DM these Cash App scammers, they’ll be told that there’s one more required step before they receive the giveaway prize.


The Cash App scammers claim to be “customer service representatives” at Cash App and talk about how they can “flip transactions from my system.” They then talk about example dollar amounts that can be flipped to higher amounts, starting at the lower end (e.g. $50), all the way up to a larger amount (e.g. $100). They also claim they have proof. If pressed with further questions, the scammers will stop responding.

If a user agrees to the con, they’ll be asked to send the initial payment to the Cash App scammer. In reality, the scammer pockets the payment and never responds again, leaving the user out in the cold. However, I speculate that in some instances, certain Cash App scammers may perform a smaller “flip” first in order to gain the user’s trust. For example, they may actually deliver on a promise to turn $2 into $20 to “prove” the flip works. It is a minimal investment from the scammer’s perspective in exchange for the victim’s trust. From there, the scammer will ask the user to send a higher amount, from $50 to $100. This type of trust-gaining flip is likely fairly rare; in my estimation, the majority of users send a certain dollar amount to the Cash App scammer and never hear from them again.

Gift Card Scammers Find New Home in Cash App Giveaways

In other cases I’ve observed, some Cash App scammers ask the victim to “prove their trust” by going to a website or a brick-and-mortar store and purchasing a prepaid gift card, then handing over the card details.


In a 2018 article, the United States Federal Trade Commission (FTC) reported a staggering 270 percent increase since 2015 in scammers demanding payment by gift card. It is therefore not surprising to see this tactic trickle into the world of Cash App scams: funds drained from a gift card are far harder to trace than a payment sent to a Cash App scammer, who is using the platform with an associated $cashtag and telephone number.

Abuse of Referral Bonuses

Besides gift cards, another Cash App scam involves the promise of a “blessing” in exchange for the user signing up for cashback services, like Dosh Cash, and the price drop monitoring service Waldo, neither of which is affiliated with Square’s Cash App.


Dosh Cash and Waldo incentivize referrals, offering $5 per referral for users who sign up using a referral link or code and link a credit or debit card. As seen in the tweets above, one Cash App scammer convinced a user to sign up to both services. In the DMs, you’ll see this user say “I did my part you need to do yours” and “You told me to do that with the last link and you still didn’t cash app me.” The Cash App scammer this person has engaged with has been operating this particular scheme since at least 2018.


Incoming Requests from Cash App Scammers

Typically on #CashAppFriday, Cash App will randomly send money to users replying to its tweets or Instagram posts. Users lucky enough to be recipients of a real “Cash App Blessing” will sometimes share screenshots and thank the company.


The screenshot above shows a genuine interaction from a user who actually received $5 from the real Cash App account. You can tell the requests are coming from the real Cash App account because the $cashtag here is $cashapp.

Still, that hasn’t stopped Cash App scammers from impersonating the company. Instead of sending money to unsuspecting users, the Cash App scammers will use the “request” functionality of Cash App to ask users for money for “verification” purposes.


In the example above, a user initially thought they’d received a “blessing,” but instead were asked to send $10 for “verification” in order to receive $500. The Cash App scammer in this instance used the same profile photo as the real Cash App, but did not have the same name.


In another instance, a Cash App scammer used the same “request” functionality, but their account had a different profile image and the name included a space between the “C” and “ash” in the word Cash. Cash App prevents users from assigning “Cash App” to their Full Name in an effort to squelch name impersonation. Yet, that clearly hasn’t stopped scammers from finding workarounds.
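The “C ash App” workaround above illustrates why an exact-match name blocklist is weak protection against impersonation. The following is an added example, written for this article and not Cash App’s own code (the company’s actual check is not public; the exact-match behaviour below is only inferred from the text). It contrasts a naive blocklist that refuses the literal “Cash App” but passes “C ash App” with a normalizing check that folds case, spacing, punctuation, fullwidth forms and a handful of Unicode look-alike letters before comparing, and also flags near misses such as “Cashaap”. The protected-name list, the homoglyph table and the similarity threshold are assumptions made for this example; the sample display names are constructed from the patterns described in the article.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Names a platform would reserve for itself. Assumed for this example; the
# article only tells us that the literal "Cash App" is refused as a Full Name.
PROTECTED_NAMES = ("Cash App", "Cash Support")

# A small look-alike table mapping characters scammers substitute for Latin
# letters. Constructed for this example; a real deployment would use the full
# Unicode confusables data.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a",  # Cyrillic small a
    "\u0441": "c",  # Cyrillic small es
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0455": "s",  # Cyrillic small dze
    "\u04bb": "h",  # Cyrillic small shha
    "@": "a",
    "0": "o",
    "1": "l",
    "3": "e",
    "5": "s",
})


def naive_is_blocked(name: str) -> bool:
    """Exact-match blocklist: the behaviour the article describes, which
    refuses "Cash App" but lets "C ash App" through."""
    return name.strip().lower() in {n.lower() for n in PROTECTED_NAMES}


def normalize_display_name(name: str) -> str:
    """Reduce a display name to a canonical ASCII form so that spacing,
    punctuation, case, fullwidth forms and look-alike letters no longer
    distinguish "C ash App", "CASH-APP" or a Cyrillic-C "Cash App"
    from "cashapp"."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = folded.translate(HOMOGLYPHS)
    return re.sub(r"[^a-z0-9]", "", folded)


def is_impersonation(name: str, threshold: float = 0.85) -> bool:
    """Flag a display name for review if, after normalization, it contains a
    protected name or is a near miss (typo-squat) of one. The threshold is an
    assumed tuning value, not a published figure."""
    canon = normalize_display_name(name)
    if not canon:
        return False
    for protected in PROTECTED_NAMES:
        target = normalize_display_name(protected)
        if target in canon:
            return True
        if SequenceMatcher(None, canon, target).ratio() >= threshold:
            return True
    return False


def triage(names):
    """Return only the names the normalizing check would send for review."""
    return [n for n in names if is_impersonation(n)]


if __name__ == "__main__":
    # Constructed sample display names modelled on the patterns in the article.
    samples = ["Cash App", "C ash App", "\u0421ash App", "cash_app_support",
               "Cash-App Rep", "Cashaap", "Essence", "Patrick Bowker", "Jack Dorsey"]
    for n in samples:
        print(f"{n!r:22} naive_blocked={naive_is_blocked(n)!s:5} "
              f"flagged={is_impersonation(n)}")
```

Flagging rather than hard-blocking is deliberate: a substring or similarity match will occasionally catch a legitimate name, so the normalized check is best used to route accounts to review, while the strict exact-match refusal remains the hard stop.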

Impersonation Persists in Cash App Scams

I’ve previously reported on the phenomenon of impersonation on social media apps like TikTok. So it’s no surprise to see scammers are using impersonation tactics in Cash App scams in a few ways. The most obvious impersonators in Cash App scams are those posing as the real Cash App or claiming to be customer service representatives at Cash App.


Some impersonation accounts use official image assets from Cash App. Others use assets that are similar, but not exactly the same.


Another interesting aspect of the impersonator above is their claim to also accept payments via Apple Pay, which includes a screenshot of an Apple Cash card with over $2,000 on it. Apple Cash is Apple’s own P2P product designed to compete with Venmo and Cash App.


Some impersonators claiming to be Cash App representatives use photos of real people. In the case above, the impersonator calls themselves Nickoli Foxworth. In actuality, “Nickoli” is using a photo of a Slovak entrepreneur named Pavol Krúpa.


No impersonation would be complete if Cash App scammers didn’t impersonate Twitter and Square CEO Jack Dorsey.


This same Jack Dorsey impersonator on Twitter was also operating their scam on Instagram, where they had gained nearly 3,000 followers. The impersonator claimed they were “hacked” at 16,000 followers, but it is more likely that Instagram removed their previous impersonation page.


Outside of so-called “Cash App Representatives” and Jack Dorsey impersonations, many of the Cash App scammers are likely using stolen photographs and images of real people to create their accounts.

For instance, one Cash App scammer was using photographs and impersonating an Instagram model named Valentina Adall.


The Cash App scammer, who had 12,000 followers, would post offers for #CashAppFriday. When users would DM them, they’d be given the same spiel about being able to alter transactions into a “larger amount” on Cash App or Apple Pay.


In this instance, the Cash App scammer is asking for $300 right off the bat, which is a lot more than most Cash App scammers ask for initially.

Valentina Adall does have a Twitter account and she specifies in her bio that it is her “ONLY account,” which implies she’s been impersonated on Twitter before.


She was made aware of the Cash App scammer’s impersonation account, sarcastically retweeting one of their tweets saying they look alike and “could be twins.”


Not all impersonations are direct impersonations. I’ve observed a Cash App scam account using photos and video content from Hollywood Dollz member Famous Ocean, but calling themselves “Essence.”


For example, the avatar image used by the Cash App scammer called “Essence” was taken from Famous Ocean’s Instagram page.


In another example, a Cash App scammer calling themselves Patrick Bowker claimed to be “blessing those in need via cashapp.”


In this case, Patrick Bowker is using an image of ex-Google CEO and Chairman Eric Schmidt.


Outside of #CashAppFriday, Cash App scammers also target giveaways not directly affiliated with Cash App but which happen to utilize Cash App as a platform to send money. Alfredo Villa, a popular YouTuber who goes by the name “Prettyboyfredo,” runs Cash App giveaways on his Twitter account for his nearly 400,000 Twitter followers. 


When people see these giveaways, they instantly respond with their $cashtags. A $cashtag is all that is needed to send someone a payment request in Cash App, so responding publicly hands scammers exactly the information they need to target these unsuspecting users.


A Cash App user tweeted at @Prettyboyfredo, asking him about the giveaway and posting a screenshot of a Cash App request for $20 they received. The message said “congrats you won verify real account to get $1,000.” This is similar to the fake Cash App accounts sending incoming requests that I noted earlier.


Targeting these unaffiliated Cash App giveaways appears to be a successful endeavor for the scammers, as evidenced in the image above. So even when Cash App scammers aren’t creating impersonation accounts on Twitter, they have found it much easier to simply create an impersonation account within Cash App itself.

Outside of direct impersonations of the Cash App brand, its CEO and notable figures, I believe it is safe to assume the majority of Cash App scammers are using stolen images and video content to create fake personas.

Cash App Phishing

During my research, I also encountered attempts at phishing Cash App users. A user named @dropyourcashtag was riding the #CashAppFriday hashtag, DMing users to say they had won the giveaway, claiming the payment had been sent and including a link to a website with the instruction to “go on and receive it.”


Unlike most apps and services, Cash App does not ask for a password. Instead, it asks for an email address or phone number as the username, which triggers a request for a one-time use “login code,” also known as a one-time password (OTP). The code is delivered to the user’s email address or mobile phone, as seen in the image below.


Therefore, Cash App phishing websites will look different from a normal phishing website.


In the example above, the Cash App phishing website prefaces that the cashtag “$cash” (which isn’t affiliated with Cash App) has “initiated deposit of $1000 to your Cashapp.” 


The Cash App phishing website uses a valid TLS (still commonly called SSL) certificate obtained from Let’s Encrypt, so the browser shows the usual padlock; the padlock only means the connection is encrypted, not that the site is legitimate. The page asks for an email address or mobile number and is followed by a second screen asking the user for their OTP. Entering an invalid OTP results in an error message, which implies some type of verification is happening, possibly by relaying the code to the real service in real time, to ensure the user provides a valid OTP. To safeguard my privacy during this research, I did not provide my OTP.


However, I did observe a Twitter user who proceeded to provide their information to one of these Cash App phishing websites and reached a fake webpage saying “Payment Failed.” The error message would likely trick the user into believing there was merely a technical problem in sending the so-called giveaway payment, rather than a scam.

I was able to identify at least two Cash App phishing links, both of which used the Bitly URL shortening service. Statistics from those two links showed they each received over 500 clicks, mostly from users in the United States with a few clicks from the United Kingdom, Nigeria, Philippines, Australia and Guatemala. While Cash App is available outside the United States, the giveaways for #SuperCashAppFriday and #CashAppFriday are limited to U.S. participants.


Tenable notified Cash App about our research findings prior to publication. A spokesperson for Cash App provided us with the following statement:

"We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (eg: use our name or logo without permission) or seek to take advantage of our customers.

As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately." 

In part two of this series, I provide details on how Cash App scammers similarly operate on Instagram and explore how scammers are creating YouTube videos claiming to offer ways to earn free money through Cash App by downloading apps. Part two also includes tips and best practices to help users avoid falling for these schemes.
