Full Report
Cybersecurity researchers are calling attention to a new kind of investment scam that leverages a combination of social media malvertising, company-branded posts, and artificial intelligence (AI) powered video testimonials featuring famous personalities, ultimately leading to financial and data loss. "The main goal of the fraudsters is to lead victims to phishing websites and forms that harvest
Analysis Summary
# Incident Report: Nomani Pig Butchering Cryptocurrency Investment Scam
## Executive Summary
The "Nomani" campaign is an aggressive, growing investment scam leveraging social media malvertising, AI-generated testimonials of famous personalities, and sophisticated social engineering (including Europol/INTERPOL lures) to direct victims to cryptocurrency phishing websites. The primary goal is the theft of personal and financial data, followed by direct financial manipulation through follow-up calls, culminating in typical 'pig butchering' outcomes where victims lose all funds after being coerced into paying fake fees.
## Incident Details
- Discovery Date: H2 2024 (as tracked by ESET)
- Incident Date: Active throughout H2 2024, with over 100 new URLs detected daily between May and November 2024.
- Affected Organization: Unspecified victims globally.
- Sector: Financial Services (Cryptocurrency/Investment)
- Geography: Global, with signs of Russian-speaking threat actors (indicated by Cyrillic comments).
## Timeline of Events
### Initial Access
- Date/Time: Ongoing throughout H2 2024.
- Vector: Fraudulent advertisements (malvertising) published on social media platforms (e.g., Meta platforms).
- Details: Ads were pushed from a mix of fake and stolen legitimate profiles associated with small businesses, governmental entities, and micro-influencers. Distribution also occurred via Messenger, Threads, and deceptive positive Google reviews. A secondary lure involved promising victims of prior scams refunds via Europol/INTERPOL contact information.
### Lateral Movement
*Not applicable in the typical sense; movement was focused on moving the victim from social media to the attacker-controlled phishing infrastructure.*
### Data Exfiltration/Impact
- Date/Time: Post-phishing engagement, via direct phone calls.
- Details: After obtaining contact information, cybercriminals directly called victims. They manipulated them into investing in non-existent products, leading to financial loss. Victims were further coerced into taking out loans or installing remote access applications. Final data extraction involved compelling victims to provide ID and credit card information under the guise of paying fake withdrawal fees.
### Detection & Response
- Detection: Tracked and reported by ESET in their H2 2024 Threat Report.
- Response: ESET monitoring and industry discussion/alerting regarding the 335% campaign growth. (Note: No specific organizational response data is provided as this summary details a broad campaign tracked by a vendor).
## Attack Methodology
- Initial Access: Social Media Malvertising (Fake/Stolen Profiles), SEO gaming (deceptive Google reviews).
- Persistence: Maintaining contact with victims via direct phone calls after the phishing stage, and persuading victims to install remote access applications on their devices.
- Privilege Escalation: Not applicable (Financial fraud, not network breach); social engineering used to escalate financial trust.
- Defense Evasion: Exploitation of trust mechanisms via high-profile social engineering (famous people testimonials, official-looking branding).
- Credential Access: Harvesting of contact details, ID information, and credit card details via phishing forms.
- Discovery: Use of Yandex tools for visitor tracking on fraudulent sites.
- Lateral Movement: N/A (Focus on victim interaction flow).
- Collection: Gathering personal identification details and financial instruments.
- Exfiltration: Direct collection of funds through forced investments and fees (Pig Butchering model).
- Impact: Financial loss and data compromise.
## Impact Assessment
- Financial: Direct loss of victims' invested money, potential loan amounts, and fees paid.
- Data Breach: Personal information, ID details, and credit card information stolen.
- Operational: Direct operational impact is on the victims, not on a specific targeted organization's network.
- Reputational: Damage to the reputation of targeted influencers/organizations whose identities were impersonated for the scam ads.
## Indicators of Compromise
- Network Indicators: Over 100 newly registered URLs detected daily, hosting sites that imitate local media outlets.
- File Indicators: Not explicitly listed, but implied installation of remote access applications on victim devices.
- Behavioral Indicators: Victims being coerced into contacting "Europol/INTERPOL" for recovery assistance; investment into platforms using names like Quantum Bumex, Immediate Mator, or Bitcoin Trader.
## Response Actions
- Containment: Ongoing campaigns tracked by ESET and researchers.
- Eradication: Not fully detailed, but takedown of the malicious ads and phishing domains appears necessary.
- Recovery: Victims are likely required to engage financial institutions regarding lost funds and identity theft.
## Lessons Learned
- Social engineering combined with AI-generated content (video testimonials) is highly effective at circumventing user caution regarding online investments.
- Scammers are evolving tactics to target victims of previous scams (using Europol/INTERPOL lures) for immediate secondary exploitation.
- The operational structure likely involves specialized teams for ad creation, phishing infrastructure, and high-touch call centers, similar to established large-scale fraud operations.
## Recommendations
- Implement strong brand monitoring across social media platforms to detect and report impersonation early.
- Enhance user education regarding official communications versus unsolicited investment opportunities advertised via social media malvertising.
- Financial institutions should be aware of rapid, high-pressure investment requests or demands for fees to release "profits."
- Security solutions should focus on behavioral detection for social engineering calls, especially involving remote access application installation requests.