Cash App Scams: Legitimate Giveaways Boost Opportunistic Scammers

Scammers target vulnerable Cash App users on Twitter and Instagram through fake requests, money flipping and mobile application referrals, while YouTube videos promote fake Cash App generators. Here’s what you need to know. 

Cash App, the popular person-to-person (P2P) payment service application from Square, has been steadily growing since its debut in late 2013. The service’s growth has been fuelled by a promotional marketing campaign offering cash giveaways to those who engage with the brand on various social media platforms. The success of these promotions, in turn, is emboldening an army of scammers who employ a variety of cons to separate social media users from their hard-earned cash.

A look at the numbers makes it easy to see why Cash App is such a promising target for scammers. According to an August 2019 MarketWatch article, Cash App received a whopping 2.4 million downloads in July 2019. The same article notes Cash App has been downloaded 59.8 million times since its 2013 launch, outpacing its biggest competitor, Venmo, which has been downloaded 52.7 million times. 

Music has played a role in fueling Cash App’s popularity, as 200 rap artists have namechecked the app in song lyrics and used the app to give money to fans, whether “just because,” as Lil B did, or as part of a giveaway promotion for scoring a number one album, as Travis Scott did.

Some consumer brands have also activated marketing campaigns using the service. For example, Burger King began its Whopper Loans promotion by teasing a giveaway using Cash App.

This two-part series details the practices I uncovered while researching these scammers from July to September 2019. This research is not meant to be a comprehensive overview of all such scams; rather it’s an analysis of behavioral trends among a group of scammers targeting the popularity and interest around one particular application. 

Here, in part one, I explore how Cash App’s soaring popularity is attracting opportunistic scammers and their methods of operation on Twitter and Instagram. In part two, I provide further details on the tactics used by Cash App scammers on Instagram, as well as examine videos hosted on YouTube, which claim to provide ways to earn “free money” and “hack” Cash App. In addition, I provide guidance and advice on how users of the P2P payment service can avoid being conned.  

#CashAppFriday and #SuperCashAppFriday Giveaways

Since 2017, Square has been running a weekly giveaway to Cash App users under the hashtag #CashAppFriday and, in one instance, #CashAppWednesday. The premise is very simple: Cash App will post about the giveaway every Friday using #CashAppFriday or #SuperCashAppFriday on Instagram and Twitter, and users can enter the giveaway by sharing to their story, retweeting or replying to the posts with their $cashtag, a unique ID for users and businesses to make it easier to send and receive money. The company randomly selects winners and deposits an unspecified amount of money into their Cash App accounts. More recently, the company launched another giveaway called #SuperCashAppFriday, offering total prizes from $10,000 to $75,000, depositing anywhere between $100 to $500 into Cash App user accounts.

Needless to say, #CashAppFriday has been extremely popular. Each week, it is one of the top trends on Twitter, receiving thousands of tweets during each event.

On Instagram, a recent Cash App giveaway of $75,000 resulted in Instagram limiting comments on the post, showcasing just how popular these Cash App giveaways are.

Unsurprisingly, Cash App’s legitimate giveaways are a breeding ground for scammers.

Seeding #CashAppFriday Scams

The most obvious place to find Cash App scammers is in the replies to Square’s Cash App social media accounts on Twitter and Instagram during #CashAppFriday and #SuperCashAppFriday.

Cash App scammers tend to post some variation of the same theme: Giving away “X” amount of dollars to the first “Y” number of users to retweet this tweet. They’ll also ask users to reply with and/or send them a Direct Message (DM) with their $cashtags.

However, not all Cash App scammers reply directly to @CashApp on Twitter. Instead, they’ll “ride the hashtag” because Cash App’s hashtags always trend on Twitter.

In the course of my research, I’ve also encountered some Cash App scammers not using any of the Cash App hashtags whatsoever. These typically involve the same promise of a giveaway to the first X number of users who retweet and include their “cashapp name” ($cashtag).

Check The Replies

In the tweets from Cash App scammers, you’ll often find a sea of $cashtags from users in the replies, similar to what you’d find in the replies to the real @CashApp Twitter account. Interspersed through these replies, you’ll see the Cash App scammer replying with “Dm me” messages to potential victims.

Interestingly enough, some of the Cash App scammers use their other scam accounts to foster fake engagement by liking, retweeting or replying in an effort to create a sense of legitimacy around their scams.

Case in point: A Cash App scam account named “Eva” tweeted out a giveaway to the “first 900” people. In the replies to Eva, three separate Cash App scam accounts responded claiming the offer is legitimate, even including screenshots from Cash App to support their claims. A few red flags are presented here.

First, the screenshots include dollar values less than or greater than the offered amount of $900. Second, the screenshots are from the perspective of the scammer, which is unusual. This is because it says a dollar amount “was instantly deposited to your bank account,” which means money was transferred from Cash App to a bank account, not to a Cash App user. It is unusual because most of the Cash App scammers I’ve observed tend to post screenshots with examples of money being sent to unidentified users.

Finally, and most importantly, look closely at the dollar amount being offered and the number of users eligible for the giveaway. In this case, it is $900 for 900 users, which equals $810,000. When Cash App itself does giveaways, it normally offers a more modest sum of money — as low as $5 per person in some cases. Even in promotions where the giveaway amounts are higher — such as a #SuperCashAppFriday — the offer would never exceed $10,000-$75,000 in total. The math just doesn’t add up, and in most Cash App scam giveaways, it never will.

There are even some instances where different Cash App scammers will encroach on the territory of other Cash App scammers, as seen in the screenshot above. 

In addition to seeing such screenshots of Cash App transactions, I’ve also seen some Cash App scammers favorite and retweet videos and images of people holding large sums of cash, claiming they received them from the Cash App scammer. While not confirmed, I suspect these accounts are also owned and operated by the scammers.

Cash Flipping: A Timeless Con

Behind these so-called Cash App scam giveaways, there’s a timeless con at work. It is illustrated in an Abbott and Costello skit, called “Two Tens for a Five,” which begins with an unsuspecting Costello being asked by Abbott if he can exchange two $10 bills for his $5 bill, resulting in a $15 profit for Abbott and a $15 loss for Costello.

In the case of Cash App scams, they follow the blueprint of what’s called money (or cash) flipping. The victims are asked by the scammers to put up a certain amount of money, which can range from as little as $10 to as much as $1,000. The scammers claim they can modify (or “flip”) the transaction after it’s been posted because they have some “software” or because they are a customer service representative, allowing them to change the value in whatever payment service they use (in this case, Cash App). All they ask is that the victim provides them with a small cut for their “services.”

Money flipping isn’t new to social media; it’s been pervasive on Twitter, Facebook, Instagram and Snapchat for years. What makes this particular form of money flipping so nefarious and successful is that it capitalizes on a legitimate giveaway proposition from a reputed company — Square and its Cash App product — and then victimizes people who are hoping to be selected in this legitimate giveaway. In a perverse indicator of their success, it seems the legitimate Cash App giveaways are fueling other money flipping scammers to switch over to Cash App as their product of choice.

It Goes Down In The DM 

When users are asked to DM these Cash App scammers, they’ll be told that there’s one more required step before they receive the giveaway prize.

The Cash App scammers claim to be “customer service representatives” at Cash App and talk about how they can “flip transactions from my system.” They then talk about example dollar amounts that can be flipped to higher amounts, starting at the lower end (e.g. $50), all the way up to a larger amount (e.g. $100). They also claim they have proof. If pressed with further questions, the scammers will stop responding.

If a user agrees to the con, they’ll be asked to send the initial payment to the Cash App scammer. The reality is that the Cash App scammer will receive the payment and never respond back to the user after they’ve received the initial payment, leaving the user out in the cold. However, I speculate that in some instances, certain Cash App scammers may offer a smaller “flip” in order to gain the trust of the user first. For example, they may actually deliver on a promise to turn $2 into $20 to prove the “flip” works. It is a minimal investment from the Cash App scammer’s perspective in order to earn the trust of the victim. From there, the scammer will ask the user to try sending them a higher dollar amount, from $50 to $100. This type of trust-gaining flip is likely fairly rare; in my estimation, the majority of users will send a certain dollar amount to the Cash App scammer, never to hear from them again.

Gift Card Scammers Find New Home in Cash App Giveaways

In other cases I’ve observed, some Cash App scammers will ask the recipient to gain their trust by asking them to go to a website or a brick-and-mortar store and purchase a prepaid “gift” card.

In a 2018 article from the United States Federal Trade Commission (FTC), the agency observed a staggering 270 percent increase in the demand for gift card payments from scammers since 2015. Therefore, it is not surprising to see remnants of this trickle into the world of Cash App scams, because it’s a lot harder to trace back theft of funds from a gift card than it is to identify a Cash App scammer using the platform with an associated $cashtag and telephone number.

Abuse of Referral Bonuses

Besides gift cards, another Cash App scam involves the promise of a “blessing” in exchange for the user signing up to cashback services, like Dosh Cash, and price drop monitoring service Waldo, neither of which is affiliated with Square’s Cash App.

Dosh Cash and Waldo incentivize referrals, offering $5 per referral for users who sign up using a referral link or code and link a credit or debit card. As seen in the tweets above, one Cash App scammer convinced a user to sign up to both services. In the DMs, you’ll see this user say “I did my part you need to do yours” and “You told me to do that with the last link and you still didn’t cash app me.” The Cash App scammer this person has engaged with has been operating this particular scheme since at least 2018.

Incoming Requests from Cash App Scammers

Typically on #CashAppFriday, Cash App will randomly send money to users replying to its tweets or Instagram posts. Users lucky enough to be recipients of a real “Cash App Blessing” will sometimes share screenshots and thank the company.

The screenshot above shows a genuine interaction from a user who actually received $5 from the real Cash App account. You can tell the requests are coming from the real Cash App account because the $cashtag here is $cashapp.

Still, that hasn’t stopped Cash App scammers from impersonating the company. Instead of sending money to unsuspecting users, the Cash App scammers will use the “request” functionality of Cash App to ask users for money for “verification” purposes.

In the example above, a user initially thought they’d received a “blessing,” but instead were asked to send $10 for “verification” in order to receive $500. The Cash App scammer in this instance used the same profile photo as the real Cash App, but did not have the same name.

In another instance, a Cash App scammer used the same “request” functionality, but their account had a different profile image and the name included a space between the “C” and “ash” in the word Cash. Cash App prevents users from assigning “Cash App” to their Full Name in an effort to squelch name impersonation. Yet, that clearly hasn’t stopped scammers from finding workarounds.
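
The space-in-the-name workaround described above, seen from the defender's side: an added example (not Cash App's code) that contrasts a hypothetical exact-match name filter with a normalized comparison. It goes beyond the single-space case to cover other separators, zero-width characters and a few look-alike letters; the look-alike table, function names and sample names and cashtags are constructed assumptions.

```python
import unicodedata

# Brand skeleton to protect and the official cashtag, both taken from the
# article ("Cash App", $cashapp). Everything else here is an assumption.
PROTECTED_SKELETONS = ("cashapp",)
OFFICIAL_CASHTAG = "$cashapp"

# Small constructed look-alike table covering the letters in "cashapp".
# A production filter would use the full Unicode confusables data instead.
LOOKALIKES = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s",
    "\u0430": "a",  # Cyrillic small a
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u04bb": "h",  # Cyrillic small shha
    "\u0440": "p",  # Cyrillic small er
})


def naive_name_filter(display_name):
    """Hypothetical exact-match blocklist: the kind of check a single
    inserted space ("C ash App") walks straight past."""
    return display_name.strip().casefold() == "cash app"


def skeleton(display_name):
    """Reduce a display name to a comparison skeleton.

    NFKD folds compatibility forms (full-width letters, accents split into
    combining marks), casefold removes case, the table maps look-alikes, and
    the final filter drops spaces, punctuation, combining marks and
    zero-width characters.
    """
    folded = unicodedata.normalize("NFKD", display_name).casefold()
    folded = folded.translate(LOOKALIKES)
    return "".join(ch for ch in folded if ch.isalnum())


def classify(display_name, cashtag):
    """Label a sender by display name and cashtag.

    'official'       name matches the brand and the cashtag is $cashapp
    'impersonation'  name matches the brand but the cashtag is something else
    'no-brand-match' name does not resemble the brand (not proof of safety:
                     the article also shows a scammer reusing the profile
                     photo under a different name)
    Substring matching is deliberate and will also catch names such as
    "Cash App Support"; expect some false positives on ordinary names.
    """
    name_skeleton = skeleton(display_name)
    if not any(brand in name_skeleton for brand in PROTECTED_SKELETONS):
        return "no-brand-match"
    if cashtag.strip().casefold() == OFFICIAL_CASHTAG:
        return "official"
    return "impersonation"


if __name__ == "__main__":
    # Constructed sample senders; none are real accounts from the article.
    samples = [
        ("Cash App", "$cashapp"),
        ("C ash App", "$example-verify"),
        ("Ca\u200bsh-\u0410\u0440\u0440", "$example-bonus"),
        ("Jane Doe", "$janedoe"),
    ]
    for name, tag in samples:
        print(f"{name!r:24} {tag:18} naive_block={naive_name_filter(name)!s:5} "
              f"-> {classify(name, tag)}")
```
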

Impersonation Persists in Cash App Scams

I’ve previously reported on the phenomenon of impersonation on social media apps like TikTok. So it’s no surprise to see scammers are using impersonation tactics in Cash App scams in a few ways. The most obvious impersonators in Cash App scams are those posing as the real Cash App or claiming to be customer service representatives at Cash App.

Some impersonation accounts use official image assets from Cash App. Others use assets that are similar, but not exactly the same.

The other interesting aspect of the impersonator above is their claim to also accept payments via Apple Pay, which includes a screenshot of an Apple Cash card with over $2,000 on it. Apple Cash is Apple’s own P2P product designed to compete with Venmo and Cash App.

Some impersonators claiming to be Cash App representatives use photos of real people. In the case above, this impersonator calls themselves Nickoli Foxworth. In actuality, Nickoli is using a photo of a Czechoslovakian entrepreneur named Pavol Krúpa.

No impersonation would be complete if Cash App scammers didn’t impersonate Twitter and Square CEO Jack Dorsey.

This same Jack Dorsey impersonator on Twitter was also operating their scam on Instagram, where they had gained nearly 3,000 followers. The impersonator claimed they were “hacked” at 16,000 followers, but it is more likely that Instagram removed their previous impersonation page.

Outside of so-called “Cash App Representatives” and Jack Dorsey impersonations, many of the Cash App scammers are likely using stolen photographs and images of real people to create their accounts.

For instance, one Cash App scammer was using photographs and impersonating an Instagram model named Valentina Adall.

The Cash App scammer, who had 12,000 followers, would post offers for #CashAppFriday. When users would DM them, they’d be given the same spiel about being able to alter transactions into a “larger amount” on Cash App or Apple Pay.

In this instance, the Cash App scammer is asking for $300 right off the bat, which is a lot more than most Cash App scammers ask for initially.

Valentina Adall does have a Twitter account and she specifies in her bio that it is her “ONLY account,” which implies she’s been impersonated on Twitter before.

She was made aware of the Cash App scammer’s impersonation account, sarcastically retweeting one of their tweets saying they look alike and “could be twins.”

Not all impersonations are direct impersonations. I’ve observed a Cash App scam account using photos and video content from Hollywood Dollz member Famous Ocean, but calling themselves “Essence.”

For example, the avatar image used by the Cash App scammer called “Essence” was taken from Famous Ocean’s Instagram page.

In another example, a Cash App scammer calling themselves Patrick Bowker claimed to be “blessing those in need via cashapp.”

In this case, Patrick Bowker is using an image of ex-Google CEO and Chairman Eric Schmidt.

Outside of #CashAppFriday, Cash App scammers also target giveaways not directly affiliated with Cash App but which happen to utilize Cash App as a platform to send money. Alfredo Villa, a popular YouTuber who goes by the name “Prettyboyfredo,” runs Cash App giveaways on his Twitter account for his nearly 400,000 Twitter followers. 

When people see these giveaways, they instantly respond with their $cashtags. Responding with $cashtags provides scammers with the information they need to target these unsuspecting users.

A Cash App user tweeted at @Prettyboyfredo, asking him about the giveaway and posting a screenshot of a Cash App request for $20 they received. The message said “congrats you won verify real account to get $1,000.” This is similar to the fake Cash App accounts sending incoming requests that I noted earlier.

These unaffiliated Cash App giveaways appear to be a successful endeavor, as evidenced in the image above. So even if the Cash App scammers aren’t creating impersonation Twitter accounts, they have found it much easier to simply create an impersonation account through Cash App.

Outside of direct impersonations of the Cash App brand, its CEO and notable figures, I believe it is safe to assume the majority of Cash App scammers are using stolen images and video content to create fake personas.

Cash App Phishing

During my research, I also encountered attempts at phishing Cash App users. A user named @dropyourcashtag was riding the #CashAppFriday hashtag, DMing users about winning the giveaway, sending the payment along with a link to a website, saying “go on and receive it.”

Unlike most apps and services, Cash App does not ask for a password. Instead, it asks for an email address or phone number as the username, which triggers a request for a one-time use “login code,” also known as a one-time password (OTP). The code is delivered to the user’s email address or mobile phone, as seen in the image below.

Therefore, Cash App phishing websites will look different from a normal phishing website.

In the example above, the Cash App phishing website prefaces that the cashtag “$cash” (which isn’t affiliated with Cash App) has “initiated deposit of $1000 to your Cashapp.” 

The Cash App phishing website uses a valid Secure Sockets Layer (SSL) certificate obtained from Let’s Encrypt and asks for an email or mobile number. It is followed by a second screen, which asks the user to provide their OTP. Inputting an invalid OTP results in an error message, which implies there may be some type of verification happening to ensure the user provides their valid OTP. To safeguard my privacy during this research, I did not provide my OTP.

However, I did observe a Twitter user who proceeded to provide their information to one of these Cash App phishing websites and reached a fake webpage saying “Payment Failed.” The error message would likely trick the user into believing there was merely a technical problem in sending the so-called giveaway payment, rather than a scam.

I was able to identify at least two Cash App phishing links, both of which used the Bitly URL shortening service. Statistics from those two links showed they each received over 500 clicks, mostly from users in the United States with a few clicks from the United Kingdom, Nigeria, Philippines, Australia and Guatemala. While Cash App is available outside the United States, the giveaways for #SuperCashAppFriday and #CashAppFriday are limited to U.S. participants.

Tenable notified Cash App about our research findings prior to publication. A spokesperson for Cash App provided us with the following statement:

"We are aware of social media accounts that claim to be associated with Cash App. We have been working with Twitter and Instagram to deactivate all accounts that infringe our intellectual property rights (eg: use our name or logo without permission) or seek to take advantage of our customers.

As a reminder, the Cash App team will never ask customers to send them money, nor will they solicit a customer’s PIN or sign-in code outside of the app. Additionally, Cash App currently has only two official Twitter accounts, @cashapp and @cashsupport, both of which have blue, verified check marks. If you believe you have fallen victim to a scam, you should contact Cash App support through the app or website immediately." 

In part two of this series, I provide details on how Cash App scammers similarly operate on Instagram and explore how scammers are creating YouTube videos claiming to offer ways to earn free money through Cash App by downloading apps. Part two also includes tips and best practices to help users avoid falling for these schemes.
