On August 21, a pump and dump penny stock scam targeting US users, and spread using WhatsApp, drove the share price of Avra Inc, a digital currency company, by 640% from its opening price of $0.17 to its peak of $1.26. What is unique about this scam is its use of WhatsApp to spread the threat, essentially using mobile applications to resurrect schemes that are dying out on email.
This scam started with variants of the following message being sent to WhatsApp users:
The message was recommending a buy of the stock for Avra Inc., which trades on OTCMKTS under AVRN. Avra specializes in solutions for the digital currency markets (Bitcoin), with several different areas of focus. However according to their latest 10-Q filing at the OTC – they are a company whose financials are exceptionally weak, who have never made any revenue and with total assets of just over $26k. In fact, Avra has previously identified as a stock that was promoted heavily in the past, with warnings not to buy.
The scam broken out by time and profit
If we break down the share trading activity for August 21, we can see definite signs of when the pump and the dump occur. The OTC opens at 9.30am EST, but no activity occurs until 10:03 when some small trading begins. The stock rapidly increased in the morning, reaching a peak around 11:03. Around this period there is some trading that causes a slight drop, and then the price finally crashed. It is supposed that in this period the fraudsters dump their stock, gaining the maximum value. Everything after this point are trades which cause little change in aggregate to the stock price, even though the volume is much larger. This activity in the later stage of the day is more likely to be those who received the message either buying or selling the stock, and market speculators attempting to trade on the volatility which has essentially ceased.
Altogether, the total value that changed hand in this one day (volume x average share price for that minute) was $1.713 million dollars, with the period of the large price increase & decrease (from 10:40 to 11:25) accounting for $636k, and the spike alone on the 11:03 responsible for around $93k. In can be considered that this is probably a good initial ball-park figure for the amount received by the fraudsters.
From Russia with Love
The attack seems to have been begun with messages being sent in the early hours/morning of Friday the 21st , to US WhatsApp users. The scam used the tactic of adding a user to a WhatsApp group and sending him the message, before removing him from the group, while the name of the group itself is modified.
Previously we saw Whatsapp spam originating from China, India and US OTT numbers. This attack was different in that it originated from Russian mobile numbers (+79). WhatsApp spam from Russian sources have not been a major feature up to now, other than some adult type spam messages, so it seems likely for this attack that the fraudsters decided to work with the same Russian WhatsApp spam sending group or a group very like it, as the same method of adding a number at the start and end of the message is identical- here highlighted with a red box.
Old scams, new stock & technology, same old result?
Ultimately, as we predicted at the start of the year, WhatsApp is going to receive more and more of these type of attacks. They have already taken some action by allowing users to report spam that they received within groups, but this seemingly did not prevent this attack occurring, and with the money earned by these fraudsters, there is every reason to assume that they will try again.
In fact it will be interesting to see if there is another pump-and-dump attacks in the next few weeks, as some of the ‘friends’ in the various messages reported. While various commentators on social media say that they will move from WhatsApp to other messaging apps, this ignores the point that the same thing may eventually arise there. These attack types are not new, only the medium on which they are being sent, therefore all messaging app companies should try to prepare in advance for these type of attacks, and use the expertise and experiences of the wider messaging security industry.