Deep Fake Monitoing
Scam
Threat Intelligence
6
mins read

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Gagan Aggarwal
October 4, 2024
Green Alert
Last Update posted on
October 4, 2024

Schedule a Demo
Table of Contents
Author(s)
No items found.

In a recent development, our team at Cloudsek has uncovered a noteworthy trend involving several high-net-worth individuals endorsing a gaming application. This promotional effort features prominent figures from various sectors, including business magnates and sports icons. In India, we have identified renowned personalities such as Mukesh Ambani, the chairman of Reliance Industries; cricket superstar Virat Kohli; Anant Ambani; and Olympic medalist Neeraj Chopra, all lending their influence to this mobile gaming initiative.

On the international stage, the trend extends to globally recognized figures, including soccer legend Cristiano Ronaldo, popular content creator James Donaldson—better known as Mr. Beast, Deadpool aka Ryan Reynolds, and acclaimed Pakistani actress Hania Aamir. This surge in endorsements by high-profile individuals highlights a strategic marketing approach aimed at attracting diverse audiences to the gaming platform. As this phenomenon continues to evolve, it raises essential questions about the implications for both the gaming industry and consumer behavior, warranting a closer examination of the strategies employed and the potential impacts on the market.

Mr. Beast for Africa promotions

Description: The video describes Aviator, an investment game where users can earn money by investing a small deposit. The video shows an airplane flying with a multiplier of 17, 50, or 150, and the user automatically gets money by investing 1,000 Kenyan shillings. The video encourages viewers to download the Aviator app and take advantage of the bonus.

Key Organisations: Google Play, Bank of Africa, BMCE Group, Visa.

Virat Kohli for South Asia promotions

Deadpool aka Ryan Reynolds Deep fake for Aviator app

Use of Prominent News Channels

The promotional videos often commence with a news anchor discussing the mobile application and its impact on individuals from various backgrounds, emphasizing how it has helped people improve their daily lives. These segments frequently feature trusted news channels such as Aaj Tak, Republic TV, Zee News, and ARY News, as well as selected Kenyan news outlets.

Shweta Singh presenting news about Virat Kohli’s Investments

Notable Indian news anchors like Shweta Singh from Aaj Tak, Arnab Goswami from Republic TV, and Sudheer Choudhary from Zee News lend their credibility to these promotions, enhancing the perceived legitimacy of the application. By leveraging the influence of established media figures, these marketing campaigns aim to resonate with a wider audience, tapping into the trust that viewers place in reputable news sources. This strategy not only amplifies the reach of the mobile application but also positions it as a valuable tool for improving everyday life.

Modus Operandi:

This Campaign starts with creating multiple fake domains, at least a week before the Ads are published on Facebook and Instagram. Mainly hosted on [.]top, [.]fun, [.]world top-level domains. As per our research, daily their 1k+ domains with the same web app hosted on them are registered for [.]top Top-Level-Domain (TLD), Origin Country for these domains - Belize (Central America)  and the ISP used specifically for[.]top domains is  IQWeb FZ-LLC.

A domain recently identified: Luckyavin[.]fun

whois details

fake domain of Google PlayStore - luckyavin[.]fun

Google Play Store Phishing links

These domains are designed to resemble Google Play Store or Apple App Store look-alikes, often featuring similar layouts and functionalities. Some of these sites even incorporate the official Google or Apple logos to enhance their legitimacy. To further deceive users, they include hard-coded comments and other data, making the websites appear more authentic to everyday consumers. Many users, particularly those who may not scrutinize the details closely, could easily be misled by these imitations. This tactic exploits the trust that individuals place in official app stores, ultimately aiming to lure unsuspecting users into downloading potentially harmful applications.

Google look-alike backlinked to Avatarsky[.]one

Google Playstore fake domain with icon - Aviatorpower[.]lol

Hard coded comments to make the site look legit

Apple Fake Domain

These domains are then back linked into the ads looking something like this.

Facebook Ad

In some cases, the link verifies the request to be originating from facebook, only then it redirects to a Google fake domain, otherwise nginx redirects the client to a simple website. This is most likely achieved using the ‘fbp’ string sent as a query parameter. 

The Deep fake Ad Video:

The videos start with a deepfake of the news anchor discussing how the mobile gaming application has been helping individuals to earn money, and how many people have come out of poverty after using the gaming application. This is followed by another deepfake now altering facial attributes for branded individuals like Virat Kohli, who has been highly targeted in this campaign. Here, two cases have been observed:

  1. Individuals have been seen promoting the application, claiming how they have been playing on the app and earning more than 50K daily.
  2. Individuals, especially Virat Kohli, Mukesh Ambani and Anant Ambani are seen talking about how they have invested in this application to help other people.

In both the scenarios, the aim has been to attract more and more people to put money into the game. 

Though the initial phase sees deepfake videos, recent change in trend includes deepfake video, processing for a few seconds, followed by a static image such as a clock, or transcript written over the screen. This is most likely to avoid detections from Meta. 

Coverage:

The mobile application, which was initially designed to cater to the European Union (EU) population, has undergone a strategic shift in its marketing approach. As of early September, the focus has expanded significantly to target the Indian population, reflecting a keen interest in tapping into the diverse and rapidly growing user base in India. This shift also encompasses outreach efforts to several other regions, including Nigeria, Pakistan, Bangladesh, Saudi Arabia, and various countries in Southeast Asia. 

Despite this broadening of target demographics, it is noteworthy that no instances of deepfake technology have been identified in connection with the promotional efforts aimed at the EU region. This absence raises interesting questions about the marketing strategies employed in different areas and suggests that the use of deepfakes may be more prevalent or accepted in other markets. As the application continues to expand its reach, monitoring these developments will be crucial for understanding the implications of such marketing tactics on user engagement and trust across different cultures and regions.

 

The Application:

From the fake playstore, if a visitor tries to install the game, a pop-up window appears requesting to install the app. 

The installation in fact is a proxy_chrome that is installed, which through another [.]top domain launches a supposed ‘1win’ login.

Proxy_chrome.exe installed on the victim machine for scam, accessed through fake domain

UI showing 2500+ people playing the game in real time

The reach of the application is easily visible as seen above, that at a given time, 2.5K individuals are seen playing the game.

The catch is that to play the game a minimum top-up of Rs. 300 is required, so anyone who just wants to try their luck once also needs to pay Rs. 300, making scammers some base amount every time. Based on different countries, payment methods like UPI, AstroPay, VISA, MASTERCARD, and Crypto currencies like BTC, Ether, USDT are also available. This is what makes the scam a greater threat as there is no limitation to methods of scam.

payment options for India

While we deep dived into the application, and went through the live comments being shared, pretty soon it was clear that similar to pig butchering scams, the players are given initial profits on small hands they play, which is followed by heavy investments by these players leading to huge losses. Multiple players are seen in the comments demanding a valid Support number as the numbers available on the site were not responding to any queries. 

Conclusion:

In conclusion, the emergence of deepfake technology has posed significant risks particularly through the proliferation of fake gaming applications. These deceptive apps often leverage deepfake techniques to create convincing avatars or content that can mislead users. Targeting vulnerable populations, they exploit trust in gaming culture and the desire for social interaction. The consequences can be severe, including identity theft, harassment, and the manipulation of personal data for malicious purposes. As these threats evolve, it is crucial for stakeholders—governments, tech companies, and communities—to implement robust digital literacy programs, enhance cybersecurity measures, and promote awareness of the dangers associated with deep fakes. By fostering a more informed and vigilant user base, we can mitigate the risks posed by these malicious technologies and protect individuals from exploitation.

CloudSEK has launched a Deep Fake Analyzer Tool, that is a free tool designed for the cybersecurity community. It identifies manipulated videos, images, and audio, helping professionals safeguard their organizations from deepfake threats. To know more: https://community.cloudsek.com/

Author

Gagan Aggarwal

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Adversary Intelligence
June 26, 2024

Cybersecurity Threat Advisory: Recent Attacks Targeting Indian BFSI Sector

This advisory highlights recent attacks on Indian banks, focusing on two primary attack vectors: geopolitical tensions and credential stealers/social media account takeovers.

Blog Image
Adversary Intelligence
March 5, 2024

Shadow Banking in Your Pocket: Exposing Android App Used by Money Mules

CloudSEK's Threat Intelligence (TI) team continued its investigation and has uncovered a network of money mules, posing a significant risk to the Indian banking ecosystem.

Blog Image
Ransomware
November 4, 2023

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Deep Fake Monitoing
Scam
Threat Intelligence

6

min read

Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Authors
Gagan Aggarwal
Co-Authors
No items found.

In a recent development, our team at Cloudsek has uncovered a noteworthy trend involving several high-net-worth individuals endorsing a gaming application. This promotional effort features prominent figures from various sectors, including business magnates and sports icons. In India, we have identified renowned personalities such as Mukesh Ambani, the chairman of Reliance Industries; cricket superstar Virat Kohli; Anant Ambani; and Olympic medalist Neeraj Chopra, all lending their influence to this mobile gaming initiative.

On the international stage, the trend extends to globally recognized figures, including soccer legend Cristiano Ronaldo, popular content creator James Donaldson—better known as Mr. Beast, Deadpool aka Ryan Reynolds, and acclaimed Pakistani actress Hania Aamir. This surge in endorsements by high-profile individuals highlights a strategic marketing approach aimed at attracting diverse audiences to the gaming platform. As this phenomenon continues to evolve, it raises essential questions about the implications for both the gaming industry and consumer behavior, warranting a closer examination of the strategies employed and the potential impacts on the market.

Mr. Beast for Africa promotions

Description: The video describes Aviator, an investment game where users can earn money by investing a small deposit. The video shows an airplane flying with a multiplier of 17, 50, or 150, and the user automatically gets money by investing 1,000 Kenyan shillings. The video encourages viewers to download the Aviator app and take advantage of the bonus.

Key Organisations: Google Play, Bank of Africa, BMCE Group, Visa.

Virat Kohli for South Asia promotions

Deadpool aka Ryan Reynolds Deep fake for Aviator app

Use of Prominent News Channels

The promotional videos often commence with a news anchor discussing the mobile application and its impact on individuals from various backgrounds, emphasizing how it has helped people improve their daily lives. These segments frequently feature trusted news channels such as Aaj Tak, Republic TV, Zee News, and ARY News, as well as selected Kenyan news outlets.

Shweta Singh presenting news about Virat Kohli’s Investments

Notable Indian news anchors like Shweta Singh from Aaj Tak, Arnab Goswami from Republic TV, and Sudheer Choudhary from Zee News lend their credibility to these promotions, enhancing the perceived legitimacy of the application. By leveraging the influence of established media figures, these marketing campaigns aim to resonate with a wider audience, tapping into the trust that viewers place in reputable news sources. This strategy not only amplifies the reach of the mobile application but also positions it as a valuable tool for improving everyday life.

Modus Operandi:

This Campaign starts with creating multiple fake domains, at least a week before the Ads are published on Facebook and Instagram. Mainly hosted on [.]top, [.]fun, [.]world top-level domains. As per our research, daily their 1k+ domains with the same web app hosted on them are registered for [.]top Top-Level-Domain (TLD), Origin Country for these domains - Belize (Central America)  and the ISP used specifically for[.]top domains is  IQWeb FZ-LLC.

A domain recently identified: Luckyavin[.]fun

whois details

fake domain of Google PlayStore - luckyavin[.]fun

Google Play Store Phishing links

These domains are designed to resemble Google Play Store or Apple App Store look-alikes, often featuring similar layouts and functionalities. Some of these sites even incorporate the official Google or Apple logos to enhance their legitimacy. To further deceive users, they include hard-coded comments and other data, making the websites appear more authentic to everyday consumers. Many users, particularly those who may not scrutinize the details closely, could easily be misled by these imitations. This tactic exploits the trust that individuals place in official app stores, ultimately aiming to lure unsuspecting users into downloading potentially harmful applications.

Google look-alike backlinked to Avatarsky[.]one

Google Playstore fake domain with icon - Aviatorpower[.]lol

Hard coded comments to make the site look legit

Apple Fake Domain

These domains are then back linked into the ads looking something like this.

Facebook Ad

In some cases, the link verifies the request to be originating from facebook, only then it redirects to a Google fake domain, otherwise nginx redirects the client to a simple website. This is most likely achieved using the ‘fbp’ string sent as a query parameter. 

The Deep fake Ad Video:

The videos start with a deepfake of the news anchor discussing how the mobile gaming application has been helping individuals to earn money, and how many people have come out of poverty after using the gaming application. This is followed by another deepfake now altering facial attributes for branded individuals like Virat Kohli, who has been highly targeted in this campaign. Here, two cases have been observed:

  1. Individuals have been seen promoting the application, claiming how they have been playing on the app and earning more than 50K daily.
  2. Individuals, especially Virat Kohli, Mukesh Ambani and Anant Ambani are seen talking about how they have invested in this application to help other people.

In both the scenarios, the aim has been to attract more and more people to put money into the game. 

Though the initial phase sees deepfake videos, recent change in trend includes deepfake video, processing for a few seconds, followed by a static image such as a clock, or transcript written over the screen. This is most likely to avoid detections from Meta. 

Coverage:

The mobile application, which was initially designed to cater to the European Union (EU) population, has undergone a strategic shift in its marketing approach. As of early September, the focus has expanded significantly to target the Indian population, reflecting a keen interest in tapping into the diverse and rapidly growing user base in India. This shift also encompasses outreach efforts to several other regions, including Nigeria, Pakistan, Bangladesh, Saudi Arabia, and various countries in Southeast Asia. 

Despite this broadening of target demographics, it is noteworthy that no instances of deepfake technology have been identified in connection with the promotional efforts aimed at the EU region. This absence raises interesting questions about the marketing strategies employed in different areas and suggests that the use of deepfakes may be more prevalent or accepted in other markets. As the application continues to expand its reach, monitoring these developments will be crucial for understanding the implications of such marketing tactics on user engagement and trust across different cultures and regions.

 

The Application:

From the fake playstore, if a visitor tries to install the game, a pop-up window appears requesting to install the app. 

The installation in fact is a proxy_chrome that is installed, which through another [.]top domain launches a supposed ‘1win’ login.

Proxy_chrome.exe installed on the victim machine for scam, accessed through fake domain

UI showing 2500+ people playing the game in real time

The reach of the application is easily visible as seen above, that at a given time, 2.5K individuals are seen playing the game.

The catch is that to play the game a minimum top-up of Rs. 300 is required, so anyone who just wants to try their luck once also needs to pay Rs. 300, making scammers some base amount every time. Based on different countries, payment methods like UPI, AstroPay, VISA, MASTERCARD, and Crypto currencies like BTC, Ether, USDT are also available. This is what makes the scam a greater threat as there is no limitation to methods of scam.

payment options for India

While we deep dived into the application, and went through the live comments being shared, pretty soon it was clear that similar to pig butchering scams, the players are given initial profits on small hands they play, which is followed by heavy investments by these players leading to huge losses. Multiple players are seen in the comments demanding a valid Support number as the numbers available on the site were not responding to any queries. 

Conclusion:

In conclusion, the emergence of deepfake technology has posed significant risks particularly through the proliferation of fake gaming applications. These deceptive apps often leverage deepfake techniques to create convincing avatars or content that can mislead users. Targeting vulnerable populations, they exploit trust in gaming culture and the desire for social interaction. The consequences can be severe, including identity theft, harassment, and the manipulation of personal data for malicious purposes. As these threats evolve, it is crucial for stakeholders—governments, tech companies, and communities—to implement robust digital literacy programs, enhance cybersecurity measures, and promote awareness of the dangers associated with deep fakes. By fostering a more informed and vigilant user base, we can mitigate the risks posed by these malicious technologies and protect individuals from exploitation.

CloudSEK has launched a Deep Fake Analyzer Tool, that is a free tool designed for the cybersecurity community. It identifies manipulated videos, images, and audio, helping professionals safeguard their organizations from deepfake threats. To know more: https://community.cloudsek.com/