Deepfake Controversy: Scammers Use Deepfakes of Virat Kohli, Anant Ambani to Fraud

CloudSEK’s latest research uncovers a troubling trend involving scammers using deepfake technology to promote fraudulent mobile applications. High-profile individuals, such as Virat Kohli, Anant Ambani, and even international figures like Cristiano Ronaldo and Ryan Reynolds, have been targeted through deepfake videos. These manipulated clips showcase them endorsing a mobile gaming app, luring unsuspecting users into scams. The fraudulent ads leverage the credibility of renowned news channels to enhance their legitimacy, fooling users into downloading harmful applications from fake domains resembling Google Play or Apple App Store. This emerging threat is particularly aimed at the Indian market but extends to other regions like Nigeria, Pakistan, and Southeast Asia. The deceptive gaming apps, designed to siphon money from users, require a minimum deposit, promising quick earnings but leading to significant financial losses. These scams exploit deepfake videos in creative ways to bypass detection, making them even more dangerous. To combat this growing threat, CloudSEK’s Deep Fake Analyzer offers a free solution for the cybersecurity community, helping professionals detect and mitigate the risks posed by manipulated videos, images, and audio. This tool is crucial in safeguarding organizations from deepfake-related scams and fraud. To access the CloudSEK Deep Fake Analyzer, visit https://community.cloudsek.com/

Gagan Aggarwal
October 4, 2024
Green Alert
Last Update posted on October 4, 2024

In a recent development, our team at CloudSEK has uncovered a noteworthy trend involving several high-net-worth individuals apparently endorsing a gaming application. This promotional effort features prominent figures from various sectors, including business magnates and sports icons. In India, we have identified renowned personalities such as Mukesh Ambani, the chairman of Reliance Industries; cricket superstar Virat Kohli; Anant Ambani; and Olympic medalist Neeraj Chopra, all seemingly lending their influence to this mobile gaming initiative.

On the international stage, the trend extends to globally recognized figures, including soccer legend Cristiano Ronaldo, popular content creator James Donaldson (better known as Mr. Beast), Ryan Reynolds (of Deadpool fame), and acclaimed Pakistani actress Hania Aamir. This surge in endorsements by high-profile individuals points to a deliberate marketing approach aimed at attracting diverse audiences to the gaming platform. As this phenomenon continues to evolve, it raises essential questions about the implications for both the gaming industry and consumer behavior, warranting a closer examination of the strategies employed and their potential impact on the market.

Mr. Beast for Africa promotions

Description: The video describes Aviator, an investment game where users can earn money by investing a small deposit. The video shows an airplane flying with a multiplier of 17, 50, or 150, and the user automatically gets money by investing 1,000 Kenyan shillings. The video encourages viewers to download the Aviator app and take advantage of the bonus.

Key Organisations: Google Play, Bank of Africa, BMCE Group, Visa.

Virat Kohli for South Asia promotions

Deadpool aka Ryan Reynolds Deep fake for Aviator app

Use of Prominent News Channels

The promotional videos often commence with a news anchor discussing the mobile application and its impact on individuals from various backgrounds, emphasizing how it has helped people improve their daily lives. These segments frequently feature trusted news channels such as Aaj Tak, Republic TV, Zee News, and ARY News, as well as selected Kenyan news outlets.

Shweta Singh presenting news about Virat Kohli’s Investments

Notable Indian news anchors like Shweta Singh from Aaj Tak, Arnab Goswami from Republic TV, and Sudheer Choudhary from Zee News lend their credibility to these promotions, enhancing the perceived legitimacy of the application. By leveraging the influence of established media figures, these marketing campaigns aim to resonate with a wider audience, tapping into the trust that viewers place in reputable news sources. This strategy not only amplifies the reach of the mobile application but also positions it as a valuable tool for improving everyday life.

Modus Operandi:

The campaign starts with the creation of multiple fake domains at least a week before the ads are published on Facebook and Instagram. They are mainly hosted on the [.]top, [.]fun and [.]world top-level domains. As per our research, 1k+ domains hosting the same web app are registered daily under the [.]top top-level domain (TLD); the origin country for these domains is Belize (Central America), and the ISP used specifically for the [.]top domains is IQWeb FZ-LLC.
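The registration pattern above (throwaway TLDs, registration days before the ads run, a Belize origin, IQWeb FZ-LLC hosting) is the kind of thing a defender can turn into a cheap triage rule over a newly-registered-domain feed. The following is an added example written for this page, not CloudSEK tooling: the WHOIS records, registration dates and the `LURE_KEYWORDS` list are constructed assumptions, and only the TLDs, the Belize origin and the ISP name come from the report.

```python
from dataclasses import dataclass
from datetime import date

# Infrastructure pattern reported for this campaign.
SUSPECT_TLDS = {"top", "fun", "world"}
SUSPECT_COUNTRIES = {"BZ"}                 # Belize
SUSPECT_ISPS = {"iqweb fz-llc"}
MAX_AGE_DAYS = 14                          # domains appear about a week before the ads go live
# Lure keywords seen in store look-alike labels (assumption, not from the report).
LURE_KEYWORDS = ("aviator", "avia", "lucky", "play", "google", "apple", "1win", "store")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as luckyavin[.]fun back into luckyavin.fun."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class WhoisRecord:
    domain: str        # may be given defanged
    registered: date
    country: str       # ISO 3166 alpha-2 registrant/origin country
    isp: str


def score_domain(rec: WhoisRecord, today: date) -> tuple[int, list[str]]:
    """Return (score, reasons); each matched indicator adds one point."""
    reasons: list[str] = []
    domain = refang(rec.domain).lower()
    label, _, tld = domain.rpartition(".")
    if tld in SUSPECT_TLDS:
        reasons.append(f"tld:.{tld}")
    age = (today - rec.registered).days
    if 0 <= age <= MAX_AGE_DAYS:
        reasons.append(f"age:{age}d")
    if rec.country.upper() in SUSPECT_COUNTRIES:
        reasons.append(f"country:{rec.country.upper()}")
    if rec.isp.lower() in SUSPECT_ISPS:
        reasons.append(f"isp:{rec.isp}")
    hits = [k for k in LURE_KEYWORDS if k in label]
    if hits:
        reasons.append("keyword:" + ",".join(hits))
    return len(reasons), reasons


def triage(records, today: date, threshold: int = 3):
    """Domains scoring at or above the threshold, highest score first."""
    flagged = []
    for rec in records:
        score, reasons = score_domain(rec, today)
        if score >= threshold:
            flagged.append((refang(rec.domain).lower(), score, reasons))
    return sorted(flagged, key=lambda item: -item[1])


# Constructed sample feed. The first two domain names are from the report;
# their registration dates here are illustrative, not observed values.
TODAY = date(2024, 9, 20)
SAMPLE_RECORDS = [
    WhoisRecord("luckyavin[.]fun", date(2024, 9, 15), "BZ", "IQWeb FZ-LLC"),
    WhoisRecord("aviatorpower[.]lol", date(2024, 9, 17), "BZ", "IQWeb FZ-LLC"),
    WhoisRecord("play-updates[.]top", date(2024, 9, 19), "PA", "Example Hosting"),  # constructed
    WhoisRecord("example-bakery[.]com", date(2019, 3, 1), "US", "Cloudflare, Inc."),  # benign control
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_RECORDS, TODAY):
        print(f"{score}  {domain:24s}  {' '.join(reasons)}")
```

Each indicator on its own is weak (plenty of legitimate sites live on [.]top), so the score only becomes useful at a threshold of several hits; the reasons list is kept so an analyst can see why a domain was flagged rather than just that it was.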

A domain recently identified: Luckyavin[.]fun

whois details

fake domain of Google PlayStore - luckyavin[.]fun

Google Play Store Phishing links

These domains are designed to look like the Google Play Store or the Apple App Store, often copying their layout and functionality. Some of the sites even incorporate the official Google or Apple logos to enhance their legitimacy. To further deceive users, they include hard-coded comments (reviews) and other data, making the websites appear more authentic to everyday consumers. Many users, particularly those who do not scrutinize the details closely, could easily be misled by these imitations. This tactic exploits the trust that individuals place in official app stores, ultimately aiming to lure unsuspecting users into downloading potentially harmful applications.

Google look-alike backlinked to Avatarsky[.]one

Google Playstore fake domain with icon - Aviatorpower[.]lol

Hard coded comments to make the site look legit

Apple Fake Domain

These domains are then backlinked in the ads, which look something like this.

Facebook Ad

In some cases, the link first verifies that the request originates from Facebook and only then redirects to the fake Google domain; otherwise nginx redirects the client to a simple website. This is most likely achieved using the ‘fbp’ string sent as a query parameter.
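This conditional redirect is classic cloaking: a security crawler or a moderator that opens the bare link sees the harmless site, while a real click from the ad (carrying `fbp`) is sent to the fake store. The added example below, written for this page rather than taken from CloudSEK, shows the check a defender's link scanner can make: request the ad link as published and again with the gate parameter stripped, and compare where the two requests land. The ad URL, the decoy and fake-store hostnames, and `simulated_fetch` (which stands in for the campaign's nginx behaviour so the code runs offline) are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None  # Location header when the server redirects
    body: str = ""                  # response body otherwise


Fetcher = Callable[[str], Response]  # performs one request, does not follow redirects

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}


def strip_param(url: str, name: str) -> str:
    """Return url with the named query parameter removed, others untouched."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def landing(url: str, fetch: Fetcher) -> str:
    """Where one request ends up: the Location target on a redirect,
    otherwise a digest of the body served, so two 200s can be compared."""
    resp = fetch(url)
    if resp.status in REDIRECT_STATUSES and resp.location:
        return resp.location
    return "body:sha256:" + hashlib.sha256(resp.body.encode()).hexdigest()[:16]


def probe_cloaking(ad_url: str, fetch: Fetcher, gate_param: str = "fbp") -> dict:
    """Request the ad link as published and with the gate parameter removed,
    and report whether the two requests are sent to different places."""
    with_param = landing(ad_url, fetch)
    without_param = landing(strip_param(ad_url, gate_param), fetch)
    host = (urlsplit(with_param).hostname or "").lower()
    return {
        "with_param": with_param,
        "without_param": without_param,
        "cloaked": with_param != without_param,
        "lands_on_official_store": host in OFFICIAL_STORE_HOSTS,
    }


# Constructed stand-in for the ad link's server, modelled on the behaviour the
# report describes: only requests carrying 'fbp' (the marker that a click came
# through Facebook) are sent to the fake store; anything else, including a
# scanner opening the bare URL, is redirected to a harmless decoy.
def simulated_fetch(url: str) -> Response:
    params = dict(parse_qsl(urlsplit(url).query))
    if "fbp" in params:
        # Placeholder for a fake Play Store host such as luckyavin[.]fun in the report.
        return Response(302, "https://fake-playstore.example/")
    return Response(302, "https://decoy-site.example/")  # constructed decoy site


AD_URL = "https://ad-link.example/go?campaign=aviator&fbp=fb.1.1700000000.123456"  # constructed

if __name__ == "__main__":
    print(probe_cloaking(AD_URL, simulated_fetch))
```

The point of comparing landings rather than just status codes is that a cloaked link and an honest link can both answer 302; what gives the cloaking away is that the destination changes when the Facebook-only parameter is removed. A scanner that always strips tracking parameters before fetching would see only the decoy and never the fake store.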

The Deep fake Ad Video:

The videos start with a deepfake of a news anchor discussing how the mobile gaming application has been helping individuals earn money, and how many people have come out of poverty after using it. This is followed by a second deepfake, this time altering the facial attributes of well-known individuals such as Virat Kohli, who has been heavily targeted in this campaign. Two cases have been observed:

  1. Individuals are seen promoting the application, claiming that they have been playing on the app and earning more than 50K daily.
  2. Individuals, especially Virat Kohli, Mukesh Ambani and Anant Ambani, are seen talking about how they have invested in this application to help other people.

In both scenarios, the aim is to attract more and more people to put money into the game.

Though the initial phase used full-length deepfake videos, a recent change in the trend is a deepfake clip that plays for only a few seconds, followed by a static image such as a clock, or a transcript written over the screen. This is most likely done to avoid detection by Meta.
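The "few seconds of deepfake, then a long static image" shape is itself a signal a platform or a brand-protection team can look for before any face analysis runs, because it is cheap to compute from frame-to-frame differences. The added example below is an illustration written for this page, not CloudSEK's detector: it treats a clip as a list of small grayscale frames, measures how long the near-static tail is, and flags clips with a short dynamic opening followed by a mostly static remainder. The clips are constructed (random-pixel "motion" frames and a still image with a ticking pixel standing in for a clock), and the thresholds are assumptions to be tuned on real ad inventory.

```python
import random

Frame = list[int]  # one grayscale frame, pixel values 0..255 in row-major order


def frame_delta(a: Frame, b: Frame) -> float:
    """Mean absolute per-pixel difference between two consecutive frames."""
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a)


def static_tail_seconds(frames: list[Frame], fps: int, threshold: float = 1.0) -> float:
    """Length of the near-static run at the end of the clip. A frame counts as
    static when it differs from its predecessor by less than `threshold` on
    average, so a ticking clock or a caption overlay still reads as static."""
    static_frames = 0
    for i in range(len(frames) - 1, 0, -1):
        if frame_delta(frames[i - 1], frames[i]) < threshold:
            static_frames += 1
        else:
            break
    if static_frames:
        static_frames += 1  # include the frame that started the run
    return static_frames / fps


def classify_ad_video(frames: list[Frame], fps: int,
                      min_active_s: float = 2.0, min_static_ratio: float = 0.5) -> dict:
    """Flag the 'short deepfake, then long static image' pattern: a dynamic
    opening of at least min_active_s followed by a static tail that makes up
    at least min_static_ratio of the whole clip. Both thresholds are assumptions."""
    duration = len(frames) / fps
    tail = static_tail_seconds(frames, fps)
    active = duration - tail
    flagged = duration > 0 and active >= min_active_s and tail / duration >= min_static_ratio
    return {"duration_s": duration, "static_tail_s": tail, "flag": flagged}


# Constructed sample clips (8x8 grayscale, 10 fps). No real video is used.
FPS = 10
PIXELS = 64
rng = random.Random(7)


def moving_frames(n: int) -> list[Frame]:
    """Frames with substantial motion: every pixel is redrawn each frame."""
    return [[rng.randint(0, 255) for _ in range(PIXELS)] for _ in range(n)]


def clock_frames(n: int) -> list[Frame]:
    """A still image in which one pixel toggles, like a clock hand ticking."""
    base = [rng.randint(0, 255) for _ in range(PIXELS)]
    frames = []
    for i in range(n):
        f = list(base)
        f[0] = 100 + (i % 2) * 20   # 20/64 mean change per frame, well under the threshold
        frames.append(f)
    return frames


SCAM_LIKE = moving_frames(30) + clock_frames(120)   # 3 s of deepfake, then 12 s of a clock
NORMAL_AD = moving_frames(150)                      # 15 s of ordinary footage
STILL_IMAGE = clock_frames(150)                     # a plain image ad: not this pattern

if __name__ == "__main__":
    for name, clip in (("scam-like", SCAM_LIKE), ("normal", NORMAL_AD), ("still", STILL_IMAGE)):
        print(name, classify_ad_video(clip, FPS))
```

In a real pipeline the frames would come from a decoder (downscaled, grayscale) rather than from lists, and this shape check would gate the more expensive face-manipulation analysis onto the few seconds that actually contain a face; a plain still-image ad is deliberately not flagged, since the pattern of interest is the dynamic opening followed by the static tail.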

Coverage:

The mobile application, which was initially designed to cater to the European Union (EU) population, has undergone a strategic shift in its marketing approach. As of early September, the focus has expanded significantly to target the Indian population, reflecting a keen interest in tapping into the diverse and rapidly growing user base in India. This shift also encompasses outreach efforts to several other regions, including Nigeria, Pakistan, Bangladesh, Saudi Arabia, and various countries in Southeast Asia. 

Despite this broadening of target demographics, it is noteworthy that no instances of deepfake technology have been identified in connection with the promotional efforts aimed at the EU region. This absence raises interesting questions about the marketing strategies employed in different areas and suggests that the use of deepfakes may be more prevalent or accepted in other markets. As the application continues to expand its reach, monitoring these developments will be crucial for understanding the implications of such marketing tactics on user engagement and trust across different cultures and regions.

 

The Application:

On the fake Play Store, if a visitor tries to install the game, a pop-up window appears asking them to install the app.

What is actually installed is a proxy_chrome executable, which, via another [.]top domain, launches a supposed ‘1win’ login.

Proxy_chrome.exe installed on the victim machine for scam, accessed through fake domain

UI showing 2500+ people playing the game in real time

The reach of the application is plainly visible above: at any given time, around 2.5K individuals are shown playing the game.

The catch is that a minimum top-up of Rs. 300 is required to play, so even someone who just wants to try their luck once has to pay Rs. 300, earning the scammers a base amount every time. Depending on the country, payment methods such as UPI, AstroPay, VISA and MASTERCARD, as well as cryptocurrencies such as BTC, Ether and USDT, are also available. This is what makes the scam a greater threat: there is no limit on the ways it can collect money.

payment options for India

While we dug into the application and went through the live comments being shared, it soon became clear that, similar to pig-butchering scams, players are given initial profits on the small hands they play, which is followed by heavy investments by these players leading to huge losses. Multiple players can be seen in the comments demanding a valid support number, as the numbers available on the site were not responding to any queries.

Conclusion:

In conclusion, the emergence of deepfake technology has posed significant risks, particularly through the proliferation of fake gaming applications. These deceptive apps often leverage deepfake techniques to create convincing avatars or content that can mislead users. Targeting vulnerable populations, they exploit trust in gaming culture and the desire for social interaction. The consequences can be severe, including identity theft, harassment, and the manipulation of personal data for malicious purposes. As these threats evolve, it is crucial for stakeholders (governments, tech companies, and communities) to implement robust digital literacy programs, enhance cybersecurity measures, and promote awareness of the dangers associated with deepfakes. By fostering a more informed and vigilant user base, we can mitigate the risks posed by these malicious technologies and protect individuals from exploitation.

CloudSEK has launched the Deep Fake Analyzer, a free tool designed for the cybersecurity community. It identifies manipulated videos, images, and audio, helping professionals safeguard their organizations from deepfake threats. To know more: https://community.cloudsek.com/
