Short and Distort Schemes Becoming More Mainstream
Whether it’s “short and distort” or “pump and dump” schemes, these types of misinformation crimes happen more than people understand, and they are typically very organized.
In December 2022, the SEC announced charges against eight individuals in a securities fraud scheme in which they used the social media platforms Twitter and Discord to manipulate exchange-traded stocks and pump up their prices.
The seven defendants were accused of buying stocks and promoting them to their followers. They allegedly encouraged their followers to buy these stocks by sharing price targets or revealing that they were investing in them.
Individuals would sell their shares when share prices or trading volumes rose, without disclosing their plans to dump the securities while promoting them.
Pump and Dump Schemes Regularly Use Social Media
The defendants manipulated novice investors via social media, causing approximately $100 million in fraudulent profits. Daniel Knight (Twitter Handle @DipDeity), of Texas, is charged with aiding and abetting the scheme by co-hosting a podcast. On the podcast, the other defendants posed as expert traders and misled people.
Nisos operators also handled a case where the perpetrators collected real ground and aerial footage of the client’s facilities. In the perpetrators’ attempts to defame the client, they also created significant safety concerns for employees.
After the culprits had captured the footage, they claimed to know the client’s production plan, and spread false information on social media and through blogs that the client was missing important manufacturing deadlines.
Detecting Short and Distort Schemes
These scams are no different than other misinformation or disinformation campaigns.
Short and distort schemes often rely on fake social media personas, mis-attributable infrastructure to host websites and cryptocurrency, extensive false narratives, and, most importantly, outlets for mass propagation and consumption, which typically include social media platforms.
Regardless of sophistication level, fraudsters will attempt to take steps to hide their true point of presence on the internet. To successfully execute, however, they will likely repeat this process dozens or more times to prepare for, carry out, and profit from an attack, which leads to opportunities to make mistakes:
- Forgetting to enable private registration when procuring domains to support an attack.
- Failing to properly encrypt their traffic.
- Forgetting to properly enable a VPN or proxy prior to connecting to their command and control infrastructure.
- Failing to remove PII from exchangeable image file format (EXIF) data before posting pictures of their crimes to third-party file-sharing sites or Pastebin websites.
Securely obtaining infrastructure is both hard and expensive. For most fraudsters that are financially motivated, if they can re-use elements of their infrastructure, they can increase their profits. Even short and distort scammers make mistakes. For defenders, finding these overlaps is a key element not only for attribution, but for threat prevention.
- Re-using certificates across attacks.
- Repeating specific language or other stylometric indicators between persona accounts and true-name accounts.
- Deploying the same content across different spearphish attacks or disinformation websites.
- Re-using imagery across various attacks or disinformation campaigns.
- Recycling usernames and email addresses to register malicious domains.
- Recycling usernames and email addresses to subscribe to third-party file servers or virtual private servers.
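The following added example, which is not from the original article, shows how a defender can turn the overlaps listed above into clusters: domains that share a certificate fingerprint, registrant email or image hash are linked, directly or transitively. The record layout, field names and sample values are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records (not real indicators); field names are hypothetical.
OBSERVATIONS = [
    {"domain": "stock-truth.example", "cert_sha256": "aa11", "registrant": "jdoe77@mail.example", "image_hash": "p1"},
    {"domain": "factory-leaks.example", "cert_sha256": "aa11", "registrant": None, "image_hash": "p2"},
    {"domain": "missed-deadlines.example", "cert_sha256": "bb22", "registrant": None, "image_hash": "p2"},
    {"domain": "unrelated-blog.example", "cert_sha256": "cc33", "registrant": "other@mail.example", "image_hash": "p9"},
    {"domain": "short-report.example", "cert_sha256": "dd44", "registrant": "JDoe77@mail.example ", "image_hash": None},
]

PIVOT_FIELDS = ("cert_sha256", "registrant", "image_hash")

def normalize(value):
    """Lower-case and trim so trivially varied re-use still matches."""
    return value.strip().lower() if value else None

def cluster_by_overlap(observations, fields=PIVOT_FIELDS):
    """Group domains that share any pivot value, directly or transitively."""
    parent = {o["domain"]: o["domain"] for o in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}            # (field, value) -> first domain carrying it
    shared = defaultdict(set)  # (field, value) -> every domain carrying it
    for o in observations:
        for f in fields:
            v = normalize(o.get(f))
            if v is None:
                continue  # a missing artifact is not evidence of a link
            key = (f, v)
            shared[key].add(o["domain"])
            if key in first_seen:
                parent[find(o["domain"])] = find(first_seen[key])
            else:
                first_seen[key] = o["domain"]

    clusters = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    links = {k: sorted(v) for k, v in shared.items() if len(v) > 1}
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c)), links

if __name__ == "__main__":
    print(cluster_by_overlap(OBSERVATIONS))
```

The second return value records which shared artifact justifies each link, so an analyst can weigh the evidence behind a cluster before treating it as attribution.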
Ultimately behind every attack is a human, and many threat actors have big egos. In addition to needing to monetize their operations by disseminating disinformation, some actors like the thrill of a victory but make mistakes that show their hand. In instances when ego has taken over, fraudsters feel like they have already won and can be caught because their guard is down.
- Posting online to promote themselves and their attacks using photographs that include PII or identifiable geographic landmarks in the background.
- Engaging directly with a victim, getting drawn into a boastful “blackhat” or “greyhat” conversation, and revealing specific TTPs to “prove” they conducted the attack.
- Interacting with peers in online forums to show off their skills, giving away TTPs in the process.
- Failing to use the same security protocols to talk about their attacks online as they did when they actually carried out the attacks.
Before investing, make sure to be aware of all the options, do your stock research, and have an investment strategy in place. Pay particular attention to penny stocks, as they can often be subject to short and distort schemes.