A sophisticated attack targets Web3 professionals and tricks them into running malicious code on their systems during fake interviews, as part of a lucrative offer from crypto scammers disguised as recruiters.
On December 28, on-chain researcher Taylor Monahan flagged a new scheme in which bad actors posing as recruiters for prominent crypto companies approach targets with lucrative job offers on LinkedIn, freelance platforms, Telegram and similar channels.
Once the victim shows interest, they are redirected to a video interview platform called “Willo | Video Interviewing”, which is not malicious in itself but lends the whole scheme an air of legitimacy.
As part of the process, victims are initially asked standard industry-related questions, such as their thoughts on key crypto trends over the next twelve months. These questions help build trust and make the interaction seem legitimate.
The real attack comes with the final question, which must be answered on video. When the victim tries to set up the recording, they run into an apparent technical problem with their microphone or camera.
At that point the website presents malicious troubleshooting steps disguised as a fix for the problem.
According to Monahan, if a user follows the steps, which in some cases require executing system-level commands depending on their operating system, they give attackers backdoor access to their devices.
“It allows them to do anything on your device. It’s not really a general purpose stealer, it’s general purpose access. In the end, they will convince you in any way they can,” Monahan wrote.
Based on the outcomes typically seen in similar attacks, such access could let the attackers bypass security controls, install malware, monitor activity, steal sensitive data, or drain cryptocurrency wallets without the victim’s knowledge.
Monahan advised crypto users never to run unfamiliar code, and urged anyone who may have followed such steps to completely wipe their device to prevent further compromise.
The attack is a departure from the usual tactics seen in similar recruitment scams. For example, earlier this month cybersecurity firm Cado Security Labs discovered a scheme involving a fake meeting application that injected malware, allowing attackers to drain cryptocurrency wallets and steal browser-stored login credentials.
Similarly, crypto.news reported an incident last year in which scammers targeted blockchain developers on Upwork, directing them to download and debug malicious npm packages hosted in a GitHub repository. Once executed, these packages ran scripts that gave the attackers remote access to the victims’ devices.