A new and sophisticated scam targeting web3 professionals is exploiting fake job interviews to deploy backdoor malware, tricking victims into running malicious code on their devices. This scheme, flagged by on-chain investigator Taylor Monahan on December 28, involves scammers posing as recruiters for prominent crypto firms, offering lucrative job opportunities to crypto enthusiasts on platforms like LinkedIn, Telegram, and freelancing sites.
The Scam Unfolds on a Fake Video Interview Platform
The attackers lure their targets by presenting an enticing job offer and guiding them to a seemingly legitimate video interview platform called “Willo | Video Interviewing.” While this platform itself is not malicious, it serves as a convincing front to give the appearance of a professional interview process.
Once on the platform, the victims are asked standard industry-related questions, such as their views on emerging crypto trends over the next year. These questions are designed to build rapport and make the entire interaction appear credible and genuine. However, the real attack begins during the final step of the process.
The Trick: Fake Technical Issues and Malicious Troubleshooting
At the end of the interview, victims are prompted to record their response to the last question via video. However, when they attempt to start the recording, they encounter a fake technical issue with their microphone or camera. This is where the scam takes a darker turn.
To resolve the supposed technical problem, the platform presents the victim with malicious troubleshooting steps disguised as a fix. In some cases, these steps require the victim to execute system-level commands on their own device, and running them is what gives the attackers backdoor access to the system.
The Risks of Backdoor Access
Once the victim follows these steps, they unwittingly grant the attackers full control over their device. Monahan warns that this backdoor access lets the scammers do anything on the victim’s system, from installing malware and monitoring activity to stealing sensitive data and draining cryptocurrency wallets. In effect, the attackers have full access to the device, with potentially devastating consequences for the victim.
“It’s not just a general-purpose stealer; it’s general-purpose access,” Monahan wrote, emphasizing the severity of the breach. With this level of access, attackers could bypass security protocols, install malware undetected, and potentially cause significant financial harm.
What Victims Should Do
Monahan advises crypto users to be cautious about running unfamiliar code and recommends that anyone who suspects they’ve been exposed to this attack wipe their device completely to prevent further compromise. This attack differs from typical recruitment scams, in which scammers trick users into downloading malicious software: rather than relying on a download, the new tactic exploits the victim’s trust during the interview process to get them to run the commands themselves.
Similar Tactics in Previous Scams
This attack represents an evolution of previous scams targeting crypto professionals. For example, earlier this month, Cado Security Labs uncovered a similar scam that used a fake meeting app to inject malware. In this case, attackers gained access to cryptocurrency wallets and browser-stored credentials.
In 2023, another scam targeted blockchain developers on Upwork, where attackers posed as recruiters and instructed victims to download and debug malicious npm packages hosted on GitHub. Once the developers executed these packages, they unknowingly granted remote access to their devices.
Stay Vigilant and Protect Yourself
The rise of sophisticated scams like this underscores the need for crypto professionals to stay vigilant. Scammers are constantly refining their tactics to make their schemes more convincing and harder to detect.
For those in the crypto space, it’s critical to be cautious when interacting with unknown parties, running commands they supply, or downloading files from unfamiliar sources. Wiping a device you suspect has been compromised and keeping security software up to date are essential steps in protecting yourself from these types of cyberattacks.