Crypto scammers use fake job interviews to enable backdoor malware attacks



A sophisticated attack targets Web3 professionals, tricking them into running malicious code on their systems during fake interviews, in a lucrative scheme run by crypto scammers disguised as recruiters.

On December 28, on-chain investigator Taylor Monahan reported a new scheme in which bad actors pose as recruiters for prominent crypto companies and approach targets with lucrative job offers on platforms like LinkedIn, freelance platforms, Telegram, etc.

Once the victim is interested, they are redirected to a video interview platform called “Willo | Video Interviewing,” which is not malicious in itself but is used to make the entire scheme appear convincing to victims.

As part of the process, victims are first asked standard industry-related questions, such as their views on important crypto trends over the next 12 months. These questions help build trust and make the interaction seem legitimate.

However, the real attack comes with the final question, which must be answered in a video recording. When trying to set up the video recording, victims encounter a technical problem with their microphone or camera.

This is when the real attack happens, as the website presents malicious troubleshooting steps disguised as a solution to the problem.

According to Monahan, if a user follows the steps, which in some cases involve running system-level commands specific to their operating system, attackers gain backdoor access to their device.

A troubleshooting guide presented to victims to resolve a supposed technical problem | Source: Taylor Monahan on X

“This allows them to do anything on your device. It’s not really a general purpose thief, it’s a general purpose access. Ultimately, they will respond to you by any means necessary,” Monahan wrote.

This access could potentially allow malicious actors to bypass security measures, install malware, monitor activities, steal sensitive data, or empty cryptocurrency wallets without the victim’s knowledge, based on typical outcomes seen in similar attacks.

Monahan advised crypto users to avoid running unknown code and recommended that those who may have been exposed to such attacks wipe their devices entirely to avoid further compromise.

The attack departs from the usual tactics seen in similar recruitment scams. For example, cybersecurity company Cado Security Labs, earlier this month, discovered a scheme involving a fake meeting app that injected malware, allowing attackers to drain cryptocurrency wallets and steal credentials stored in the browser.

Likewise, last year, crypto.news reported an incident in which fraudulent recruiters targeted blockchain developers on Upwork, asking them to download and debug malicious npm packages hosted on a GitHub repository. Once executed, these packages deployed scripts allowing attackers to remotely access victims’ devices.
