Crypto scammers use fake job interviews to enable backdoor malware attacks

A sophisticated attack is targeting web3 professionals, tricking them into running malicious code on their systems during fake interviews as part of a lucrative offer from crypto scammers disguised as recruiters.

On Dec. 28, on-chain investigator Taylor Monahan flagged a new scheme being leveraged by bad actors who claim to be recruiters for prominent crypto firms to approach targets with lucrative job offers on platforms like LinkedIn, freelancing platforms, Telegram, etc.

Once the victim is interested, they are redirected to a video interviewing platform dubbed “Willo | Video Interviewing,” which isn’t malicious in itself but is designed to make the entire scheme look convincing to the victims.

As part of the process, victims are initially asked standard industry-related questions, such as their views on significant crypto trends over the next 12 months. These questions help build trust and make the interaction seem legitimate. 

However, the real attack unfolds during the final question, which requires recording it on video. When trying to set up the video recording process, victims encounter a technical issue with their microphone or camera.

This is when the real attack plays out, as the website presents malicious troubleshooting steps masked as a solution to the issue. 

According to Monahan, if a user follows the steps, which in some cases involve executing system-level commands depending on their operating systems, it grants attackers backdoor access to their devices.

“It allows them to do anything on your device. It’s not really general purpose stealer, it’s general purpose access. Ultimately they’ll rekt you via whatever means are required,” Monahan wrote.

This access could potentially allow malicious actors to bypass security measures, install malware, monitor activities, steal sensitive data, or drain cryptocurrency wallets without the victim’s knowledge, based on typical outcomes observed in similar attacks.

Monahan advised crypto users to avoid running unfamiliar code and recommended those who may have been exposed to such attacks wipe their devices entirely to prevent further compromise.

The attack deviates from the usual tactics seen in similar job recruitment scams. For instance, cybersecurity firm Cado Security Labs, earlier this month, uncovered a scheme involving a fake meeting application that injected malware, enabling attackers to drain cryptocurrency wallets and steal browser-stored credentials.

Similarly, last year, crypto.news reported an incident where scam recruiters targeted blockchain developers on Upwork, instructing them to download and debug malicious npm packages hosted on a GitHub repository. Once executed, these packages deployed scripts granting attackers remote access to victims’ devices.