
Image by Chris Montgomery, from Unsplash
Crypto-Stealing Malware Spread Through Fake Job Offers
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Crypto hackers have reportedly developed a clever method to deceive victims into downloading harmful malware that can give them access to the victim’s computer, allowing them to drain wallets or cause other serious damage.
In a Rush? Here are the Quick Facts!
- Crypto hackers use fake job offers to distribute malware that drains wallets.
- Victims are targeted through LinkedIn, freelancer sites, Telegram, and Discord.
- Malware is activated via a fake video interview link and camera access request.
The warning, first issued by Taylor “Tay” Monahan, a security expert and researcher from MetaMask—the most popular Ethereum (ETH) wallet—reveals a growing trend in cybercrime, as reported by Cybernews.
🚨 Heads up all—some dudes have a slick, new way of dropping some nasty malware. Feels infostealer-y on the surface but…its not.🫠 It’ll really, deeply rekt you. Pls share this w/ your friends, devs, and multisig signers. Everyone needs to be careful + stay skeptical. 🙏 pic.twitter.com/KRRWGL3GDo — Tay 💖 (@tayvano_) December 28, 2024
Monahan explained that the scam begins when a fake recruiter contacts potential victims with enticing job offers. These recruiters claim to represent companies like Kraken, MEXC, Gemini, or Meta, targeting even those not actively job hunting, according to Cybernews.
The malicious messages are mainly spread via LinkedIn but are also circulating through freelancer and job websites, as well as messaging apps like Telegram and Discord.
“Eventually, after some back-and-forth, they’ll drop a link to continue the process. The site – ‘Willo | Video Interviewing’ – is clean. It feels like something a crypto co/startup would use,” Monahan said, reported Cybernews.
The link leads to a page where the victim is prompted to answer job interview questions.
The CoinTelegraph notes that the written interview included questions such as which crypto trends the victim believes will be most significant in the coming year, as well as how a business development representative should expand a crypto firm’s partnerships in Southeast Asia or Latin America on a “limited budget.”
The malicious actor first bombards the interviewee with several long-response questions, followed by one final question that requires a video recording. However, victims will encounter an issue when attempting to grant microphone and camera access, and are told there’s a cache problem. They are then given instructions on how to “fix” it.
Monahan explains that once the victim follows the instructions, Chrome will prompt them to update or restart to “fix the issue.” However, this does not resolve anything and actually exposes the victim to further harm, as noted by Bitget.
The scam targets individuals seeking business development roles, though technical and non-technical positions, including trading and analyst jobs, are also advertised. The pay for these positions is typically high, offering their target a $200,000 to $350,000 salary, making the offers even more enticing, as reported by CoinTelegraph.
Monahan emphasized the severity of the attack, advising anyone who falls victim to it to immediately wipe their computer, especially if their wallets remain untouched, as reported by Cybernews. Experts are urging job seekers to be cautious of unsolicited job offers, particularly those requesting video recordings or asking for access to personal devices.

Image by Thomas Jensen, from Unsplash
Hackers Exploit Vulnerability In 15,000 Industrial Routers Worldwide
- Written by Kiara Fabbri Former Tech News Writer
- Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor
Hackers are targeting a serious security flaw in Four-Faith industrial routers made in China.
In a Rush? Here are the Quick Facts!
- The vulnerability allows attackers to gain unauthorized control over affected routers remotely.
- Hackers use default credentials to execute reverse shells, compromising around 15,000 devices.
- Vulnerability links to Mirai malware, responsible for over 33% of IoT malware attacks recently.
The issue, identified as CVE-2024-12856, affects the F3x24 and F3x36 models. It allows attackers to take control of the routers remotely by exploiting their default login credentials, putting thousands of devices at risk. Security researchers at VulnCheck reported the problem.
VulnCheck Chief Technology Officer Jacob Baines reported that his team detected the same user agent mentioned in a November blog by DucklingStudio, which attempted to exploit the vulnerability to deploy a different malware payload. Baines also shared a video demonstrating how the flaw can be exploited.
Gov Security Info explains that Four-Faith routers are commonly used in industries requiring remote monitoring and control. Typical customers include factories, manufacturing plants, industrial automation systems, power grids, renewable energy facilities, water utilities, and transportation companies.
These routers support real-time data transmission for tasks like fleet management and vehicle tracking. Researchers estimate that around 15,000 devices accessible online are vulnerable to the attack, based on a Censys report.
The exploitation allows attackers to execute a reverse shell, giving them unauthorized control of the routers. In a reverse shell attack, the attacker exploits a vulnerability to make the victim machine connect back to the attacker’s server, enabling remote control through command-line instructions, data theft, malware deployment, and access to secure networks, as noted by CheckPoint.
Cyberscoop reports that the vulnerability may be tied to a variant of Mirai, the notorious malware and botnet targeting Internet of Things (IoT) devices. Mirai, first detected in 2016 and originally developed by teenagers to create botnets, remains a dominant threat to IoT devices globally.
Zscaler data shows Mirai accounted for over a third of IoT malware attacks between June 2023 and May 2024, far surpassing other malware families. Additionally, more than 75% of blocked IoT transactions during this period were associated with Mirai’s malicious code, as reported by Cyberscoop.
According to Gov Security Info, Four-Faith was informed of the vulnerability on December 20 under VulnCheck’s responsible disclosure policy. Details about patches or firmware updates are currently unavailable.
Researchers recommend that users of affected router models change default credentials, restrict network exposure, and monitor device activity closely.
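The monitoring recommendation above, together with the reverse-shell behaviour described earlier (the router itself opens the connection outward), can be turned into a simple egress check. The following is an added example, not code from the article or from VulnCheck; the router addresses, allowlist, and flow-log format are constructed assumptions.

```python
import ipaddress

# Assumptions (hypothetical, not from the article): router addresses, the
# allowlisted destinations, and the flow-log line format are all constructed.
ROUTERS = {ipaddress.ip_address("10.20.0.5"), ipaddress.ip_address("10.20.0.6")}
ALLOWED_DESTS = [
    ipaddress.ip_network("10.20.0.0/16"),   # internal monitoring/control network
    ipaddress.ip_network("192.0.2.10/32"),  # placeholder for a sanctioned VPN endpoint
]

# Constructed sample: "<timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
SAMPLE_FLOWS = """\
2025-01-02T03:10:01Z 10.20.0.5 10.20.4.17 502 SYN
2025-01-02T03:10:09Z 10.20.0.5 192.0.2.10 1194 SYN
2025-01-02T03:11:30Z 203.0.113.50 10.20.0.6 80 SYN
2025-01-02T03:11:31Z 10.20.0.6 203.0.113.50 8443 SYN
2025-01-02T03:11:32Z 10.20.0.6 203.0.113.50 8443 ACK
not a flow line
"""

def unexpected_router_egress(log_text):
    """Return (timestamp, router, destination, port) for each new TCP session
    that a router opens toward a destination outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, src, dst, port, flags = parts
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            continue  # skip lines with unparsable addresses or ports
        if flags != "SYN" or src_ip not in ROUTERS:
            continue  # only session initiations that originate at a router
        if any(dst_ip in net for net in ALLOWED_DESTS):
            continue  # expected traffic
        alerts.append((ts, src, dst, port))
    return alerts

if __name__ == "__main__":
    for alert in unexpected_router_egress(SAMPLE_FLOWS):
        print("ALERT router-initiated egress:", *alert)
```

In the sample, the inbound request to the router's web port is not flagged by itself; the alert fires on the outbound session the router opens one second later.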