Good day everyone,
I hope you are all having a good day, and welcome to CryptoGod-1's blog on all things crypto. In this post I will be looking at a recent scam that uses fake Zoom meeting links to target cryptocurrency users.
Fake Zoom Link Targets Crypto Users
Blockchain security firm SlowMist has warned of a rise in 'Fake Zoom' crypto scams, which have led to millions in cryptocurrency being stolen from users. The attack uses phishing links that mimic legitimate meeting invitations and deliver malware. The lure is usually disguised as a Zoom meeting link, and the scam was first identified on the 14th of November. The phishing campaign has been linked to Russian-speaking hackers, and the stolen funds have been traced to a number of cryptocurrency platforms, including Binance, Gate.io, and Bybit.
https://x.com/SlowMist_Team/status/1872526964789219563
SlowMist's investigation revealed that the attackers use the domain “app[.]us4zoom[.]us” to impersonate Zoom's official web address (the legitimate domain is zoom.us). The site closely mirrors the real Zoom meeting page, which helps trick users into clicking the “Launch Meeting” button.
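The look-alike domain above is the whole trick, so here is a small link check written for this post (it is not code from SlowMist or Zoom). It takes a pasted link, undoes the usual IOC defanging, pulls out only the hostname, and allows it only if it is zoom.us or a proper subdomain of it. The allow-list of just zoom.us is an assumption for the demo; the three bad links besides the reported domain are constructed to show the common tricks (userinfo before the host, zoom.us as a leading label, punycode).

```python
# Added example: meeting-link check written for this post, not code from
# SlowMist or Zoom. Assumption: every real Zoom meeting host is zoom.us or a
# subdomain of it (us04web.zoom.us, app.zoom.us); anything else is rejected,
# including look-alikes such as app.us4zoom.us.
from urllib.parse import urlsplit

LEGIT_ZOOM_DOMAINS = ("zoom.us",)  # assumed allow-list for this demo


def refang(text: str) -> str:
    """Undo the usual IOC defanging so reported domains can be fed straight in."""
    return (text.replace("[.]", ".")
                .replace("hxxps://", "https://")
                .replace("hxxp://", "http://"))


def extract_host(url: str) -> str:
    """Lowercase hostname only: userinfo, port, path and fragment are discarded,
    so 'https://zoom.us@evil.example/j/1' yields 'evil.example'."""
    url = refang(url.strip())
    if "://" not in url:          # bare domain pasted from a report
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def is_zoom_host(host: str) -> bool:
    """True only when host equals an allowed domain or sits under it at a label
    boundary: 'zoom.us.evil.example' and 'us4zoom.us' both fail."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_ZOOM_DOMAINS)


def classify_link(url: str):
    """Return ('allow', host) or ('reject', reason)."""
    host = extract_host(url)
    if not host:
        return ("reject", "no hostname found")
    if is_zoom_host(host):
        return ("allow", host)
    if host.startswith("xn--") or ".xn--" in host:
        return ("reject", f"punycode host {host} (possible homoglyph)")
    if "zoom" in host:
        return ("reject", f"look-alike domain {host}")
    return ("reject", f"not a Zoom domain: {host}")


if __name__ == "__main__":
    for link in ("https://us04web.zoom.us/j/123456789",
                 "app[.]us4zoom[.]us",                 # the domain from the SlowMist report
                 "https://zoom.us@evil.example/j/1",   # constructed: userinfo trick
                 "https://zoom.us.evil.example/launch",  # constructed: zoom.us as a leading label
                 "https://xn--zom-8wa.us/j/1"):        # constructed: punycode host
        print(link, "->", classify_link(link))
```

The important detail is the label-boundary check in is_zoom_host: a plain substring test would happily accept app.us4zoom.us and evilzoom.us, which is exactly what the phishing domain is counting on.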
When the user clicks the Launch Meeting button, the site downloads a malicious disk image named "ZoomApp_v.3.14.dmg". When the user opens it, the installer asks for their system password, which grants the malware elevated access across the machine. SlowMist also uncovered a hidden executable named “.ZoomApp” embedded in the installation package. This file acts as a Trojan that collects sensitive data, including system information, browser cookies, cryptocurrency wallet data, and Keychain passwords.
Once harvested, the data is transmitted to a server controlled by the attackers at IP address 141.98.9.20, which was traced to the Netherlands; threat intelligence services have flagged this IP as malicious. The investigation noted that the malware used osascript scripts to get around macOS security measures, allowing the attackers to steal wallet mnemonic phrases and private keys, so that victims lost control of their wallets without realising it. The attackers bypassed traditional security defences with social engineering, relying on the victim's trust in a familiar application rather than on a software flaw.
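To make the two red flags above concrete, here is a triage scan written for this post (not SlowMist's tooling) that walks an unpacked installer directory and reports hidden executables such as ".ZoomApp" and any script that drives a password prompt through osascript. The directory layout and script text it builds are a constructed stand-in for the mounted DMG, not the real malware, and the "display dialog ... with hidden answer" pattern is an assumption about how such fake prompts are usually written; the SlowMist report does not quote the script.

```python
# Added example: installer triage written for this post, not SlowMist's code.
# The sample bundle it builds is constructed for the demo (harmless shell
# stubs); the osascript prompt pattern is an assumed, commonly seen construct.
import re
import tempfile
from pathlib import Path

# AppleScript fragments typically used to fake a system password prompt
# (assumed pattern; the actual script from the campaign is not in the post).
PASSWORD_PROMPT_RE = re.compile(
    r"osascript.*?(display dialog|hidden answer|with administrator privileges)",
    re.IGNORECASE | re.DOTALL,
)


def hidden_executables(root: Path):
    """Files whose own name starts with '.' and that carry an execute bit."""
    found = []
    for path in root.rglob("*"):
        if path.is_file() and path.name.startswith(".") \
                and path.stat().st_mode & 0o111:
            found.append(str(path.relative_to(root)))
    return sorted(found)


def password_prompt_scripts(root: Path, max_bytes: int = 1_000_000):
    """Text files that drive osascript to ask for a password."""
    found = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if PASSWORD_PROMPT_RE.search(text):
            found.append(str(path.relative_to(root)))
    return sorted(found)


def triage(root: Path):
    return {
        "hidden_executables": hidden_executables(root),
        "password_prompts": password_prompt_scripts(root),
    }


def build_sample_bundle() -> Path:
    """Constructed stand-in for the mounted DMG contents (NOT the real malware)."""
    root = Path(tempfile.mkdtemp(prefix="zoomapp_demo_"))
    macos_dir = root / "ZoomApp.app" / "Contents" / "MacOS"
    macos_dir.mkdir(parents=True)
    launcher = macos_dir / "ZoomApp"            # visible launcher, looks benign
    launcher.write_text('#!/bin/sh\nexec "$(dirname "$0")/../../../.ZoomApp"\n')
    launcher.chmod(0o755)
    hidden = root / ".ZoomApp"                  # hidden payload at the image root
    hidden.write_text(
        "#!/bin/sh\n"
        "# constructed sample: fake password prompt via osascript\n"
        "PW=$(osascript -e 'display dialog \"Zoom needs your password to install "
        "updates\" default answer \"\" with hidden answer')\n"
    )
    hidden.chmod(0o755)
    (root / "README.txt").write_text("Double-click ZoomApp to join the meeting.\n")
    return root


if __name__ == "__main__":
    sample = build_sample_bundle()
    for key, hits in triage(sample).items():
        print(f"{key}: {hits}")
```

On a real mounted image you would point triage() at the /Volumes mount point; a legitimate installer has no reason to ship a dot-prefixed executable at its root, and no reason to build its own password dialog when macOS provides the authorisation prompt itself.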
SlowMist used its on-chain tracking tool, MistTrack, to trace the movement of the stolen assets. The hackers used the wallet address 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac, which had profited by over $1 million from their activities. Among the stolen assets were USD0++ and MORPHO tokens, which were subsequently swapped for 296 ETH. The address had also received a small amount of ETH from 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, believed to be gas money for the phishing operation. That funding address has distributed small amounts of ETH to around 8,800 other wallets, suggesting it operates as a transaction-fee (gas) service.
Some of the stolen funds were sent to centralised exchanges such as MEXC and ChangeNOW, while a further 296.45 ETH went to another wallet, 0xdfe7c22a382600dcffdde2c51aaa73d788ebae95. This address has been involved in multiple transactions across different blockchains and currently holds 32.81 ETH. Some of these transfers involved addresses that MistTrack has flagged as linked to the known phishing entities “Angel Drainer” and “Theft”.
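The two paragraphs above are what a fund-flow trace looks like in prose, so here is a toy version of that trace written for this post. It is not MistTrack and it never touches the chain: the three addresses are the ones named in the SlowMist write-up, but every transfer, amount and counterparty label below is constructed to mirror the narrative (exchange deposits, a hop wallet, flagged clusters, a gas distributor). It follows ETH outward from the drainer address, stops at labelled counterparties, and also computes the two side signals the post mentions, the hop wallet's remaining balance and the gas funder's fan-out.

```python
# Added example: a toy fund-flow tracer written for this post. It is not
# MistTrack and does not touch the chain; the three addresses are the ones
# named in the SlowMist write-up, while the transfers, amounts and labels
# below are constructed to mirror the narrative.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    src: str
    dst: str
    eth: float


DRAINER = "0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac"
GAS_FUNDER = "0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e"
HOP = "0xdfe7c22a382600dcffdde2c51aaa73d788ebae95"

# Placeholder node ids for counterparties (constructed, not real addresses).
LABELS = {
    "MEXC-deposit": "exchange: MEXC",
    "ChangeNOW-deposit": "exchange: ChangeNOW",
    "angel-drainer-addr": "flagged: Angel Drainer",
    "theft-addr": "flagged: Theft",
}

# Constructed transfer list (amounts chosen so the hop wallet is left with 32.81 ETH).
TRANSFERS = [
    Transfer(GAS_FUNDER, DRAINER, 0.02),          # gas money before the campaign
    Transfer(GAS_FUNDER, "wallet-a", 0.01),       # fan-out to many other wallets
    Transfer(GAS_FUNDER, "wallet-b", 0.01),
    Transfer(GAS_FUNDER, "wallet-c", 0.01),
    Transfer(DRAINER, "MEXC-deposit", 40.0),
    Transfer(DRAINER, "ChangeNOW-deposit", 25.0),
    Transfer(DRAINER, HOP, 296.45),
    Transfer(HOP, "angel-drainer-addr", 100.0),
    Transfer(HOP, "theft-addr", 50.0),
    Transfer(HOP, "bridge-contract", 113.64),     # unlabelled dead end in this data set
]


def build_graph(transfers):
    graph = defaultdict(list)
    for t in transfers:
        graph[t.src].append(t)
    return graph


def trace(start, graph, labels, max_hops=4):
    """Breadth-first walk along outgoing transfers from `start`.
    Stops at any labelled counterparty (exchange or flagged cluster) and at
    unlabelled dead ends, summing the ETH that arrives at each; `paths`
    records the route taken to every stop."""
    reached = defaultdict(float)
    paths = []
    queue = deque([(start, 0, (start,))])
    seen = {start}
    while queue:
        node, hops, path = queue.popleft()
        if hops >= max_hops:
            continue
        for t in graph.get(node, []):
            if t.dst in labels:
                reached[labels[t.dst]] += t.eth
                paths.append(path + (t.dst,))
            elif not graph.get(t.dst):
                reached["unlabelled:" + t.dst] += t.eth
                paths.append(path + (t.dst,))
            elif t.dst not in seen:
                seen.add(t.dst)
                queue.append((t.dst, hops + 1, path + (t.dst,)))
    return {k: round(v, 2) for k, v in reached.items()}, paths


def balance(addr, transfers):
    """Inflow minus outflow over the transfer list (the hop wallet's 32.81 ETH)."""
    inflow = sum(t.eth for t in transfers if t.dst == addr)
    outflow = sum(t.eth for t in transfers if t.src == addr)
    return round(inflow - outflow, 2)


def fan_out(addr, graph):
    """Number of distinct recipients, the signal that marks a gas distributor."""
    return len({t.dst for t in graph.get(addr, [])})


if __name__ == "__main__":
    g = build_graph(TRANSFERS)
    reached, paths = trace(DRAINER, g, LABELS)
    for label, eth in sorted(reached.items()):
        print(f"{eth:>8.2f} ETH -> {label}")
    print("hop wallet balance:", balance(HOP, TRANSFERS), "ETH")
    print("gas funder fan-out:", fan_out(GAS_FUNDER, g), "wallets")
```

Real tracing adds token swaps, cross-chain bridges and a much larger label set on top of this, but the skeleton is the same: walk outgoing transfers, stop where an address is already attributed, and report what landed where.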
So the advice is simple: exercise caution and verify meeting links before clicking. Check that the link really points to zoom.us rather than a look-alike domain, and be suspicious of any meeting that asks you to download an installer or to enter your system password.
Have a great day.
Peace. CryptoGod-1.