Currencies38120
Market Cap$ 2.25T+1.29%
24h Spot Volume$ 33.72B-10.2%
DominanceBTC56.31%+0.58%ETH9.36%-0.60%
ETH Gas0.07 Gwei
Cryptorank
/

A new hack in town – Crypto users warned of phishing attacks disguised as Zoom meeting links


A new hack in town – Crypto users warned of phishing attacks disguised as Zoom meeting links

Share:

Predictions Markets

See what traders are focused on

View analytics →
Prediction Banner

SlowMist has brought attention to a new phishing scam targeting cryptocurrency users. The scam disguises itself as fake Zoom meetings to distribute malware that steals sensitive data. It involves counterfeit Zoom links that trick victims into downloading malicious files aimed at extracting cryptocurrency assets.

According to blockchain security platform SlowMist, the attackers behind the scam used a sophisticated phishing technique involving a domain that mimicked the legitimate Zoom domain. The phishing website, “app[.]us4zoom[.]us,” looks very similar to the genuine Zoom website interface. 

Victims are prompted to click a “Launch Meeting” button, which they expect to take them to a Zoom session. However, instead of opening the Zoom application, the button initiates the download of a malicious file titled “ZoomApp_v.3.14.dmg.”

Malware execution and data theft ploy uncovered 

Once downloaded, the malicious file triggers a script that requests the user’s system password. The script executes a hidden executable named “.ZoomApp,” which is designed to access and collect sensitive system information, including browser cookies, KeyChain data, and cryptocurrency wallet credentials. 

Per security experts, the malware is specifically tailored to target cryptocurrency users, with the intention of stealing private keys and other crucial wallet data. The downloaded package, once installed, will run a script called “ZoomApp.file.”

Upon execution, the script prompts users to enter their system password, unknowingly giving hackers access to sensitive data. 

Crypto hacks through Zoom links – Source: SlowMist

After decrypting the data, SlowMist revealed that the script ultimately executes an osascript, which transfers collected information to the attackers’ backend systems.

SlowMist also traced the phishing site’s creation to 27 days ago, suspecting the involvement of Russian hackers. These hackers have been using Telegram’s API to monitor activity on the phishing site, tracking whether anyone clicked the download link. According to the security company’s analysis, the hackers began targeting victims as early as November 14.

Stolen funds moved through several exchanges 

SlowMist used the on-chain tracking tool MistTrack to investigate the movements of stolen funds. The hacker’s address, identified as 0x9fd15727f43ebffd0af6fecf6e01a810348ee6ac, has reportedly profited more than $1 million in cryptocurrency, including USD0++, MORPHO, and ETH.

In a detailed analysis, MistTrack revealed that the hacker address had exchanged USD0++ and MORPHO for 296 ETH.

Stolen crypto movements tracked by MistTrack. Source: MistTrack

Further investigation showed that the hacker’s address received small ETH transfers from another address, 0xb01caea8c6c47bbf4f4b4c5080ca642043359c2e, which appeared to be responsible for providing transaction fees for the hacker’s scheme. 

The address has been found to transfer small amounts of ETH to nearly 8,800 other addresses, suggesting it may be part of a larger platform dedicated to funding transaction fees for illicit activities.

ETH transfers between addresses linked to the Zoom link scam – Source: SlowMist

Once the stolen funds were gathered, they were funneled through various platforms. Binance, Gate.io, Bybit, and MEXC were among the exchanges that received the stolen cryptocurrency. The funds were then consolidated into a different address, with transactions flowing into several exchanges, including FixedFloat and Binance. There, the stolen funds were converted into Tether (USDT) and other cryptocurrencies.

The criminals behind this scheme have managed to evade direct capture by using complex methods to launder and convert their illicit gains into widely-used cryptocurrencies. SlowMist warned crypto enthusiaststhat the phishing site and associated addresses may continue to target unsuspecting cryptocurrency users.

From Zero to Web3 Pro: Your 90-Day Career Launch Plan

Read the article at CryptoPolitan

In This News

Coins

$ 1.75K

+0.69%

$ 0.99917

0%

$ 0.00727

+2.25%

$ 0.00...361


Predictions Markets

See what traders are focused on

View analytics →
Prediction Banner

Share:

In This News

Coins

$ 1.75K

+0.69%

$ 0.99917

0%

$ 0.00727

+2.25%

$ 0.00...361


Predictions Markets

See what traders are focused on

View analytics →
Prediction Banner

Share:

Read More

Russia’s legal crypto on-ramp to arrive with a state-owned bank holding the keys

Russia’s legal crypto on-ramp to arrive with a state-owned bank holding the keys

The reported December launch matters because Russia’s new rules may make custody, lim...
Private Blockchains Are Bigger Bitcoin Risk Than Strategy BTC Sales, JPMorgan

Private Blockchains Are Bigger Bitcoin Risk Than Strategy BTC Sales, JPMorgan

JPMorgan analysts have said Bitcoin’s main long-term risk may not come from Strategy ...