A new crypto-stealing malware campaign is targeting users of the cloud-based video conferencing platform Zoom. The scam redirects users to a malicious website that delivers the malware and drains their crypto assets.
Spotted by cybersecurity engineer “NFT_Dreww” on July 22, the malicious website closely mimics the original Zoom video call link.
Begins with social engineering
The attack starts with the scammer approaching the victim and trying to trick them into joining a video call. NFT_Dreww says common tactics involve the attacker offering angel investing opportunities or asking the victim to join as a guest on X Spaces.
The scammers' X profiles are designed to make them look like average crypto market participants. To look legitimate, they often use NFT profile pictures and claim to be affiliated with various projects.
The scam operates by creating fake Zoom URLs like *.us50web[.]us, which look similar to legitimate ones like usXXweb.zoom[.]us but are hosted under an attacker-controlled domain rather than under zoom[.]us. The attackers include real meeting IDs and passwords in the fake URLs to make them appear authentic.
NFT_Dreww stressed that the “-” in the URL is part of the top-level domain, not a sub-domain, which misleads many users.
[Image: Difference between the original Zoom domain and the malicious domain. Source: NFT_Dreww on X]
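The lookalike described above works because the hostname still contains familiar Zoom-style labels while the registered domain is something else entirely. The following checker is an added example, not code from the article or from NFT_Dreww: it defangs a link, extracts the hostname, and compares the registered domain against zoom.us. The sample lookalike hosts ("zoom.us50web.us" built from the article's *.us50web[.]us pattern, and a hyphenated "us50web-zoom.us" variant) are constructed for illustration, and the assumption that Zoom meeting links always sit under zoom.us is the author's simplification.

```python
"""Flag Zoom-lookalike meeting links by checking the registered domain.

Added example; not from the original article. Assumes legitimate Zoom
meeting links always sit under the registered domain zoom.us.
"""
import re
from urllib.parse import urlsplit

# Assumption: the only registered domain Zoom uses for meeting links.
LEGIT_DOMAINS = {"zoom.us"}

# Meeting IDs in Zoom links are 9-11 digit numbers under /j/.
MEETING_ID_RE = re.compile(r"/j/\d{9,11}")


def refang(url: str) -> str:
    """Turn defanged notation such as zoom[.]us back into a real URL."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registered_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g. 'zoom.us'.

    Good enough for .us/.com style TLDs; public-suffix handling (co.uk
    and friends) is deliberately out of scope for this example.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Classify a meeting link as 'legit' or 'lookalike' with reasons."""
    clean = refang(url)
    if "://" not in clean:
        clean = "https://" + clean
    parts = urlsplit(clean)
    host = parts.hostname or ""
    reg = registered_domain(host)
    reasons = []
    if reg not in LEGIT_DOMAINS:
        if "zoom" in host:
            # The brand name appears somewhere in the host, but the part
            # that actually decides who owns the site is not zoom.us.
            reasons.append(f"contains 'zoom' but registered domain is {reg}")
        if "-" in reg:
            reasons.append("hyphen inside the registered domain")
        if MEETING_ID_RE.search(parts.path):
            reasons.append("carries a real-looking meeting ID")
        verdict = "lookalike"
    else:
        verdict = "legit"
    return {"host": host, "registered_domain": reg,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links (not real meeting IDs or passwords).
    for link in ("https://us02web.zoom[.]us/j/12345678901?pwd=abc",
                 "https://zoom.us50web[.]us/j/12345678901?pwd=abc",
                 "https://us50web-zoom[.]us/j/12345678901?pwd=abc"):
        print(link, "->", classify_link(link))
```

The decisive check is `registered_domain`, not whether "zoom" appears in the host: that is exactly the distinction the caption above illustrates, and it is the one users skimming a link tend to miss.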
If a user agrees to join, the attackers insist on only using Zoom, claiming that their team is already on call.
How it works
Once the link is clicked, the user is redirected to a malicious but identical-looking Zoom page with a loading screen that looks stuck.
There, a download is triggered for a file dubbed “ZoomInstallerFull.exe,” and the user is asked to install the file. The installation process looks genuine, even showing a terms and conditions page.
Once the installation finishes, the user is sent back to the malicious loading screen, which then redirects them to a legitimate Zoom URL. By that point, the malware has already been installed on the victim's system.
First, the malware adds itself to the Windows Defender exclusion list, which prevents the security software from scanning or blocking it. It then extracts user information from the system. The entire process runs while the user is still waiting at the fake Zoom loading page.
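Adding an exclusion is a configuration change that Defender records in its own event log, so a defender can alert on it rather than rely on the victim noticing. The detection below is an added example, not part of the article: it scans event records for Defender configuration changes (event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log) whose new value lands under the Exclusions registry key, and rates an exclusion that points at a user-writable directory or a single executable as high severity. The sample records are constructed; their message layout is modeled on the 5007 event but the exact format is an assumption, and the file name is simply the one the article quotes.

```python
"""Detect Defender exclusion additions in configuration-change events.

Added example; not from the original article. The record layout below
is modeled on Microsoft-Windows-Windows Defender/Operational event 5007
("configuration has changed") and is an assumption, not a verified spec.
"""
import re
from typing import Dict, List

# Constructed sample events. "new_value" carries the registry path that the
# 5007 event reports as the changed setting.
SAMPLE_EVENTS: List[Dict] = [
    {"event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                  r"\C:\Users\alice\AppData\Local\Temp\ZoomInstallerFull.exe = 0x0"},
    {"event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"},
    {"event_id": 5007,
     "new_value": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                  r"\C:\Program Files\SQL Server = 0x0"},
    {"event_id": 1116, "new_value": ""},  # a detection event, not a config change
]

# Matches the three exclusion kinds Defender supports and captures the target.
EXCLUSION_RE = re.compile(
    r"Exclusions\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x", re.IGNORECASE)

# Directories a user-level dropper can write to without elevation.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def rate_exclusion(target: str) -> str:
    """High severity for user-writable locations or single executables."""
    low = target.lower()
    if any(d in low for d in SUSPICIOUS_DIRS) or low.endswith(".exe"):
        return "high"
    return "medium"


def find_exclusion_changes(events: List[Dict]) -> List[Dict]:
    """Return one finding per exclusion added via a 5007 configuration change."""
    findings = []
    for ev in events:
        if ev.get("event_id") != 5007:
            continue
        match = EXCLUSION_RE.search(ev.get("new_value", ""))
        if not match:
            continue  # some other setting changed, not an exclusion
        kind, target = match.group(1), match.group(2).strip()
        findings.append({"kind": kind, "target": target,
                         "severity": rate_exclusion(target)})
    return findings


if __name__ == "__main__":
    for finding in find_exclusion_changes(SAMPLE_EVENTS):
        print(finding)
```

In a real deployment the records would come from the event log (for example via a SIEM forwarder) rather than an inline list; the filtering logic stays the same. Legitimate exclusions such as the database directory in the sample still surface at medium severity, so the rule is a triage aid rather than a silent allowlist.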
According to the security expert, the scam has already drained over $300,000 worth of funds from several users. He urged users to be careful when clicking on links received on social media and avoid downloading any software.
Social engineering scams are becoming more sophisticated as the crypto sector continues to develop. On July 2, scammers hijacked the Ethereum Foundation's official email address and sent phishing emails to more than 35,000 users.
Scams of this sort have resulted in over $300 million worth of cryptocurrency assets stolen from EVM chains in the first half of 2024 alone.
The post Crypto scammers use fake Zoom malware to steal funds appeared first on Invezz