Scammers use fake crypto jobs, ‘GrassCall’ meeting app to drain wallets

A social engineering scheme used a fake crypto firm to post false jobs in a bid to get jobseekers to download crypto wallet-jacking malware.
Social engineering scammers are reportedly using fake job offers and a new malware-laden app called “GrassCall” to install info-stealing software that hunts for crypto wallets to drain.

BleepingComputer reported on Feb. 26 that the actors behind the scam have now abandoned the scheme, with websites and LinkedIn accounts tied to the scam taken down as the hundreds of people targeted have spoken out, some of whom said they had their crypto wallets raided after downloading GrassCall.

The Russia-based cybercrime group “Crazy Evil” is reportedly behind the scam. The group consists of social engineering specialists, commonly known as a “traffer team,” who focus on stealing crypto.

The cybersecurity firm Recorded Future reported in January that it linked “over ten active scams on social media” to Crazy Evil, which it said “explicitly victimizes the cryptocurrency space with bespoke spearphishing lures.”

One of Crazy Evil’s scams, called Gatherum, appears to be an earlier iteration of GrassCall as it masqueraded as a similar meeting app with the same logo and branding.

Cointelegraph found an X account named “VibeCall” with the same logo and branding as Gatherum and GrassCall. It appears the account became active in mid-February despite its June 2022 creation date.

A side-by-side comparison of Gatherum and VibeCall’s X accounts. Source: X

Crazy Evil’s latest scheme reportedly involved a fake crypto firm called “Chain Seeker,” which had various social media accounts that created job listings on LinkedIn and on popular Web3 job search sites CryptoJobsList and WellFound.

Those who applied for the jobs were sent an email from the firm asking them to contact its marketing chief on Telegram, who would then ask the target to download the malicious GrassCall app from a website under the group’s control. That website has now been scrubbed.

Dozens of X and LinkedIn posts from job seekers seen by Cointelegraph recounted applying for a role at Chain Seeker only to be sent the malicious link.

“This scam was extremely well-orchestrated — they had a website, LinkedIn and X profiles, and employees listed,” LinkedIn user Cristian Ghita posted to the platform on Feb. 26 after applying for a role with the firm.

“It looked legit from almost all angles. Even the video-conferencing tool had an almost believable online presence,” Ghita added.

Job ads posted by Chain Seeker had mostly been taken down by various job board sites, except for one still active on LinkedIn at the time of writing.

A job offer from Chain Seeker promises up to $150,000 a year salary for a business development manager role. Source: LinkedIn

A website for Chain Seeker lists a chief financial officer called Isabel Olmedo and an HR manager called Adriano Cattaneo, both of whose LinkedIn pages had been wiped. An account under the name of Artjoms Dzalbs was still active and noted itself as the firm’s CEO.

LinkedIn user Riley Robbins found that the supposed Chain Seeker executive team used the likeness of various online personalities. Source: Riley Robbins/LinkedIn

In its report last month, Recorded Future warned that crypto and non-fungible token (NFT) traders and gaming professionals “are prime targets.”

Many users on X and LinkedIn advised those who believe they’re impacted by the GrassCall malware to use an uninfected device to change passwords and move their crypto to fresh wallets as a precaution.
