Curated by THEOUTPOST
On Tue, 10 Dec, 12:01 AM UTC
2 Sources
[1]
Crypto-stealing scam targets Web3 workers with fake meeting apps
Web3 workers are being targeted by a campaign that uses fake meeting apps to inject malware and steal credentials to websites, apps and crypto wallets, Cado Security Labs warned.
Scammers have been using artificial intelligence to generate and fill out websites and social media accounts to appear as legitimate companies before contacting potential targets to prompt them to download a meeting app, Cado's threat research lead Tara Gould wrote in a Dec. 6 report.
The app is called "Meeten" but it's currently going by the name "Meetio" and regularly changes names. In the past, it has used Clusee.com, Cuesee, Meeten.gg, Meeten.us and Meetone.gg.
The app contains a Realst info stealer and, once downloaded, will hunt for sensitive items such as a Telegram login, banking card details and information on crypto wallets to send back to the attackers. The stealer can also search for browser cookies and autofill credentials from applications like Google Chrome and Microsoft Edge, along with info on Ledger, Trezor and Binance Wallets.
The scheme can involve social engineering and spoofing. One user reported being contacted on Telegram by someone they knew who wanted to discuss a business opportunity, who was later outed as an impersonator.
"Even more interestingly, the scammer sent an investment presentation from the target's company to him, indicating a sophisticated and targeted scam," Gould said. Others had reported "being on calls related to Web3 work, downloading the software and having their cryptocurrency stolen," Gould added.
To help gain credibility, the scammers set up a company website with AI-generated blogs, product content and accompanying social media accounts, including X and Medium.
"While much of the recent focus has been on the potential of AI to create malware, threat actors are increasingly using AI to generate content for their campaigns," Gould said. "Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams and makes it more difficult to detect suspicious websites."
The fake websites where users are prompted to download the malware-riddled software also contain JavaScript to steal crypto stored in web browsers, even before installing any malware.
The scammers created both a macOS and Windows variant. Gould says the scheme has been active for about four months.
Other scammers have also been actively using these tactics. In August, onchain sleuth ZachXBT said he found 21 developers, alleged to be North Koreans, working on various crypto projects using fake identities. In September, the FBI issued a warning about North Korean hackers targeting crypto companies and decentralized finance projects with malware disguised as an employment offer.
[2]
Fake video conferencing app is stealing passwords and spreading malware -- how to stay safe
Scammers are using AI to make their shady websites appear legitimate
Cado Security Labs has identified a Realst info-stealer that uses a fake meeting app to steal crypto wallets and inject malware. The scammers are tricking web3 workers into downloading an app, which has been called Meeten, Meetio, Meeten.gg, Meeten.us, Meetone.gg, Cluesee.com and Cuesee -- it changes names frequently.
The threat actors use AI to generate and fill out blogs, websites and social media accounts on X and Medium to appear as legitimate companies before contacting targets and prompting them to download the app. Once downloaded, the malware will search out sensitive information, including banking card details, Telegram logins, and information on crypto wallets (specifically Ledger, Trezor, Phantom and Binance wallets), which it sends back to the attackers. It can also search for browser cookies and autofill credentials from Google Chrome, Microsoft Edge, Opera, Brave, Arc, CocCoc and Vivaldi.
One user was contacted by someone impersonating an acquaintance who then sent an investment presentation from the target's company to the target; others have reported being on calls related to web3 work and being instructed to download the software.
Increasingly, AI is being used to generate content for malware campaigns. According to Cado Security Labs threat research lead Tara Gould, "Using AI enables threat actors to quickly create realistic website content that adds legitimacy to their scams and makes it more difficult to detect suspicious websites."
These fake websites, which prompt victims to download malware instead of legitimate software, also contain JavaScript that can steal crypto wallets stored in web browsers, and that's before it installs malware. According to Paul Scott, Solutions Engineer at Cado Security, "If a user has their wallet unlocked in their browser and visit a malicious website, the JavaScript on the site automatically checks if there are unlocked wallets present and will attempt to transfer crypto coins to a wallet the attacker controls."
This campaign has been active for at least four months, has both macOS and Windows variants and appears to be a variant of the Realst infostealer first discovered in 2023 by security researcher iamdeadlyz.
The researchers advise users to be careful when being approached about business opportunities -- especially through Telegram. Even if the contact appears to be an existing, known contact, it is essential to verify the account. Always be diligent when opening links. Never open anything from someone you don't know or are not expecting. If you receive a link, contact the sender and ask them if they've sent it and why. If they've sent something in Telegram and usually contact you in Slack, contact them on the platform where you typically discuss business.
Make sure you're using antivirus software and that it's current and up to date. Use a secure browser if one is available, too.
A sophisticated scam using AI-generated content and fake meeting apps is targeting Web3 workers to steal crypto wallets and sensitive information. The scheme involves social engineering and malware distribution.
A sophisticated crypto-stealing scam campaign is targeting Web3 workers, leveraging artificial intelligence (AI) to create convincing fake meeting apps and websites. Cado Security Labs has uncovered this scheme, which uses social engineering tactics to lure victims into downloading malware-infected applications [1].
The primary tool in this scam is a fake meeting app, which has operated under various names including "Meeten," "Meetio," "Clusee.com," and "Meetone.gg." This app contains a Realst info stealer, designed to hunt for sensitive information such as:
What sets this scam apart is its use of AI to generate convincing content. The threat actors create seemingly legitimate company websites with AI-generated blogs, product content, and accompanying social media accounts on platforms like X and Medium. This AI-powered approach allows scammers to quickly produce realistic website content, adding an air of legitimacy to their operations and making it more challenging to detect suspicious websites [1].
The scammers employ targeted social engineering tactics. In one instance, a user reported being contacted on Telegram by an impersonator posing as a known contact to discuss a business opportunity. The scammer even sent an investment presentation from the target's own company, demonstrating the sophisticated and targeted nature of the attack [1].
The malware campaign has both macOS and Windows variants, indicating a broad reach across different operating systems. The fake websites used to distribute the malware contain JavaScript that can steal crypto stored in web browsers even before the malware is installed [2].
This scam has been active for approximately four months, according to Cado Security Labs. To protect against such threats, users are advised to:
This scam is part of a growing trend of AI-assisted cyber threats. In August, onchain sleuth ZachXBT identified 21 developers, allegedly North Koreans, working on various crypto projects using fake identities. The FBI has also warned about North Korean hackers targeting crypto companies and DeFi projects with malware disguised as employment offers [1].
As AI continues to evolve, it's likely that we'll see more sophisticated scams leveraging this technology to create convincing fake personas and content, posing significant challenges for cybersecurity professionals and end-users alike.