simge_kurulum_ios_web simge_kurulum_ios_web simge_yükle_android_web

How did a fake zoom link successfully steal 1M funds?

Analiz1 saat önce更新 6086cf...
4 0

When I woke up in the morning, I saw several WeChat groups spreading the news that @lsp 8940 encountered a fake zoom link and 1M USD was stolen ( https://x.com/lsp8940/status/1871350801270296709 ). This reminded me that I encountered a similar thing on the 18th. At that time, a foreigner sent me a private message asking for cooperation. We communicated several times and then made an appointment to chat in a zoom meeting at 9 pm. When the time came, the foreigner sent me a link to a conference room, as shown below

https://app.us4zoom.us/j/8083344643?pwd= seyuvstpldar 6ugeEtcGGury 936 qBCQr #success

(Important reminder, this is a phishing link, don鈥檛 click! Don鈥檛 click! Don鈥檛 click! )

I felt a little strange when I saw this link. The domain name was us4zoom , which looked a bit irregular, but I had never used zoom before so I was not sure. Then I searched on Google and perplexity and found that the official website was zoom.us, which did not match the domain name given by the scammer.

The link provided by the scammer will download an installation package. The downloaded file is a bit small and is much smaller than the normal installation package size, as shown below

How did a fake zoom link successfully steal 1M funds?

When you open the fake zoom installation package, you will find an obvious problem. Normal software installation basically asks you to click Continue all the way, and then the installation is completed. For example, the interface of the real zoom installation package is as shown in the figure

How did a fake zoom link successfully steal 1M funds?The installation interface of the fake zoom installation package is as follows

How did a fake zoom link successfully steal 1M funds?

What the hell is this? Why do they ask us to drag the Zoom.file file into the terminal to execute it? This is obviously a problem. I opened Zoom.file with a text editor and found that it was a bash script, but I couldn鈥檛 understand the content at all. It looked like it was encrypted.

How did a fake zoom link successfully steal 1M funds?But I was not afraid. I threw the entire content to gpt and asked gpt to help me analyze the script.

How did a fake zoom link successfully steal 1M funds?

Gpt told me that this code was hidden by base 64 encoding. After decoding, I found that the main function of this script is to copy the Trojan file .ZoomApp from the installation package to the /tmp directory for execution. Because this Trojan file is hidden, it is not visible by default.

How did a fake zoom link successfully steal 1M funds?The analysis of this Trojan file is beyond my ability, and gpt cannot provide practical help. This part of the analysis requires the relay of professional security personnel. However, it can be speculated that this Trojan will scan key files for upload, such as the local files of the browser plug-in wallet. I remember that in 21 years, the private key can be recovered from the local files of metamask, provided that the set password is known or brute force cracking is used.

We can draw several conclusions from this incident:

1. The scammers are casting a wide net. @cutepanda web3 also tweeted today that he encountered the same scam.

2. This is the same scammer. From @lsp 8940 鈥檚 replay tweet, we can see that the fake zoom meeting links we both received are exactly the same.

https://x.com/lsp8940/status/1871426071499100630

3. Be cautious about private messages from strangers on Twitter, especially if the stranger has never tweeted and your mutual friends don鈥檛 follow him.

4. Try to set the browser plug-in wallet password to be more complex, so that when the browser plug-in file is leaked, it will increase the difficulty of cracking.

Safety is no small matter, I hope everyone will avoid falling into traps.

This article is sourced from the internet: How did a fake zoom link successfully steal 1M funds?

Related: LBank Labs 2024 Meme Track Research: Breaking the Circle and Rebirth, From Controversial Narratives to the 100 Billion T

introduction As the crypto market matures and the industry landscape continues to evolve, Meme Coin has developed into an emerging market with a market value of over $100 billion, relying on its unique value capture model and community consensus. Against the backdrop of market volatility and a tightening regulatory environment, its resilience and vitality have triggered in-depth reflections on its core value in the industry. In order to fully grasp the development context and future trends of the Meme track, LBank Labs, MetaEra and Bee Network jointly released the 2024 Meme Track Research: Breaking the Circle and Rebirth, From Controversial Narratives to the 100 Billion Track research report. This in-depth research report, through a systematic analysis of market size, ecological pattern, infrastructure construction, exchange layout and other dimensions, presents in…

© 版权声明

Amerika Birleşik Devletleri