The attackers impersonate a former CoinMarketCap contributor, using a real name and photo that are still published on the company’s website to establish credibility. They initiate contact with a convincing email sent from a domain that does not resolve, inviting the target to a Zoom interview. The message, complete with CoinMarketCap branding, directs the target to a Calendly link to schedule the call. This initial contact is crafted to look legitimate enough that it does not raise the suspicion an unsolicited message normally would.
During the Zoom call, the attackers introduce themselves and, after some small talk, engineer a situation to gain remote control. One of the impersonators, under the guise of technical difficulty with their “note-taking app,” asks the victim to change their Zoom language to Polish. This seemingly innocent request serves to disorient the victim and provide an excuse to ask about their operating system, which is part of the process of “helping” them change the language.
The interview then resumes, but minutes later a pop-up in Polish appears, prompting the victim to grant a “remote participant” control of their screen. The request is a standard Zoom feature, and the dialog itself is the legitimate permission prompt; the attackers have simply staged the situation so that it looks like a routine application interaction. Unsuspecting targets, distracted by the ongoing “interview” and unable to read the foreign-language prompt, may accept the request without realizing what they are granting.
Once remote control is granted, the attackers have full access to the victim’s keyboard and mouse. This allows them to quickly execute malicious commands, such as deploying malware, exfiltrating sensitive files, or stealing login credentials and crypto wallets. The entire attack is executed within seconds, leveraging the trust placed in a familiar platform like Zoom and a well-known brand like CoinMarketCap. The campaign highlights a growing trend of highly targeted, socially engineered attacks that exploit human trust and common communication tools.