Hackers targeting individuals in the cryptocurrency space are using sophisticated phishing techniques that begin with malicious links on Calendly. “The attacker impersonates an existing cryptocurrency investor and requests to schedule a video conference,” Krebs on Security reports. “However, after clicking on the meeting link provided by the scammer, users are prompted to run a script that silently installs malware on their macOS system.” From the report: A Google search for the script's text strings turned up a December 2023 blog post from crypto security firm SlowMist about a phishing attack on Telegram by North Korean state-sponsored hackers. “When project teams click on links, they encounter regional access restrictions,” SlowMist wrote. “At this point, the North Korean hacker tricks the team into downloading and running a malicious script that ‘changes their location.’ Once the project team complies, their computers are under the hacker’s control. This leads to the theft of funds.”
According to SlowMist, the North Korean phishing scam used the “Add Custom Link” feature of the Calendly meeting scheduling system to insert malicious links into event pages to launch phishing attacks. “Calendly is well integrated into the daily operations of most project teams, so these malicious links do not easily raise suspicion,” the blog post explains. “As a result, project teams could click on these malicious links and download and execute malicious code.”
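The lure described above turns on two things a recipient can check before clicking: the "meeting" link points somewhere other than a known conferencing provider, and the page it leads to hands over a file to execute. The triage below, an added example rather than code from Krebs, SlowMist or Calendly, scans the text of a calendar invite for such links; the trusted-host allowlist, the file-extension list and the sample invite are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hosts a team legitimately expects a video-conference link to point at.
# Assumption: replace with the meeting tools your organisation actually uses.
TRUSTED_MEETING_HOSTS = {"zoom.us", "meet.google.com",
                         "teams.microsoft.com", "calendly.com"}

# A "meeting link" that resolves to one of these is really a download prompt.
SCRIPT_EXTENSIONS = (".sh", ".command", ".scpt", ".pkg", ".dmg", ".zip")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_trusted_host(url: str) -> bool:
    """True if the URL's host is, or is a subdomain of, an allowlisted provider."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_MEETING_HOSTS)


def triage_invite(text: str) -> list:
    """Return every link in the invite text that deserves a second look,
    with the reason(s) it was flagged."""
    findings = []
    for url in URL_RE.findall(text):
        reasons = []
        if not is_trusted_host(url):
            reasons.append("host is not a known meeting provider")
        if urlparse(url).path.lower().endswith(SCRIPT_EXTENSIONS):
            reasons.append("link delivers a file to run, not a meeting")
        if reasons:
            findings.append({"url": url, "reasons": reasons})
    return findings


# Constructed sample invite mirroring the "change your location" pretext.
SAMPLE_INVITE = """Intro call with fund partner (via Calendly)
Join: https://us02.zoom.us/j/0000000000
Event page: https://calendly.com/example-investor/intro
Region restriction when joining? Run this to change your location:
https://meeting-fix.example.net/update_location.sh
"""

if __name__ == "__main__":
    for hit in triage_invite(SAMPLE_INVITE):
        print(hit["url"], "->", "; ".join(hit["reasons"]))
```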
SlowMist said the malware downloaded by the malicious link in their case came from a North Korean hacker group called BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacker group. Kaspersky Lab wrote in December 2023 that BlueNoroff is “a financially motivated attacker with close ties to Lazarus that targets banks, casinos, fintech companies, POST software and cryptocurrency businesses, and ATMs.”