Fake Job Scam on LinkedIn: Cybercriminals Using Video Call App to Steal Data

Cybercriminals are now exploiting job seekers by posting fake job listings on LinkedIn and other platforms. These scams are particularly targeting professionals in the Web3 and cryptocurrency space. A new report has uncovered how scammers trick individuals into downloading a malicious video calling app, GrassCall, which is used to steal sensitive data, including bank details and cryptocurrency wallet information.

How the Scam Works

A report by BleepingComputer reveals that cybercriminals, under the guise of fake companies, are setting up fraudulent job postings on LinkedIn, WellFound, and CryptoJobsList. The criminals behind this operation belong to a Russian-speaking cybercrime group known as “Crazy Evil.” A subgroup within this organization, called “Kevland,” has been orchestrating the scam.

These scammers created fake online companies like “ChainSeeker.io,” complete with a professional website and social media presence, including fabricated employee profiles. Unsuspecting job seekers, believing they were applying for legitimate roles, were invited to virtual interviews. They were then instructed to contact the company’s chief marketing officer via Telegram, where they were asked to download the GrassCall video conferencing app for the interview.

GrassCall: A Malicious Tool for Cyber Theft

Once installed, GrassCall infects both Mac and Windows devices by deploying different types of malware.

• On Windows: It installs a Remote Access Trojan (RAT) and an info-stealer called Rhadamanthys, which can access saved passwords, authentication cookies, and other sensitive files.
• On Mac: It installs Atomic Stealer (AMOS), specifically designed to extract cryptocurrency wallet details, browser passwords, and other financial information.

After successfully infecting the victim’s device, the malware scans for important data, particularly crypto-related files and login credentials. The stolen information is then used by scammers to drain cryptocurrency wallets and bank accounts.

Scam Exposed, But New Threats Could Arise

Cybersecurity researcher g0njxa reported that the scammers even shared their earnings on Telegram, showcasing how much they made from each victim. Following the exposure of the scam, CryptoJobsList has removed the fraudulent job listings, and the GrassCall website has been taken down. However, experts warn that similar scams could reappear, as cybercriminals continue to exploit the growing demand for Web3 and crypto-related jobs.

How to Protect Yourself from Job Scams

1. Verify Company Details – Research the company thoroughly before applying. Check its official website and cross-reference employee profiles on LinkedIn.
2. Be Cautious of Telegram & Unofficial Communication Channels – Legitimate companies usually don’t schedule interviews via Telegram or WhatsApp.
3. Avoid Downloading Unknown Software – Always use trusted video call platforms like Zoom, Microsoft Teams, or Google Meet for interviews.
4. Check URLs and Email Domains – Scammers often use slightly altered versions of well-known websites.
5. Use Cybersecurity Tools – Keep your devices protected with antivirus software and two-factor authentication (2FA).

As cyber scams become more sophisticated, job seekers must remain vigilant. Always double-check job listings, and never install unknown applications without verifying their legitimacy.