
North Korean hackers are stealing passwords and data using fake Zoom calls

The decoy Zoom infects the victim’s laptop with shady, info-nabbing software (Picture: Getty/Metro)

North Korean criminals are using phoney Zoom calls to steal people’s personal data, Microsoft has told Metro.

The cyber-crooks, called Sapphire Sleet, target Apple computer users and gain a user’s trust by pretending to be a job recruiter on LinkedIn.

They even create fake companies, job ads, and social media content to make the scam look like a real hiring attempt.

This scheme, called social engineering, sees the ‘recruiter’ reach out to unsuspecting financial professionals with a job – often with a big salary.

But when they ask the victim to hop on Zoom for a job interview, no one will be on the other side to greet them.

Instead, joining the call infects the person’s MacBook or iMac with malware, shady software that allows Sapphire Sleet to take personal data.

How the breach works (Picture: Microsoft)

Microsoft says that the scam is less about targeting the victim specifically.

‘The actor is likely simply conducting espionage or opportunistic data collection from any successfully compromised system,’ the tech giant says.

‘Personal data may not even matter in that context.’

(By ‘actor’, Microsoft doesn’t mean the Hollywood kind. An actor, also called a threat actor, is the entity that carries out a security breach – it might not even have any real hacking skills.)

What data are they stealing?

  • Telegram messaging data
  • browser data
  • macOS keychain
  • cryptocurrency wallets
  • Apple Notes
  • system logs
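The list above is, from a defender’s side, a set of file locations worth watching. The following script is an added example, not code from Metro, Microsoft or Apple: it takes file-access events of the kind an endpoint agent can export (process name plus path), flags reads of those data stores by processes that are not their normal owner, and then ranks processes that touch several categories at once, since broad collection rather than one-off access is the behaviour described in the article. The paths, the expected-owner mapping, the home directory and the sample events are all constructed assumptions for illustration, not a vendor’s detection rules.

```python
"""Flag reads of sensitive macOS user data by unexpected processes.

Added example (not from the article, Microsoft or Apple). The rule set,
the home directory and the sample events below are constructed
assumptions for illustration; a real deployment would take events from
an endpoint agent and maintain its own path/owner mapping.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class Rule:
    category: str         # data category as named in the article
    pattern: str          # glob over the path relative to the user's home
    expected: frozenset   # process names that normally own this data


# Illustrative rules; Telegram and wallet locations are assumed layouts.
RULES = [
    Rule("macOS keychain", "Library/Keychains/*",
         frozenset({"securityd", "Keychain Access"})),
    Rule("Apple Notes", "Library/Group Containers/group.com.apple.notes/*",
         frozenset({"Notes"})),
    Rule("browser data", "Library/Application Support/Google/Chrome/*/Login Data*",
         frozenset({"Google Chrome"})),
    Rule("browser data", "Library/Application Support/Google/Chrome/*/Cookies*",
         frozenset({"Google Chrome"})),
    Rule("Telegram data", "Library/Group Containers/*Telegram*/*",   # assumed path
         frozenset({"Telegram"})),
    Rule("cryptocurrency wallet", "Library/Application Support/Exodus/*",  # assumed path
         frozenset({"Exodus"})),
]


def flag_accesses(events, home="/Users/victim"):
    """Return (process, category, path) for each access to a sensitive
    store by a process that is not on that store's expected list.

    events: iterable of (process_name, absolute_path) tuples.
    """
    findings = []
    for proc, path in events:
        if not path.startswith(home + "/"):
            continue                      # only user-home data is modelled here
        rel = path[len(home) + 1:]
        for rule in RULES:
            # fnmatch's '*' matches across '/' so one glob covers sub-profiles
            if fnmatch.fnmatch(rel, rule.pattern) and proc not in rule.expected:
                findings.append((proc, rule.category, path))
                break                     # one finding per event is enough
    return findings


def rank_processes(findings, min_categories=2):
    """Group findings by process; a process reading several distinct data
    categories in one session looks like collection, not one-off use."""
    by_proc = {}
    for proc, category, _ in findings:
        by_proc.setdefault(proc, set()).add(category)
    ranked = [(p, sorted(c)) for p, c in by_proc.items() if len(c) >= min_categories]
    return sorted(ranked, key=lambda item: -len(item[1]))


# Constructed sample events: legitimate owners plus one unknown process
# ("zoom_update" is an invented name) reading three stores in a row.
SAMPLE_EVENTS = [
    ("Google Chrome", "/Users/victim/Library/Application Support/Google/Chrome/Default/Login Data"),
    ("securityd", "/Users/victim/Library/Keychains/login.keychain-db"),
    ("zoom_update", "/Users/victim/Library/Keychains/login.keychain-db"),
    ("zoom_update", "/Users/victim/Library/Application Support/Google/Chrome/Default/Cookies"),
    ("zoom_update", "/Users/victim/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"),
    ("Notes", "/Users/victim/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite"),
    ("Finder", "/Users/victim/Documents/cv.pdf"),
]


if __name__ == "__main__":
    found = flag_accesses(SAMPLE_EVENTS)
    for proc, category, path in found:
        print(f"{proc}: {category} <- {path}")
    for proc, categories in rank_processes(found):
        print(f"{proc} touched {len(categories)} categories: {', '.join(categories)}")
```

Run as-is it reports the three accesses by the unknown process and ranks it as the only process touching two or more categories; the legitimate owners and the unrelated Finder read produce nothing. The allowlist per store matters more than the path list: a stealer reading a keychain file is only visible when the rule knows which processes are supposed to.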

Microsoft said in a blog post that it reached out to Apple, which added ‘platform-level protections’ to help detect and block the malware.

The updates were sent out automatically, meaning users need not update manually.

Microsoft wrote: ‘We thank the Apple security team for their collaboration in addressing this activity and encourage macOS users to keep their devices up to date with the latest security protections.’

When approached for comment, Zoom directed Metro to its Zoom Safety Center and Zoom Trust Center, which detail the video conference app’s privacy and security tools.

What is Sapphire Sleet?

Sapphire Sleet, also called APT38, is a ‘state-sponsored threat actor’, meaning it is either directly employed by a government or indirectly funded by one.

APT38 criminals work almost like spies, experts say, spending weeks carrying out reconnaissance before making their move.

They’ve targeted banks, casinos and cryptocurrency exchanges across 38 countries since 2014, according to the MITRE ATT&CK threat actor knowledge base.

Members of the shadowy syndicate stole nearly £60 million from Bangladesh’s central bank in 2016.

They’re affiliated with the Lazarus Group, an infamous North Korean cyber-gang responsible for the 2014 hack on Sony Pictures, which saw employee emails and unreleased films stolen.

The group consists of North Korean state-sponsored threat actors (Picture: AFP)

‘As organisations improve technical controls to protect against cyberattacks, actors often return to a consistent point of weakness for any organisation – the humans,’ Microsoft says.

‘Many of the traditional social engineering techniques have remained surprisingly effective (phishing emails, helpdesk calls, fake login pages) and increasingly more complex.’

These more complex cyber-scams include ClickFix, which sees users click on a fake pop-up on a webpage that then installs malware.

‘Adversary-in-the-Middle’ attacks, meanwhile, are among the most dangerous phishing techniques in a scammer’s playbook.

They see attackers essentially eavesdrop on a victim while they’re using a web application to steal passwords or credit card information.


Cybercriminals do this by exploiting security holes in tech like Wi-Fi hotspots to get a peek at the victim’s traffic, or by tricking them into clicking a shady link.

‘These actors aren’t looking for one specific piece of data. They’re looking for access,’ Microsoft adds.

‘Once they’re in, they take as much as they can and sort out how to use it later.’

As complex and sophisticated as these attacks sound, Microsoft says they work because they look, well, routine and boring.

No one will think twice about the job listing a recruiter has sent them, especially if it doesn’t even look suspicious.

‘At the end of the day, this is about scale,’ Microsoft adds.

‘If a technique works even a small percentage of the time, actors will keep using it and refining it until it works better.’
