Calendar Meeting Links Used To Spread Mac Malware

Hackers targeting individuals in the cryptocurrency sector are using a sophisticated phishing scheme that begins with a malicious link on Calendly. "The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call," reports Krebs on Security. "But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems." From the report: A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers. "When the project team clicks the link, they encounter a region access restriction," SlowMist wrote. "At this point, the North Korean hackers coax the team into downloading and running a 'location-modifying' malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds."

SlowMist says the North Korean phishing scams used the "Add Custom Link" feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks. "Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion," the blog post explains. "Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code."

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group. "A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs," Kaspersky wrote of BlueNoroff in Dec. 2023.

Yawn, kind of boring...

[ls671]

Yawn, kind of boring. That's what people get to put their trust in silly apps and websites. I mean, who really needs "Calendy"? I don't anyway. OTOH, it keeps Krebs on Security busy at least. The dude is doing a pretty good job at it IMHO.

Re:

[Tablizer]

Usually MS swipes Apple ideas, but this time Apple swiped the idea of MS-Office macros, along with similar consequences.

Re:

[cstacy]

Usually MS swipes Apple ideas, but this time Apple swiped the idea of MS-Office macros, along with similar consequences.

That's not what the report sounds like.

You get phished on Telegram (nothing Apple about that), they talk to you and eventually point you to some web site (nothing Apple) where you click on a link supposedly to make an appointment of some sort, but it doesn't have anything to do with your Apple Calendar or anything else Apple. It's just brings up a web page that says: our video conference is having technical issues, please download this malware and install it. Which the idiot does, and nothing apparently hap

Re:

[ls671]

So, the hack is based on exploiting Apple users who might think they are more secure because they use Apple products? I will always remember a conversation at a Christmas party back around ~2010 with a brother in law selling and managing security cameras who told me he was using exclusively Apple products because it "can't be hacked". I guess such thinking could make Apple users more vulnerable.

Re:

[NoMoreACs]

So, the hack is based on exploiting Apple users who might think they are more secure because they use Apple products? I will always remember a conversation at a Christmas party back around ~2010 with a brother in law selling and managing security cameras who told me he was using exclusively Apple products because it "can't be hacked". I guess such thinking could make Apple users more vulnerable.

Those same techniques are successfully employed every single day against Lusers of Every. Single. Platform. since the Dawn of The World Wide Web. And you know it.

So, stop the tired Anti-Apple memes, ok?

Re:

[ls671]

So, stop the tired Anti-Apple memes, ok?

Where do you see a meme in my post?

I only own an Apple iPhone 6S right now but I have had Mac computers before. I ain't into that all one side or the other way to do things in anything I do!

I use the 6S because of OS updates directly from Apple and I have 0 apps installed.

Re:

[NoMoreACs]

So, stop the tired Anti-Apple memes, ok?

Where do you see a meme in my post?

I only own an Apple iPhone 6S right now but I have had Mac computers before. I ain't into that all one side or the other way to do things in anything I do!

I use the 6S because of OS updates directly from Apple and I have 0 apps installed.

Some of my Best Friends are Macs, honest!

[Insert Eyeroll Here]

Re:

[ACForever]

Even if a apple user gets malware the only thing at risk is their screenplay while they sit all day at Starbucks writting it..

Re:

[Plumpaquatsch]

No, it's about exploiting Apple users who think they are smarter than Apple because they are Crypto Bros, so they know they can safely run an app from an unknown source that Apple warns you about. The stupid is not in being an Apple user, it's being a Crypto Bro. Are you one by chance?

Re:

[NotEmmanuelGoldstein]

... download and install malware and then run it.

Why didn't this raise a red flag? Yes, "You have to download our conference software" is fairly common. But it's a verifiable business using brand-name software. Not some stranger demanding his home-brew run beside whatever PII the user has.

As long as the internet is dumbed-down to "click on this and it goes", there will never be security.

Re:

[cstacy]

... download and install malware and then run it.

Why didn't this raise a red flag? Yes, "You have to download our conference software" is fairly common. But it's a verifiable business using brand-name software. Not some stranger demanding his home-brew run beside whatever PII the user has.

As long as the internet is dumbed-down to "click on this and it goes", there will never be security.

Brand name verifiable business? "Calendy"? Never heard of it before now. The only exploit in the entire scenario is that Calendy lets people attach arbitrary web links to the site. The scammer created a fake company on Calendy, put up a fake appointment entry of some kind, with a link to a malicious web site entirely controlled by the scammer. The idiot user clicks on all this. Then it asks to download malware. The idiot user clicks OK. Then MacOS warns them that they are downloading malware. The idiot use

Re:

[NotEmmanuelGoldstein]

Brand name verifiable ...

One can google brand/product names ('Calendy") and file-names (malware) for more details: The reputation of the product and known-problems (IE. A virus).

... an Apple problem?

I was talking about non-Apple software. When something is labelled as a virus, the user should be asking for a second opinion.

Idiot user ...

The problem isn't the lack of diligence, it's the attitude that the user is smarter than the computer. The absence of due diligence proves that assumption is incorrect. (IE. An idiot user.)

Re:

[NoMoreACs]

Usually MS swipes Apple ideas, but this time Apple swiped the idea of MS-Office macros, along with similar consequences.

This wasn't Apple. Learn to Read.

Third Party Sketchy App Does Sketchy, Socially-Engineered Thing.

News at Eleven.

Re:

[alex211211]

Why wasn't this seen as a cause for concern? While the request to download conference software is quite common, it's typically associated with reputable companies using well-known software. However, in this case [jollibeemenuprices.com], it seems like a random individual is asking users to run their own software alongside potentially sensitive personal information. This raises significant security questions. As long as the internet remains simplified to merely "click and go", security will continue to be compromised.

Re:

[alex211211]

I'm satisfied with the dude's performance, there's nothing to worry about as well. more can be find in the details [bungeefitnessnearme.com]