A new job-interview scam targeting macOS and Windows

A new sophisticated malware campaign is targeting job seekers, exploiting their desire to secure employment by requiring them to install malicious software disguised as interview software. This scam is particularly concerning as it specifically targets both macOS and Windows users, using social engineering tactics to bypass security measures.

How the scam works

The scam follows a carefully crafted sequence:

1. Job seekers receive an interview invitation from what appears to be a legitimate company
2. Right before the interview, they're informed that the it will be conducted through a specific application
3. When trying to download the app, they're redirected to a registration process
4. After registration, they receive a "synchronization code"
5. Upon downloading and running the installer, users are presented with a script
6. The script asks users to drag it to the terminal for execution

What makes this scam particularly dangerous is its psychological manipulation - creating a sense of urgency and legitimacy around a job opportunity, making victims more likely to bypass their usual security precautions.

Technical analysis of the malware

Let's examine how this malware operates, using a real example I recently analyzed (example domain: talkon.app/connect - do not visit this link as it's malicious).

The malicious script uses several deceptive techniques:

# Example of the malicious script structure (DO NOT EXECUTE):
encoded_string1="[base64 data]"
encoded_string2="[base64 data]"
encoded_string3="[base64 data]"

combined=$(echo "$encoded_string1$encoded_string2$encoded_string3" | base64 -d)
eval "$combined"

When decoded, the script reveals several concerning behaviors:

1. Hidden code execution: Uses base64 encoding to obscure its true purpose
2. Stealth operations: Works with hidden files (prefixed with '.')
3. External code: Executes code from an external volume named "TalkOn_Setup"
4. System manipulation: Copies files to system directories and modifies permissions
5. Error suppression: Minimizes error messages to avoid detection

When trying to access from an iOS device, the malware will show that the OS is not supported.

Red flags to watch for

When job hunting, be wary of these warning signs:

1. Required software installation: Legitimate companies typically use well-known platforms like Zoom, Teams, or Google Meet
2. Unusual download process: Multiple steps, registration requirements, and synchronization codes are suspicious
3. Terminal commands: No legitimate interview software should require terminal access
4. Pressure tactics: Urgency to install before the interview is a manipulation tactic
5. Limited platform availability: Claiming the software only works on specific platforms

How to protect yourself

Follow these guidelines to stay safe:

1. Research the Company: Verify the company and recruiter through official channels
2. Use Known Platforms: Stick to widely recognized video conferencing tools
3. Never Run Scripts: Legitimate software doesn't require terminal script execution
4. Trust Your Instincts: If something feels off about the interview process, it probably is
5. Report Incidents: Report suspicious job listings to the platform where you found them

What to do if you've been affected

If you've already interacted with this type of malware:

<del>BURN IT WITH FIRE!</del>

1. Disconnect from the internet immediately
2. Boot your computer in safe mode
3. Run a full system scan with reputable antivirus software
4. Monitor your accounts for suspicious activity
5. Report the incident to:
   1. Your local cybercrime unit
   2. The job platform where you found the listing
   3. The real company being impersonated (if applicable)

Stay alert

The best defense against such scams is awareness and vigilance. Keep these points in mind:

• No legitimate company conducts hiring through WhatsApp or Telegram
• Legitimate companies don't require custom software for interviews
• Be extremely cautious of any software requiring terminal access
• When in doubt, request a phone call or use a mainstream platform
• Keep your operating system and security software updated
• Share this information with other job seekers to help protect them

Control your network activity

For additional system protection, it's recommended to use firewall software that controls which programs can connect to the internet. Here are some examples:

• For macOS:
  • Free: LuLu
  • Paid: Little Snitch
• For Windows:
  • Free: GlassWire
  • Paid: ZoneAlarm

Using such tools will help you monitor network activity and protect your system from unauthorized connections.

Remember: No job opportunity is worth compromising your system security. If an interview process seems unusually complicated or requires suspicious software installation, it's better to walk away than risk your digital security.