93234c3e
Community Member

Malware Targeting Web3 Developers

Hello, fellow Web3 developers,
I'm writing this post to bring your attention to a new scam that has been targeting our developer community.
Here's how the scam typically unfolds: You receive an invite for a job from someone claiming to have a web3 project of some sort, a developer that left, and an urgency to have someone finish the project (for good compensation).
At first glance, it may seem like a legitimate opportunity. However, be cautious, as this invitation might be a cleverly disguised trap.
These scammers employ a nasty technique that targets us Web3 developers. They provide you with a link or file to a repository or a place to download their files, which is a legitimate-looking React project. As part of the usual React project installation process, you would normally run 'npm start' after installing the dependencies.

Here's where they try to scam you: The package.json file, which houses the project's configuration, has been tampered with. The scammers modify the script, embedding a malicious node command that executes a 'test.js' or 'config.js' file or another plausible-looking file that you would run as part of starting the development server. By doing so, they open a backdoor to your computer.

After reporting north of 15 of these scam clients, all using identical malware files, Upwork technical support told me they don't agree that adding a backdoor and asking developers to run it constitutes an offense worth taking action over. The same scammers have been on the platform for weeks now, posting 7-8 different jobs and farming private keys without any action taken against them.

To protect yourself and your fellow developers from falling victim to this scam, please spread the word and exercise great caution. Stay safe!
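
One way to check a received project for the tampered start script this thread describes, before running any npm command. This is an added example, not part of the original post or any poster's code: the function names (`auditScripts`, `splitCommands`, `nodeTarget`) and the sample file names other than `config.js` are assumptions, and the install-hook check goes one step beyond the chained `npm start` case reported here.

```javascript
// Added example: triage the "scripts" block of a package.json before running npm.
// Heuristic only: a finding means "open and read that file first".

// Hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall', 'prepare']);

// Split a script line into the commands joined by |, ||, &&, & or ;
function splitCommands(line) {
  return line.split(/\|\||&&|[|;&]/).map((s) => s.trim()).filter(Boolean);
}

// Return the file a direct `node <file>` command runs, or null otherwise.
function nodeTarget(command) {
  const tokens = command.split(/\s+/);
  if (!/^(node|nodejs)(\.exe)?$/.test(tokens[0])) return null;
  return tokens.slice(1).find((t) => !t.startsWith('-')) || null;
}

function auditScripts(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  const findings = [];
  for (const [name, line] of Object.entries(scripts)) {
    if (typeof line !== 'string') continue;
    const commands = splitCommands(line);
    for (const command of commands) {
      const file = nodeTarget(command);
      if (file === null) continue;
      // Pattern from this thread: a node file chained with the dev server command.
      if (commands.length > 1) findings.push({ script: name, file, reason: 'chained' });
      else if (INSTALL_HOOKS.has(name)) findings.push({ script: name, file, reason: 'install-hook' });
    }
  }
  return findings;
}

// Constructed sample; only the "start" line is taken from the thread.
const SAMPLE = JSON.stringify({
  name: 'constructed-sample',
  scripts: {
    start: 'node config.js | react-app-rewired start',
    build: 'react-app-rewired build',
    serve: 'node server.js',
    postinstall: 'node setup.js',
  },
});

for (const f of auditScripts(SAMPLE)) {
  console.log(`${f.script}: runs ${f.file} (${f.reason})`);
}
```

A clean result does not clear a project, since dependencies and the source files themselves can carry the same payload; reviewing in a disposable VM or container remains the safer default.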

32 REPLIES
e575ab0e
Community Member

Thanks, Jarmo

spectralua
Community Member

Also report it on GitHub. It is a rules violation there.

Yes, I have, but they also put it on Bitbucket, or just send it along as a .zip file.

amit-benzatine
Community Member

We also faced the same issue, they sent a zip file to download and then told us to run it on our computer.

When we sent the result of it they did not respond and they are still posting the same job again and again.

Upwork should take action against them; they are stealing our data.

Hey Amit, the same thing happened to me a few days ago. I downloaded their zip file but it was empty and I did not find anything. After that I told them, and they said it is a corrupted file and they will get back to me after fixing it. Did you find any solution, or did anything happen to your PC or mobile?

 

No, we are not sure. The developer said that the file they shared deleted something from their computer, but we are not sure what exactly happened!

Yes, the issue is they just don't do anything.
I showed the code that they make you run; it's base64-obfuscated code. I even decoded it for the Upwork technical team to show that it's designed to open up a backdoor.
Even with very little malware knowledge, you can see that this kind of coding is bad news - and yet no action is taken against the ones posting it.

 

**Edited for Community Guidelines**

yofazza
Community Member
93234c3e
Community Member

Yes, it's a ReactJS app that has an extra command in the package.json file, which executes `"node <malwarefile> | react-scripts start"`.

It actually is a working application, so upon inspection, it does not look like anything weird. Except, if you care to look, you see it executes a whole lot of trouble along with the app.


c109288b
Community Member

Thanks.

ed0c24c7
Community Member

Hey, I have run one such application, and my machine started acting weird afterwards, so I reset it. I just want to make sure what kind of attack I had fallen prey to. What kind of a backdoor are we talking about? And should I be worried about my passwords or financial details or any other thing?

yofazza
Community Member

I'll forget about it if I've done a reset(?). So many possibilities. Even with legitimate software it's possible that some glitches will appear after it reaches some circumstances, and I don't want to think about it unless it's really important for my life or my work. I'll just reset.

Of course there are dangers of passwords being logged etc. if you haven't cleaned (or reset) it. We've seen some "unexplained" "money hacked" and also "unexplained" "logged on from another device" notices, which are probably related to them having clicked one of those executables before.

ae5969c3
Community Member

I faced the same case yesterday: I received an invitation, but the client requested that I run the project locally.
I was confused about this line in the package.json: `"start": "node config.js | react-app-rewired start"`.
I went straight to the internet, did some research, and found that most people are claiming to have faced scammers in the same way.
I didn't run any of the scripts.
Any insights from Upwork about this issue?

vitally
Community Member

One of the repos: **Edited for Community Guidelines** - watch out!

vitally
Community Member

Here is another job with the same outcome: **Edited for Community Guidelines** In their repo I spotted the file that is reported above. It would be good to have some clarity, for those who accidentally did execute the script, on how to remove it or clean it up to make sure no backdoor is left open!

vitally
Community Member

Found a few posts on Reddit; someone already developed a tool to help prevent or at least scan and fix these issues if you were exposed: https://github.com/mathiscode/codebase-scanner

 

Original post is here: https://www.reddit.com/r/Upwork/comments/14nat71/scam_warning_blockchain_developer_job_postings/

4a868ca3
Community Member

I got scammed yesterday and lost thousands of dollars saved over years.

vitally
Community Member

How did it happen?

4a868ca3
Community Member

They created a very, very credible job offer requiring web3 knowledge and experience with other 3D technologies. I submitted my proposal and started talking with this guy.

He sent me some documentation / website / project details / Google Docs, and we agreed to start work (because everything seemed very professional).

He sent me an application to download in Google Docs, which should have been the game/metaverse beta of the project.

Once I unzipped it and tried to run it, nothing happened (apparently). I think the application somehow checked the browser files in order to get my private key/recovery phrase, but I am not sure about that.

This morning I checked my DeFi wallet as usual, but there were no more cryptos and NFTs; he sold and moved everything.

He deleted the Upwork account.

The payment method is verified by Upwork.

I am not sure, but if Upwork verified its users and their identities this would not happen, or at least if it happens we could track these criminals.

It is my fault, but this is frustrating for me, considering that it is the first "opportunity" I had as a freelancer.

Thank you for asking, by the way...

The suggestion I would give to web3 developers on Upwork: video call first, so you can see the person's face and compare it with the account image. If they send you an application to test or "just to see how the project is", ask them to show you in a call from their PC in order to avoid risks.

Very bad day for me today.

Hope this can help someone to avoid the same situation...

yofazza
Community Member

Clients don't usually have photos. They are not required to use photos like freelancers.

 

Education (warnings, detailed warnings, and "shoving" it to the users) is what humans should do instead of allowing these to happen again and again and blaming it on 'not adhering to the ToS'. The 'priority list' in Upwork's desk makes them "inhuman". Your "mistake" that makes you lose thousands is because you never heard of this scam before. Even if you always adhere to the ToS, this could still happen.

 

--

 

I read news about a method to empty a wallet by simply knowing its address and putting a trojan file on the victim's computer. Yes, it's probably known that some passphrase for some wallet is stored in a certain location and it will get it. This is in line with scams I read about here, where 'the client' simply asks for the freelancer's address (and tells them to run something). Have you been asked for your address as well?

4a868ca3
Community Member

Yes...

sayian
Community Member

Not just web developers but almost everybody; they even hack the account itself. I hope Upwork can resolve this issue, or at least have a department where they can address it quickly.

They now send the file through WeTransfer. What a big mistake I made clicking the file, which was like a batch file or something. Will reformatting the PC help?

4a868ca3
Community Member

Honestly this is UNACCEPTABLE. I made a mistake downloading an application, BUT I was expecting that Upwork verifies the identity of their users.
They can scam you and just delete the profile.

Does the Upwork team believe that everyone is going to read this before starting the job?

Do they think that people are going to work on a platform full of scammers? If scammers are here it is because they know they can do whatever they want.

I just want my money back.

 

vitally
Community Member

I'm very disappointed in Upwork after this incident. In my case I was lucky enough to work in a sandbox environment for a dummy task the client sent my way to scam me. After a few hours they realized that they wouldn't be able to scam me, as the task got completed and I had worked in an isolated environment. Then the client pulled out of the contract, filing for a dispute and reducing weekly hours from 40 to 0.

At first Upwork reviewed the dispute and honored the hourly protection of ~5 hours to still be paid to me for the time I'd spent. Yet just a few days later they basically decided to REVERSE that decision and cover nothing, saying "We won't cover anything" and that it's my own fault, even though my timelog was accurate with all screenshots and mouse activity and a MEMO added... what a shame! I've attached their first "careful review" that only discarded 2 screenshots at first, and a message saying I'm getting nothing. Even though I've asked multiple times to explain why it's not covered, no clear answer was provided, except that they believe it's my own fault and I should choose jobs more carefully, not accepting "what's too good to be true"... really disappointed.

 

**Edited for Community Guidelines**

yofazza
Community Member

It is strange. Perhaps 'the client' was using their own card, so they needed to change the hourly limit to 0 and tried a dispute? Or the card is actually stolen in the first place but they are pissed and want to "play you" (not much effort needed, only a few clicks). 

 

In any case, the card charge failed, either because it's a stolen card or the client themselves has initiated a chargeback. And recently, Upwork often denied the protection even in cases where it's not an obvious fraud where they will use that rubber term of "involved in a fraud" to deny protection. Why rubber? Because we may say all chargeback cases are fraud, isn't it? 

4a868ca3
Community Member

I can see the account of the scammer that scammed me out of thousands of dollars in cryptocurrencies and NFTs. I can see he still accesses it sometimes, but I cannot report him (there is no option) and I cannot try to contact him.

**Edited for Community Guidelines**

 

**Edited for Community Guidelines**

What can I do? Shame on Upwork.

 

Hi Baruch,

 

I'm sorry to hear about your experience. Could you please share more details about how the client scammed you? Please do not include any identifying information as this is against our Community Guidelines. 

 

We want to make sure we're approaching this issue the right way. We look forward to your response!


~ AJ
Upwork

Hello Annie,

 

Thank you for the interest.
I just applied to a job as a blockchain/web3 developer. After messaging with the client, he sent me a Google form to fill in, not asking for sensitive data (he asked for my DeFi wallet public address, which is fine to share and credible for starting work on a DeFi project).

Then he sent me a website which is a hub to all the channels of this project (Twitter, Discord, Medium, official website, Instagram...), to make everything credible.

Then he sent me through 'WeTransfer' an application to see the current state of development, and somehow that application was the entry point to scam me, maybe a Trojan or backdoors, I don't know.

He accessed my DeFi wallet (I saved the pass phrase on paper and never shared it), sold all my NFTs, and sent everything through a bridge to another blockchain and then of course to his own wallet.

Now, he probably used fake data to verify his payment method.

The verifications done by Upwork when clients register themselves are not enough.

If I could know his real identity I could report him to the police of his own country.

I cannot even report him in the Upwork app, as if his account is deleted, but at the same time it seems the account is still there.

The account is the one in the pictures shown before, but Upwork removed them from the message.

So not only have I lost time and spent a bit of money to apply to a fake job, I also lost more money.

That's it.

 

 

Hi Baruch,

 

Thank you for sharing these with us. I checked on this and it looks like no contract has been started with this client.

 

In general, we highly advise freelancers to not start working on a project unless a contract is started. I can also confirm that an action has already been taken on the client's account and they wouldn't be allowed to use Upwork moving forward.

 

We highly suggest reviewing our ToS, reading these tips on how to avoid questionable jobs, and this post from our Community member, Wes, about top red flags for scams for you to keep yourself safe in the marketplace. Should you also encounter any suspicious user activity again in the future, please send us a flag so the dedicated team can review it and take action as soon as possible.


~ AJ
Upwork

I got similar invitations for a DevOps Engineer role on a metaverse project. They ask you to provide the primary wallet ID and send a Google form to fill in. The scam would have been the same, but I had only $10 in the wallet, so it never proceeded to the next stage.

d1b93c78
Community Member

I am new to the site and I just got scammed, lost everything in my wallet: NFTs, tokens, everything.
