An Unusually Well-Disguised Malware Scam on Upwork: How I Almost Got Infected With a Keylogger

4,480 reads

The following is a copy of a post I made on Reddit.

Usually, I try to keep my main Reddit account separate from anything with my real name on it. But the truth is, this is something I wanted other people to know about — especially other freelancers who use Upwork to find clients.

So I’m willing to take the risk of exposing my real name. If you copy-paste some of the text into Google, you can probably find my posts. I can always make another Reddit account if this becomes an issue.

This is a post about a scam. This wasn’t the typical scam where you work and they don’t pay you. I’ve run into that one several times before. This was something different.

This was an attempt to infect people with a keylogger, for the purpose of stealing passwords.

I’d heard before that these things happen on Upwork. In fact, I applied for a job in 2016 that ended up being a phishing attempt. I recognized it right away, but it was still surprising.

Now, I was scammed before on Elance a couple of years ago. I did about $3,000 worth of work, for which I was never paid. I’ve seen that same scam pop up recurrently, but it tends to follow the same pattern.

This one was different. I documented the experience with screenshots. I decided to share this with the community because it was relatively well disguised, and I’m sure I’m not the only one who applied for this so-called “gig.”

I’m a copywriter and content writer, and this was a writing gig. However, I’m sure that similar scams are probably targeting other professions as well.

Here’s what happened.

I’ve been using Upwork here and there to find new clients. I’m quite selective about which gigs I apply for, and I don’t bother with anything below a certain rate. $5 for 1,000 words? Hahahaha, no.

So anyway, this gig came up in my feed with an unusually good pay rate. $100–120 for an article around 1,000–1,200 words is actually pretty standard in general, but it’s rare to find anything that decent on Upwork.

By the time I applied, the gig had been up for all of 45 minutes and already had 20–50 proposals. However, due to the decent pay rate and promise of regular work, I figured I’d throw my hat in the ring anyway. I’m aware that clients get quite a few proposals in broken English from people who are wholly unqualified for the position, so I figured that some of those proposals were probably a no-go.

Here are some screenshots of the gig.

This is a pretty standard description for an Upwork writing gig.

As you can see, they got quite a few takers.

As you can see, they’re new to Upwork, and their payment method was unverified. This can sometimes be a red flag, so I made note of this. However, worst case scenario was that the gig wasn’t legit, so I gave it a try anyhow. It did not follow the recurring pattern of the scams I’ve encountered in the past.

I was chosen for an interview, and provided with a Skype ID to add to my contacts so that they could talk to me about the project. Cool.

I added “Judith” on Skype and reached out.

At this point, they sent me a .zip with their project guidelines.

There were two files. One was a PDF titled “Formatting for All Content.” That file worked fine. It detailed the formatting requirements, which were pretty straightforward.

The second file was titled “Payment Terms,” but was showing as a shortcut, not a file. Clicking it did nothing.

Naturally, I let them know that they’d accidentally sent me a shortcut to the document, not a copy of the actual document itself.

If you’re tech-savvy, you’re probably thinking, “Aww, HELL naw.” I, however, am not particularly technical, so I didn’t realize at first what was going on here. I honestly thought they’d accidentally put a shortcut to the document into the .zip folder.

Figuring that the shortcut file had been a mistake, I asked if they could resend the file.

It was still showing as a shortcut, not a file. Helpfully, I took screenshots to show them.

They responded as follows:

As you can see, I asked if they’d just send me the file directly. I’ve sent tons of PDFs, image files, and MS Word documents via Skype, so I knew it was possible to do so easily.

I realize it was dumb of me to try to disable Malwarebytes, but fortunately, the file still refused to open. However, to my knowledge, that doesn’t mean a keylogger wasn’t installed.

Now, this is where I started getting suspicious. There’s no way a PDF or Microsoft Word document with payment terms would be too large to send via Skype.

Previously, I’d assumed some kind of technological incompetence. This person was presumably an editor of some kind, not someone in a technological role. And it’s pretty surprising how tech illiterate some people can be. A brief examination of /r/talesfromtechsupport illustrates this phenomenon.

But at this point, I started to suspect that something was probably fishy here.

They offered to try sending the file yet again.

It still didn’t work.

After going into “Properties” and seeing that weird-ass file path, I was definitely suspecting some kind of malware infection attempt. I had heard that such things do happen on Upwork, but had never experienced it myself.

Again, if you’re tech-savvy, you’re shaking your head right now. Please pardon my ignorance at the time. I didn’t realize what that file path really meant until later.

It was at this point that I decided to use one of my usual scam detection strategies. I went to the user’s Skype profile and took a screenshot of their profile image. Then, I did a reverse image search.

The stolen profile picture the scammer was using.

The reverse image search results.

The reverse image search revealed multiple search results indicating that the photo belonged to Julia McCoy, a professional writer and the CEO of a copywriting agency called ExpressWriters.

After examining that particular agency’s Pricing page, it was clear that this gig couldn’t possibly be for that company. The prices wouldn’t make sense, based on what they’re charging their clients.

I sent one further message.

Naturally, they didn’t respond back.

My SO googled the file path, and realized it was a shady program. I was then informed by several Reddit commenters that they’d fallen victim to the same scam, and that it had installed a keylogger. Some of them had had money stolen from their Paypal accounts, or had had their Gmail account stolen.

Alarmed, I cleared my browser history immediately, which contained saved passwords. I was sure not to log into Gmail, Upwork, Paypal, or anything else important.

I reached out to a good friend of mine who works in IT. He advised me to go ahead and do a full factory reset on my laptop.

I did so, and changed all of my passwords from a different device.

As of now, I seem to have made it out intact. I got very lucky.

The reason I decided to share this was that up until partway through the Skype conversation, everything seemed like it could very well be legitimate.

Scams are getting less obvious, apparently. Always be careful with Upwork clients. Make sure you know who you’re working for, and don’t be afraid to ask them for a company name, a LinkedIn profile, or anything else to show you that they’re a legitimate person or agency.

I was able to take action quickly enough to prevent myself from being victimized. Others weren’t so lucky. It’s scary how clever scammers can be with their social engineering, and how many of them are lurking in places where you wouldn’t expect that kind of thing.

Tags