Today, at around 15:00 CEST, someone reached out to me on LinkedIn asking for development help with their project.
I asked for details about the project since the initial message seemed legitimate.
She provided details, which also appeared credible; they needed help with frontend integration for a Web3 NFT game project.
I then invited her to join a call to discuss the project further and see how I could assist.
However, they refused, explaining that their HR team doesn't have time for calls but wanted to test my technical knowledge before moving forward with the interview.
She then sent me a link to a Bitbucket project, which was a simple MERN stack web app, asking me to run it on my local machine and provide an analysis of the code.
She explained that this would help them assess my technical skills with a codebase.
This was the first red flag to me because it’s weird to conduct interviews like this, so I asked her to provide online resources to learn more about her and the project.
She mentioned that she is an investor in the project and that the company is a partner.
The company she shared appears legitimate: https://www.linkedin.com/company/streym-ltd
But she does not appear among the people working on it on the LinkedIn page.
So the second red flag arose.
To be sure and reveal the scam, I decided to take a look at the code from my browser by navigating to the Bitbucket project:
https://bitbucket.org/project_blockchain/project_a_recently
This is the first rule in Cyber Security: never open or run code sent from strangers on your local devices!!