Fake Google Meet pages deliver info thieves

Users of the Google Meet video communication service have been targeted by cyber crooks who use the ClickFix tactic to infect them with information-stealing malware.

Fake Google Meet video conferencing page with malicious ClickFix pop-up (Source: Sekoia)

“The ClickFix tactic tricks users into downloading and running malware on their machines without involving a web browser for download or requiring manual file execution,” Sekoia researchers explained.

“It makes it possible to bypass web browser security features, such as Google Safe Browsing, and to appear less suspicious to unsuspecting corporate and individual users.”

The ClickFix tactic

The ClickFix tactic is gaining popularity among many other threat actors and poses a serious danger to both consumers and businesses. Users usually land on the compromised websites by following links from phishing emails or from search engines, and if they are not aware of this particular trick, they are likely to get infected.

This social engineering tactic has been named by Proofpoint researchers, who flagged it as being used via compromised websites that display fake browser alerts.

The warnings typically tell users that the web page or document cannot be displayed properly by the browser and prompt them to click a “Fix it” button and follow the outlined steps, which result in the user unknowingly copying and executing malicious code that installs malware.

Since February 2024, Sekoia and other cybersecurity companies have flagged a series of malware delivery campaigns that use the same social engineering tactics. Sometimes the call to action is “Solve the problem”, other times it’s “Prove you’re human” (on fake CAPTCHA pages).

The fake alerts and confirmation requests have been “parked” on compromised websites and Facebook pages, customized to target Google Meet users, GitHub users, companies in the transport and logistics sector, users looking for video streaming services via Google, and others.

Lures may differ

Sekoia analysts managed to associate the ClickFix cluster that imitates Google Meet with two cybercrime groups linked to the cryptocurrency fraud teams “Marko Polo” and “CryptoLove”, which are part of the Russian-speaking cybercrime ecosystem.

The script that users unwittingly run delivers the StealC and Rhadamanthys stealers to Windows users and the AMOS stealer to those using macOS. When a user is infected, a message is sent to Telegram bots so the crooks can track compromises.

Sekoia researchers say both groups use the same ClickFix template that mimics Google Meet, indicating they share materials and infrastructure (which is likely managed by a third party).

An analysis of the malware distribution infrastructure shows that the attackers may also be targeting users looking for games, PDF readers, Web3 browsers and messaging apps, as well as users of the Zoom video conferencing app.
