Researchers uncover new ClickFix attacks that can bypass Google Chrome security
Hackers are becoming more crafty and sophisticated to avoid getting caught by the security protections Google puts in place across its products and services. One example is the latest social engineering tactic reported by the Sekoia threat detection and research team: bypassing web browser protections such as Google Safe Browsing by tricking victims into opening fake Google Meet conference pages that install infostealer malware. The scam, named as ClickFix, is currently targeting cryptocurrency assets and decentralized finance users. However, the Sekoia threat intelligence analysts have warned that “similar social engineering techniques could be employed in other malware distribution campaigns.” Here’s what we know so far.
The Phantom Meet
In a newly published report, The Phantom Meet, detailing the technology and tactics used by hackers using fake Google Meet video conference pages to distribute infostealer malware, a cluster of attacks known as ClickFix, analysts have taken a chronological overview of the campaign to warn Mac and Windows users of the ongoing threat.
Rather than deploy the malware distribution execution by way of visiting a web page from your browser, the ClickFix campaign, the researchers said, relies upon getting the victim to download and run malware directly. No browser download, no manual file execution, just good old-fashioned trickery to bypass those pesky browser security protections.
The ClickFix campaign, not to be confused with legitimate companies and applications of the same name, which is unfortunately confusing, has been running since September 2024. It has already, the analysts said, been adopted to “widely distribute malware.” It operates with a decoy that, it is warned, “could be particularly devastating in campaigns targeting organizations that use Google Workspace, especially Google Meet.” Whereas earlier ClickFox campaigns this year primarily used HTML files disguised as Microsoft Word documents in emails, the latest is deploying fake Google Meet video conference pages to distribute infostealers, and targeting both Windows and macOS systems.
Drive-By Downloads Power ClickFix Stealer Campaign
A drive-by download attack relies upon being able to tamper with an application, without it being visually obvious to the user, so as to download malware. The use of ClickFix in multiple malware distribution campaigns across recent weeks is, the Sekoia report said, “in line with the growing, ongoing trend of distributing malware through the drive-by download technique.” This is, above all else, employed so as to evade security scanning protections and browser security features, the researchers suggested. The Sekoia analysts have associated this ClickFix cluster impersonating Google Meet with two cybercrime groups: Slavic Nation Empire and Scamquerteo. Both are known to be sub-groups of cybercriminals in the world of cryptocurrency scams.
Using phrases such as “press the key combination” or “CTRL+V” pop-up error messages, yes, such tactics are still used, and apparently, they are still thriving. The attackers were often found to be suggesting issues concerning the microphone. This type of scam can be fallen for because the errors that pop up are on faked Google Meet pages with plausible domain names leveraging a meet.google structure. Clicking on the “Try Fix” button would then result in the malware download being initiated.
Mitigating The ClickFix Infostealer Threat
I have reached out to Google for advice to users in mitigating the risk of getting caught out by the ClickFix campaign, but in the meantime McAfee Labs offered the following mitigations when an earlier ClickFix campaign was doing the rounds:
McAfee Labs mitigations for ClickFix attacks
