Cyber criminals have been using a deceptive technique known as ClickFix to target users of the Google Meet video communication service, infecting them with information-stealing malware. This tactic bypasses web browser security features and tricks users into downloading and running malware on their machines without their knowledge.
The ClickFix tactic has become increasingly popular among threat actors, posing a significant threat to both consumers and enterprises. Users typically land on compromised websites through phishing emails or search engine links, where they encounter fake browser alerts prompting them to click a “Fix It” button to resolve an issue. However, clicking the button executes malicious code that installs malware on their systems without their knowledge.
Since February 2024, cybersecurity companies like Sekoia have identified multiple malware delivery campaigns using the ClickFix tactic. These campaigns target users of Google Meet, GitHub, companies in the transportation and logistics sector, and individuals seeking video streaming services through Google, among others. The deceptive alerts and verification requests are tailored to lure unsuspecting users into downloading malware.
Sekoia analysts have linked the ClickFix cluster impersonating Google Meet to cybercrime groups associated with cryptocurrency scams. These groups, known as “Marko Polo” and “CryptoLove,” operate within the Russian-speaking cybercrime ecosystem. The malware distributed by these groups includes StealC and Rhadamanthys for Windows users, and the AMOS stealer for macOS users. Upon infection, messages are sent to Telegram bots to track compromised devices.
Both cybercrime groups utilize the same ClickFix template impersonating Google Meet, indicating potential collaboration and shared resources. Analysis of the malware distribution infrastructure suggests that attackers may also target users interested in games, PDF readers, Web3 browsers, messaging apps, and even the Zoom video conferencing app.
Overall, the ClickFix tactic represents a sophisticated method employed by cyber criminals to deceive users and spread malware effectively. As threat actors continue to evolve their tactics, it is crucial for individuals and organizations to stay vigilant and implement robust cybersecurity measures to protect against such malicious attacks.
