Hackers Avoid Google Chrome Security Features In New Attack, Researchers Warn

Forbes
Researchers uncover new ClickFix attacks that can bypass Google Chrome security (image: Getty Images)

Update, Oct. 18, 2024: This story, originally published Oct. 17, includes new comments and mitigations from security experts.

Hackers are becoming more crafty and sophisticated in avoiding the security protections Google puts in place across its products and services. One example is the latest social engineering tactic reported by the Sekoia threat detection and research team: bypassing web browser protections such as Google Safe Browsing by tricking victims into opening fake Google Meet conference pages that lead to infostealer malware being installed. The scam, named ClickFix, is currently targeting cryptocurrency assets and decentralized finance users. However, the Sekoia threat intelligence analysts have warned that “similar social engineering techniques could be employed in other malware distribution campaigns.” Here’s what we know so far.

The Phantom Meet

In a newly published report, The Phantom Meet, analysts detail the technology and tactics used by hackers who rely on fake Google Meet video conference pages to distribute infostealer malware, a cluster of attacks known as ClickFix. The report gives a chronological overview of the campaign to warn Mac and Windows users of the ongoing threat.

Rather than delivering the malware as a file the browser downloads when the victim visits a web page, the ClickFix campaign, the researchers said, relies on getting the victim to fetch and run the malware themselves. No browser download, no manual file execution, just good old-fashioned trickery to bypass those pesky browser security protections.

The ClickFix campaign (not to be confused with legitimate companies and applications of the same name, which is unfortunately confusing) has been running since September 2024. It has already, the analysts said, been adopted to “widely distribute malware.” It operates with a decoy that, the report warns, “could be particularly devastating in campaigns targeting organizations that use Google Workspace, especially Google Meet.” Whereas earlier ClickFix campaigns this year primarily used HTML files disguised as Microsoft Word documents in emails, the latest deploys fake Google Meet video conference pages to distribute infostealers, and targets both Windows and macOS systems.

Drive-By Downloads Power ClickFix Stealer Campaign

A drive-by download attack relies upon being able to tamper with an application, without it being visually obvious to the user, so as to download malware. The use of ClickFix in multiple malware distribution campaigns across recent weeks is, the Sekoia report said, “in line with the growing, ongoing trend of distributing malware through the drive-by download technique.” This is, above all else, employed to evade security scanning protections and browser security features, the researchers suggested. The Sekoia analysts have associated this ClickFix cluster impersonating Google Meet with two cybercrime groups: Slavic Nation Empire and Scamquerteo. Both are known to be sub-groups of cybercriminals in the world of cryptocurrency scams.

Pop-up error messages that instruct the victim to “press the key combination” or use “CTRL+V” are still in use and, apparently, still thriving. The attackers were often found to be suggesting issues with the microphone. This type of scam works because the errors pop up on faked Google Meet pages with plausible domain names that mimic the meet.google structure. Clicking the “Try Fix” button then initiates the malware download.
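Because the lure depends on domain names that merely resemble meet.google.com, one practical defensive check is to scan web proxy or DNS logs for hostnames that contain the Google Meet branding but do not actually belong to google.com. The following is an added example written for this article, not code from Sekoia or Google; the log format, the helper names and every hostname in it are constructed for illustration (the lookalike hosts use the reserved .example TLD and are not indicators from the report).

```python
from urllib.parse import urlparse

# Constructed proxy log lines in the form "timestamp user url" (assumed format,
# not a real log export). Only the first line points at the genuine Meet host.
SAMPLE_PROXY_LOG = """\
2024-10-17T09:01:12Z alice https://meet.google.com/abc-defg-hij
2024-10-17T09:02:45Z bob https://meet.google.com-join.example/abc-defg-hij
2024-10-17T09:03:10Z carol https://meet-google.example/fix
2024-10-17T09:04:00Z dave https://docs.google.com/document/d/1
2024-10-17T09:05:30Z erin https://join.google-meet.example/
"""

# Registrable domains that legitimately host Google Meet.
LEGITIMATE_DOMAINS = {"google.com"}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels (e.g. 'google.com').

    Assumption: a two-label public suffix model. Real deployments should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_google_meet(host: str) -> bool:
    """Loose brand match: the hostname carries both 'google' and 'meet'.

    This deliberately catches variants such as meet.google.<x>, meet-google.<x>
    and google-meet.<x>, which is the 'meet.google structure' the lures mimic.
    """
    h = host.lower()
    return "google" in h and "meet" in h


def is_lookalike(host: str) -> bool:
    """True when a host uses Meet branding but is not registered under google.com."""
    return looks_like_google_meet(host) and registrable_domain(host) not in LEGITIMATE_DOMAINS


def scan_proxy_log(log_text: str) -> list[tuple[str, str]]:
    """Return (user, host) pairs for every request to a Meet lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _timestamp, user, url = parts
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            hits.append((user, host))
    return hits


if __name__ == "__main__":
    for user, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"possible Meet lookalike visited by {user}: {host}")
```

The brand match is intentionally loose so that it favours false positives over misses; a SOC would review the flagged hosts and, for users who hit one, look for follow-on activity such as an interactive shell launched shortly after the visit.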

“Imagine joining a Google Meet, already a minute or two late, which is standard for most of us in a rush because your previous meeting ran over,” Adam Pilton, a senior cybersecurity consultant at CyberSmart, said. “You then see a problem with a button that says ‘fix it’; on the surface this button appears to be Google, who you trust, so you click to fix it and malware is deployed on your computer.” This is peak social engineering, and you should never underestimate your chances of getting fooled.

“Many people are familiar with phishing emails, but we often let our guard down when it comes to online meetings,” Javvad Malik, the lead security awareness advocate at KnowBe4, said. “This particular campaign goes a bit further, not just from a technical perspective, but from a mind-games perspective, by exploiting the trust people have in brands and their pop-up assistance.”

Mitigating The ClickFix Infostealer Threat

I have reached out to Google for advice for users on mitigating the risk of getting caught out by the ClickFix campaign, but in the meantime McAfee Labs offered the following mitigations when an earlier ClickFix campaign was doing the rounds:

McAfee Labs mitigations for ClickFix attacks (image: McAfee)

“For anybody who's reading this article and becomes aware of this information, the best thing you can do is share it with your colleagues,” Pilton advised. “Being informed of this attack and knowing that it exists will mean that we question this scenario should it arise.” It is this questioning that can provide, even if only for a few seconds, the breathing space to break the knee-jerk reaction that such scam campaigns require to succeed.

“We will likely continue to see criminals look for more creative ways to exploit people outside of the perimeter and on platforms people trust to avoid detection by automated tools,” Malik concluded, “which is why it's important to build in good frameworks where people can recognize and report any suspicious activity.”

There is no doubting that this attack is clever, Pilton said, “but it's easy to defend against if we know it exists.”