Google Meet Fake Pages Used In ClickFix Hacking Campaign
As per recent reports, threat actors have now started to leverage Google Meet fake pages as part of the ClickFix hacking campaign. This cybercrime initiative is designed to deliver infostealers to targeted Windows and macOS users.
In this article, we’ll dive into the details of the cyberattack campaign and discuss mitigation measures that can help ensure protection. Let’s begin!
The Google Meet Fake Pages Campaign Uncovered
Before we dive into the details of the attack campaign, it’s mentioned that the ClickFix campaign also has other variations named ClearFake and OneDrive Pastejacking. During these campaigns threat actors deploy various mechanisms that trick users into visiting bogus pages. Providing insights about the attack, Sekoia, a French cybersecurity firm, has stated that:
“This tactic involves displaying fake error messages in web browsers to deceive users into copying and executing a given malicious PowerShell code, finally infecting their systems.”
Some of the Google Meet fake pages that have been used in attack campaigns have the following URLs:
- meet.google.us-join[.]com
- meet.googie.com-join[.]us
- meet.google.com-join[.]us
- meet.google.web-join[.]com
- meet.google.webjoining[.]com
- meet.google.cdm-join[.]us
- meet.google.us07host[.]com
Apart from using multiple Google Meet fake pages, threat actors also use different payloads on Windows and macOS devices. On Windows, StealC and Rhadamanthys Steelers are used to carry out the attacks. However, for targeted victims using macOS devices, threat actors use disk image file names “Launcher_v1.94.dmg” for deploying the atomic infostealer.
ClickFix’s Attack Tactics
The ClickFix campaign centered on the use of Google Meet fake pages is the latest wave of innovation in social engineering attacks. What makes the attacks not-worthy is the fact that the campaign requires users to manually run the malicious PowerShell code as opposed to it being automatically executed.
Such an attack tactic allows hackers to evade detection and bypass security tools since the code being executed is not flagged as a remote command. Cybersecurity experts have identified the Google Meet fake pages attackers as two traffers groups of Slavic Nation Empire, also known as Slavice Nation Land, and Scamquerteo.
It’s worth noting that both these are subteams of Markopolo and Cryptoove, respectively. Shedding light on the attack tactics, experts have stated that hackers:
“Use the same ClickFix template that impersonates Google Meet. This discovery suggests that these teams share materials, also known as ‘landing project,’ as well as infrastructure.”
The use of open-source infostealers has become a significant shift in the current cybercrime landscape. It’s critical for security experts to examine such attacks in detail and develop uncompromisable security protocols that can help ensure protection.
Conclusion
The ClickFix campaign’s use of fake Google Meet pages emphasizes the growing sophistication of social engineering attacks. As cybercriminals continue to innovate, it’s crucial for both users and organizations to stay vigilant, strengthen defenses, and adopt proactive security measures to mitigate evolving threats.
The sources for this piece include articles in The Hacker News and HelpNetSecurity.