Fake Google Meet Pages Steal Sensitive User Data
Published On: October 21, 2024
A new phishing campaign dubbed ClickFix is using fake Google Meet pages to distribute infostealers, targeting both Windows and macOS users. This campaign manipulates victims by displaying fraudulent error messages, such as issues with microphones or headsets during fake Google Meet sessions. Users are tricked into following instructions to fix these non-existent issues, leading them to download and execute malware on their devices.
The attackers, part of organized cybercriminal groups such as Slavic Nation Empire and Scamquerteo, lure victims through phishing emails containing links to counterfeit Google Meet pages. These URLs closely resemble legitimate ones, with slight changes like "meet.google.us-join[.]com" or "meet.google.web-join[.]com" to deceive users. Once on these fake pages, a pop-up prompts users to run malicious PowerShell commands or download a file that infects their system.
On Windows, the malware typically installs the StealC or Rhadamanthys infostealers, while macOS users are hit with Atomic Stealer. These malware programs can steal sensitive data, such as login credentials and personal information, and even allow remote access to the infected systems. The malware can also bypass typical security measures because users are manually running the malicious code.
This attack method has expanded beyond Google Meet to target platforms like Zoom, PDF readers, and messaging apps. The ClickFix campaign is particularly concerning because it preys on the trust users place in common online tools, making detection and prevention more challenging.
Protecting yourself from ClickFix
To protect yourself from threats like the ClickFix campaign:
- Verify links: Always double-check URLs in meeting invites. Look for minor variations that may signal a fake link.
- Avoid running unfamiliar code: If prompted to fix a technical issue by copying code, stop and verify the problem through official support channels.
- Train your team: Regularly inform employees about phishing tactics to prevent accidental downloads of malware.
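
The "verify links" check can be automated for meeting invites. The following is an added example, not part of the original article: it compares the parsed hostname of a link against an allowlist and flags hosts that merely contain the Google Meet brand string, as the two lookalike domains quoted above do. The allowlist contents and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only host this organization accepts for Google Meet links.
ALLOWED_HOSTS = {"meet.google.com"}
# Brand string that the lookalike domains quoted in the article start with.
BRAND_MARKER = "meet.google"


def refang(url: str) -> str:
    """Undo the defanging used in reports ("[.]", "hxxp") so the URL parses."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def extract_host(url: str) -> str:
    """Return the lower-cased hostname, tolerating links with no scheme."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url
    # urlsplit lower-cases the hostname; drop a trailing root dot if present.
    return (urlsplit(url).hostname or "").rstrip(".")


def classify_meet_link(url: str) -> str:
    """Classify a link as 'allowed', 'lookalike' or 'other'."""
    host = extract_host(url)
    if host in ALLOWED_HOSTS:
        return "allowed"
    # The brand appears in the hostname, but the host is not the real one:
    # the trailing labels (e.g. "us-join.com") are the domain actually visited.
    if BRAND_MARKER in host:
        return "lookalike"
    return "other"


# Constructed sample links; the two lookalike hosts are the ones named above.
SAMPLES = [
    "https://meet.google.com/abc-defg-hij",
    "hxxps://meet.google.us-join[.]com/abc-defg-hij",
    "meet.google.web-join[.]com",
    "https://example.org/agenda",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_meet_link(link):9}  {link}")
```

The comparison is made on the full hostname rather than on a prefix, which is why a host that begins with "meet.google." but ends in a different domain is not accepted.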