URL: https://www.esecurityplanet.com/trends/google-meet-invites-lure-users-into-malware-scam/
DECEPTIVE GOOGLE MEET INVITES LURE USERS INTO MALWARE SCAMS

Sunny Yadav

October 22, 2024

The reliance on virtual meetings has skyrocketed after the pandemic, making
platforms like Google Meet and Zoom integral to our daily personal and
professional communication. However, this surge in usage has also opened the
door to a growing array of cybersecurity threats. One of the most concerning
tactics currently on the rise is the ClickFix campaign — a sophisticated
phishing scheme targeting unsuspecting Google Meet users.

These malware scams lure individuals with fake conference invitations designed
to mimic legitimate meeting requests and exploit users’ trust. By understanding
how these ClickFix campaigns operate and recognizing their warning signs, you
can protect yourself and your organization from falling victim to this
increasingly prevalent threat.


WHAT ARE CLICKFIX CAMPAIGNS?

ClickFix campaigns represent a new wave of phishing tactics that emerged in May
2024, aimed at exploiting users of popular software applications. Initially,
these campaigns focused on impersonating errors related to well-known programs
like Google Chrome, Microsoft Word, and OneDrive.

Cybercriminals employ social engineering techniques to trick you into believing
you must resolve fictitious technical issues. By disguising their malicious
intents as urgent fixes, these attackers have found a way to deceive even the
most cautious users.

The hallmark of ClickFix campaigns is their clever use of social engineering.

 * Scammers craft messages that appear to originate from legitimate sources,
   often claiming that you need to address critical errors in your
   applications.
 * These messages can range from vague prompts to elaborate narratives about
   connectivity issues or software failures.
 * You are then guided to execute PowerShell code designed to “fix” the supposed
   problem, unwittingly allowing malware to infiltrate your system.


THE ANATOMY OF A CLICKFIX ATTACK

The ClickFix campaign takes advantage of the wide adoption of Google Meet,
sending fake meeting invitations that closely resemble legitimate Google Meet
links. These fraudulent invitations often appear to come from trusted sources,
enticing users with promises of important work meetings or conferences.

You may encounter URLs that look almost identical to official Google Meet links.

This careful replication of legitimate URLs is a key tactic scammers use to
lower users’ defenses, making them more likely to click without verifying the
source.
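A defender can screen invitation links for this pattern before users see them. The sketch below is an added example, not code from the article or from any vendor: it refangs a defanged link, extracts the hostname, and flags hosts that borrow the Google Meet name without being the real host. The allow-list, the function names, and the sample hosts (built on the reserved `.example` names) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption for this example: genuine join links use exactly this host.
ALLOWED_HOSTS = {"meet.google.com"}
BRAND = "google"


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.]) so the value can be parsed."""
    s = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def hostname(indicator: str) -> str:
    """Return the lower-cased host of a URL or bare host, or '' if unparseable."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare host as the netloc
    try:
        return (urlsplit(s).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def classify(indicator: str) -> tuple[str, list[str]]:
    """Return ('allowed' | 'lookalike' | 'other' | 'unparseable', reasons)."""
    host = hostname(indicator)
    if not host:
        return "unparseable", []
    if host in ALLOWED_HOSTS:
        return "allowed", []
    reasons = []
    if host.startswith("meet." + BRAND + "."):
        reasons.append("brand name used as a subdomain prefix of another domain")
    for label in host.split("."):
        if label != BRAND and within_one_edit(label, BRAND):
            reasons.append(f"label '{label}' is one edit away from '{BRAND}'")
        if label.startswith(("com-", "net-", "org-")):
            reasons.append(f"label '{label}' imitates a TLD boundary")
    return ("lookalike" if reasons else "other"), reasons


if __name__ == "__main__":
    # Constructed sample links; none of these are real indicators.
    for link in ["https://meet.google.com/abc-defg-hij",
                 "hxxps://meet[.]google[.]com-join[.]example/abc-defg-hij",
                 "meet[.]googie[.]example",
                 "https://calendar.example.org/invite"]:
        print(link, "->", classify(link))
```

An exact-host allow-list is deliberately strict: any host other than the expected one is never reported as allowed, and the reasons list tells an analyst why a link was flagged.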


THE INFECTION PROCESS

Once you click on the fraudulent link, you are directed to a fake Google Meet
page, where you may be greeted with a pop-up message claiming there is a
technical issue — often related to your microphone or headset. 

When you click on the “Try Fix” button, you are guided through a deceptive
process involving copying a piece of PowerShell code. The code is presented as a
necessary step to resolve the supposed issue, but instead, it opens the door for
malware installation. By pasting the code into the Windows Command Prompt, you
unknowingly execute commands that download malicious software onto your system.


TYPES OF MALWARE DELIVERED

The ClickFix campaigns are not just a nuisance; they can lead to severe security
breaches. The malware deployed through these attacks includes a variety of
malicious software, such as:

 * DarkGate: A versatile remote access trojan (RAT) that allows attackers to
   gain control of infected systems.
 * AMOS stealer: Specifically targets macOS systems, stealing sensitive data and
   credentials.
 * Lumma stealer: Designed to harvest personal information and sensitive data
   from infected devices.
 * Matanbuchus and XMRig: Used for cryptocurrency mining, these malware strains
   can slow down systems while surreptitiously utilizing computing resources.


RECENT TRENDS AND EVOLUTION

Recent reports from cybersecurity firms, including McAfee and Sekoia, indicate a
significant uptick in ClickFix campaigns, particularly in regions like the
United States and Japan. The convenience of digital communication and the
increased volume of meetings have made it easier for phishing attempts to slip
through the cracks.

 * Cybercriminals are not resting on their laurels; they are continuously
   adapting their strategies to remain effective. 
 * The ClickFix campaigns have diversified their tactics, expanding beyond
   Google Meet to include other platforms like Zoom, and targeting users of
   various popular applications and services.
 * Recent campaigns have been reported to involve phishing emails targeting
   transport and logistics firms, showcasing the attackers’ efforts to tailor
   their approaches to different industries.

Additionally, two notable threat actor groups — Slavic Nation Empire (SNE) and
Scamquerteo — have been linked to these campaigns. These groups are considered
sub-teams of larger cryptocurrency scam networks, highlighting the organized and
systematic nature of these phishing attacks.


PROTECTING YOURSELF FROM CLICKFIX ATTACKS

Awareness is the first line of defense against phishing scams like ClickFix.
Here are some tips to help you identify potential phishing attempts:

 * Scrutinize email addresses: Always check the sender’s email address for
   inconsistencies. Legitimate organizations typically use official domains. If
   something looks off, it’s worth investigating further.
 * Examine links carefully: Hover over links to reveal the actual URL before
   clicking. Avoid clicking if the link seems suspicious or does not match the
   expected domain (e.g., a slight misspelling).
 * Look for red flags: Pay attention to urgent language or unusual requests,
   such as prompting you to resolve technical issues or execute commands.
   Legitimate companies rarely ask users to run scripts or share sensitive
   information via email.


IMPLEMENTING SECURITY MEASURES

Taking proactive steps can significantly reduce your risk of falling victim to
ClickFix attacks:

 * Use updated security software: Ensure your antivirus and anti-malware
   programs are up-to-date. These tools can help detect and block malicious
   activities before they compromise your system.
 * Enable multi-factor authentication (MFA): Implementing MFA adds a layer of
   security to your accounts. Even if your credentials are compromised,
   attackers will face an extra hurdle in accessing your accounts.
 * Regularly back up your data: Frequent backups can safeguard your information
   against ransomware attacks and malware infections. In the event of an attack,
   you can restore your system without losing critical files.


BEST PRACTICES FOR VIRTUAL MEETINGS

To ensure a safer virtual meeting experience, follow these best practices:

 * Verify meeting invitations: Only use links from trusted sources or known
   contacts. If you receive a meeting invitation unexpectedly, confirm it with
   the sender through a different communication method before joining.
 * Adjust security settings: Use the security features provided by your video
   conferencing platform. Options like waiting rooms and password-protected
   meetings can help prevent unauthorized access.
 * Educate your team: If you’re part of an organization, conduct regular
   cybersecurity training sessions to keep employees informed about the latest
   phishing tactics and encourage a culture of cybersecurity awareness.

Protect yourself by choosing a reliable anti-malware solution that fits your
needs. Investing in quality anti-malware can provide essential safeguards
against these types of threats and help keep your devices secure.

Sunny Yadav
Sunny is a contributing writer for eSecurity Planet with a bachelor’s degree in
technology and years of experience writing for reputed cybersecurity
publications. He mostly writes about cyberattacks, cryptography, data
protection, and threats and vulnerabilities. Sunny also covers security policies
and governance along with endpoint and mobile security. When he’s not burning
the midnight oil, you can find Sunny cleaning his house, shopping for things he
doesn’t need, or harassing his friends to read The Wheel of Time.



