www.esecurityplanet.com
2a04:4e42:200::347
Public Scan
URL:
https://www.esecurityplanet.com/trends/google-meet-invites-lure-users-into-malware-scam/
Submission Tags: @nominet_threat_intel feedly-filtered-v1.0 reference_article_link confidence_null cluster_47842352 Search All
Submission: On October 24 via api from GB — Scanned from GB
Text Content
DECEPTIVE GOOGLE MEET INVITES LURE USERS INTO MALWARE SCAMS

Sunny Yadav
October 22, 2024

The reliance on virtual meetings has skyrocketed after the pandemic, making platforms like Google Meet and Zoom integral to our daily personal and professional communication.
However, this surge in usage has also opened the door to a growing array of cybersecurity threats. One of the most concerning tactics currently on the rise is the ClickFix campaign — a sophisticated phishing scheme targeting unsuspecting Google Meet users.

These malware scams lure individuals with fake conference invitations designed to mimic legitimate meeting requests and exploit users’ trust. By understanding how these ClickFix campaigns operate and recognizing their warning signs, you can protect yourself and your organization from falling victim to this increasingly prevalent threat.

WHAT ARE CLICKFIX CAMPAIGNS?

ClickFix campaigns represent a new wave of phishing tactics that emerged in May 2024, aimed at exploiting users of popular software applications. Initially, these campaigns focused on impersonating errors related to well-known programs like Google Chrome, Microsoft Word, and OneDrive.

Cybercriminals employ social engineering techniques to trick you into believing you must resolve fictitious technical issues. By disguising their malicious intent as urgent fixes, these attackers have found a way to deceive even the most cautious users.

The hallmark of ClickFix campaigns is their clever use of social engineering.

* Scammers craft messages that appear to originate from legitimate sources, often claiming that you need to address critical errors in your applications.
* These messages can range from vague prompts to elaborate narratives about connectivity issues or software failures.
* You are then guided to execute PowerShell code designed to “fix” the supposed problem, unwittingly allowing malware to infiltrate your system.

THE ANATOMY OF A CLICKFIX ATTACK

The ClickFix campaign takes advantage of the wide adoption of Google Meet, sending fake meeting invitations that closely resemble legitimate Google Meet links.
These fraudulent invitations often appear to come from trusted sources, enticing users with promises of important work meetings or conferences. You may encounter URLs that look almost identical to official Google Meet links, such as:

* meet[.]google[.]us-join[.]com
* meet[.]googie[.]com-join[.]us
* meet[.]google[.]com-join[.]us
* meet[.]google[.]web-join[.]com
* meet[.]google[.]webjoining[.]com
* meet[.]google[.]cdm-join[.]us
* meet[.]google[.]us07host[.]com
* Googiedrivers[.]com
* hxxps://meet[.]google[.]com-join[.]us/wmq-qcdn-orj
* hxxps://meet[.]google[.]us-join[.]com/ywk-batf-sfh
* hxxps://meet[.]google[.]us07host[.]com/coc-btru-ays
* hxxps://meet[.]google[.]webjoining[.]com/exw-jfaj-hpa

This careful replication of legitimate URLs is a key tactic scammers use to lower users’ defenses, making them more likely to click without verifying the source.

THE INFECTION PROCESS

Once you click on the fraudulent link, you are directed to a fake Google Meet page, where you may be greeted with a pop-up message claiming there is a technical issue — often related to your microphone or headset.

When you click on the “Try Fix” button, you are guided through a deceptive process involving copying a piece of PowerShell code. The code is presented as a necessary step to resolve the supposed issue, but instead, it opens the door for malware installation. By pasting the code into the Windows Command Prompt, you unknowingly execute commands that download malicious software onto your system.

TYPES OF MALWARE DELIVERED

The ClickFix campaigns are not just a nuisance; they can lead to severe security breaches. The malware deployed through these attacks includes a variety of malicious software, such as:

* DarkGate: A versatile remote access trojan (RAT) that allows attackers to gain control of infected systems.
* AMOS stealer: Specifically targets macOS systems, stealing sensitive data and credentials.
* Lumma stealer: Designed to harvest personal information and sensitive data from infected devices.
* Matanbuchus and XMRig: Used for cryptocurrency mining, these malware strains can slow down systems while surreptitiously utilizing computing resources.

RECENT TRENDS AND EVOLUTION

Recent reports from cybersecurity firms, including McAfee and Sekoia, indicate a significant uptick in ClickFix campaigns, particularly in regions like the United States and Japan. The convenience of digital communication and the increased volume of meetings have made it easier for phishing attempts to slip through the cracks.

* Cybercriminals are not resting on their laurels; they are continuously adapting their strategies to remain effective.
* The ClickFix campaigns have diversified their tactics, expanding beyond Google Meet to include other platforms like Zoom, and targeting users of various popular applications and services.
* Recent campaigns have been reported to involve phishing emails targeting transport and logistics firms, showcasing the attackers’ efforts to tailor their approaches to different industries.

Additionally, two notable threat actor groups — Slavic Nation Empire (SNE) and Scamquerteo — have been linked to these campaigns. These groups are considered sub-teams of larger cryptocurrency scam networks, highlighting the organized and systematic nature of these phishing attacks.

PROTECTING YOURSELF FROM CLICKFIX ATTACKS

Awareness is the first line of defense against phishing scams like ClickFix. Here are some tips to help you identify potential phishing attempts:

* Scrutinize email addresses: Always check the sender’s email address for inconsistencies. Legitimate organizations typically use official domains. If something looks off, it’s worth investigating further.
* Examine links carefully: Hover over links to reveal the actual URL before clicking. Avoid clicking if the link seems suspicious or does not match the expected domain (e.g., a slight misspelling).
* Look for red flags: Pay attention to urgent language or unusual requests, such as prompting you to resolve technical issues or execute commands. Legitimate companies rarely ask users to run scripts or share sensitive information via email.

IMPLEMENTING SECURITY MEASURES

Taking proactive steps can significantly reduce your risk of falling victim to ClickFix attacks:

* Use updated security software: Ensure your antivirus and anti-malware programs are up-to-date. These tools can help detect and block malicious activities before they compromise your system.
* Enable multi-factor authentication (MFA): Implementing MFA adds a layer of security to your accounts. Even if your credentials are compromised, attackers will face an extra hurdle in accessing your accounts.
* Regularly back up your data: Frequent backups can safeguard your information against ransomware attacks and malware infections. In the event of an attack, you can restore your system without losing critical files.

BEST PRACTICES FOR VIRTUAL MEETINGS

To ensure a safer virtual meeting experience, follow these best practices:

* Verify meeting invitations: Only use links from trusted sources or known contacts. If you receive a meeting invitation unexpectedly, confirm it with the sender through a different communication method before joining.
* Adjust security settings: Use the security features provided by your video conferencing platform. Options like waiting rooms and password-protected meetings can help prevent unauthorized access.
* Educate your team: If you’re part of an organization, conduct regular cybersecurity training sessions to keep employees informed about the latest phishing tactics and encourage a culture of cybersecurity awareness.

Protect yourself by choosing a reliable anti-malware solution that fits your needs. Investing in quality anti-malware can provide essential safeguards against these types of threats and help keep your devices secure.