Beware of fake Google Meet invitations: campaign in progress


Cybercriminals keep finding inventive ways to trap Internet users, and this time malware is circulating through fake Google Meet invitations. Behind these videoconferencing links lies a serious threat: malicious programs designed to steal sensitive data.

Fake Google Meet invitations used to spread malware

Mailboxes are currently being flooded with fake Google Meet invitations, a ploy aimed at installing malware on users’ computers and one of the notable hacking trends of 2024. Seemingly legitimate, these invitations hide malicious software, mainly “infostealers”. These programs are designed to infiltrate a system and steal personal information, including login credentials and financial data.

This type of attack uses psychological manipulation techniques to trick victims into clicking on infected links. When receiving an email containing a link to a Google Meet meeting, many users let down their guard, believing it to be a legitimate videoconference request. However, behind these links, there are malicious programs waiting to be executed.

ClickFix: the method used by hackers

This new campaign relies on a technique called ClickFix. It uses fake pages that imitate Google Meet and simulate technical errors related to the use of the platform. The pages display error messages indicating problems with the user’s microphone or headset, and prompt them to click buttons such as “Try Fix.”

In reality, these buttons trigger the execution of a malicious script. On Windows, this leads to a malicious command being copied to the clipboard, while on macOS, a DMG file named “Launcher_v1.94” is downloaded. Victims are then tricked into executing these files or commands, allowing hackers to take control of the system and steal sensitive data.

Cybercriminal groups behind the attack

Research carried out by Sekoia, a specialist security company, identified the malware used in this campaign. On Windows, the attacks are carried out by Stealc and Rhadamanthys malware, while on macOS, AMOS Stealer is at work. All of these programs are infostealers, designed to collect sensitive information and transmit it to servers controlled by hackers.

Behind this operation, we find two groups of cybercriminals: Slavic Nation Empire (SNE) and Scamquerteo. These groups specialize in cryptocurrency theft, using malware to infiltrate user systems and steal digital funds. These groups belong to larger organizations called Marko Polo and CryptoLove, known for their illegal cryptocurrency activities.

Other platforms targeted by attacks

Although Google Meet is one of the main targets of this campaign, other platforms are also used to distribute this malware. Fake messages inviting people to join Zoom meetings or view documents through services like DocuLama and VerdaScript have also been reported. Hackers use multiple channels to trap Internet users, by imitating video game download sites or even Web3 browsers.

These attacks show the scale of threats that exist online. Each click on a suspicious link can lead to malware infiltration, hence the importance of remaining vigilant against this type of message.

How to avoid the pitfalls of fake invitations?

To protect yourself from these attacks, some precautionary measures are essential. First of all, it is recommended to check the legitimacy of the email addresses that send these invitations. Cybercriminals often use addresses that are very similar to those of official services, but careful examination can reveal anomalies.

In addition, instead of clicking directly on a link received by email, it is safer to manually go to the official website of the service concerned. By accessing Google Meet or any other platform via its official URL, you avoid falling into the trap of fake pages created by hackers.

Finally, when in doubt, it is best not to run files downloaded from an unsolicited invitation. Vigilance remains your best protection against this type of threat.
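
The link check described above can be automated before anyone clicks. The following is an added example, not part of the original article: it extracts the links from an invitation body and flags hosts that only imitate the official one. The allowlist, the function names and the `.example` sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: the only host accepted as a real Google Meet link.
OFFICIAL_HOSTS = {"meet.google.com"}
BRAND_TOKENS = ("google", "meet")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def classify_link(url):
    """Return 'official', 'lookalike' or 'other' for one URL."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed authority, so it cannot be the official host
        return "other"
    if host in OFFICIAL_HOSTS:
        return "official"
    # Brand words in the authority (host or userinfo) of a non-official URL
    # are the usual sign of an address built to resemble the real service.
    authority = parts.netloc.lower()
    if all(token in authority for token in BRAND_TOKENS):
        return "lookalike"
    # Punycode labels can render as characters that mimic Latin letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "lookalike"
    return "other"


def review_invitation(body):
    """Map every http(s) link in an e-mail body to its classification."""
    return {url: classify_link(url) for url in URL_RE.findall(body)}


# Constructed sample text; the .example hosts are placeholders, not indicators.
SAMPLE = """You are invited to a meeting.
Join: https://meet.google.com/abc-defg-hij
Join: https://meet.google.com.join-call.example/abc
Join: https://meet.google.com@video-fix.example/abc
Join: https://meet-google.example/room
Agenda: https://intranet.example/agenda
"""

if __name__ == "__main__":
    for url, verdict in review_invitation(SAMPLE).items():
        print(f"{verdict:9} {url}")
```

Only the exact official host passes; an official-looking name used as a subdomain prefix or placed before an `@` is reported as a lookalike because the real destination is the host that follows it.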

