There are many complex AI-fueled cyber attacks now targeting PC users — this is not one of them. But if you fall victim, it will still steal your credentials or hijack your device. Fortunately, staying safe is easy if you know what to look for. Unfortunately, many users still do not, and these attacks are spreading like wildfire.
We’re talking ClickFix, a popup message that tricks users into copying and pasting text which then runs a malicious PowerShell command. This will download and install malware onto your PC, while you still struggle in vain to access the meeting. The meeting invite is fake, the URL is fake, it’s all an attack.
This latest ClickFix warning comes courtesy of Sucuri, which says it “discovered an HTML file meticulously crafted to resemble the Google Meet interface. This fake Google Meet page doesn’t present a login form to steal credentials directly. Instead, it employs a social engineering tactic, presenting a fake ‘Microphone Permission Denied’ error and urging the user to copy and paste a specific PowerShell command as a ‘fix’.”
ClickFix is pure social engineering. It usually manifests as scamware that tricks users into thinking their PC has failed and they need to install a fix, but we are now seeing variations on the theme. While this Google Meet attack is fairly typical, we have also seen ruses to open protected files or access restricted websites. These malicious meeting invites use clever URLs which often include “google” and “join” in the text string.
According to Sucuri, this latest attack even displays a ‘Verification complete!’ message to the user. “This is a social engineering tactic to reassure the victim that their action (which led to the execution of this script) was successful and legitimate, while the malicious operations continue in the background.”
Per Kaspersky, “The tactic was first seen in the spring of 2024. Since then, attackers have come up with a number of scenarios for its use. The scheme may differ slightly from case to case, but attackers typically give the victim the following instructions:
- click the button to copy the code that solves the problem;
- press the key combination [Win] + [R];
- press the combination [Ctrl] + [V];
- press [Enter].”
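A page that walks a visitor through these steps has to fill the clipboard and show the keystroke instructions, and both leave traces in its HTML. The following added example (not code from Kaspersky, Sucuri or the lure itself) checks one HTML document for that combination; the patterns, function names and sample pages are assumptions constructed for illustration.

```python
import base64, binascii, html, re

# Heuristic patterns: assumptions picked for this example, not vendor detection rules.
SIGNALS = {
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "run_dialog": re.compile(r"\bWin(?:dows)?(?:\s+key)?\s*\]?\s*\+\s*\[?\s*R\b", re.I),
    "paste_step": re.compile(r"\bCtrl\s*\]?\s*\+\s*\[?\s*V\b", re.I),
    "shell_command": re.compile(r"\b(?:powershell|pwsh|mshta)\b", re.I),
}
TAG = re.compile(r"<[^>]+>")
ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def _decoded_atob(raw):
    """Decode base64 literals passed to atob(), one way a page could hide the command text."""
    out = []
    for blob in ATOB.findall(raw):
        try:
            out.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64: ignore rather than abort the scan
    return " ".join(out)

def clickfix_signals(page):
    """Return the names of the signals found in one HTML document."""
    raw = html.unescape(page)
    # Keystroke hints are often split by markup (<kbd>Win</kbd> + <kbd>R</kbd>), so also
    # search the tag-stripped text; clipboard calls live in attributes/scripts, so keep raw.
    visible = re.sub(r"\s+", " ", TAG.sub(" ", raw))
    haystack = "\n".join((raw, visible, _decoded_atob(raw)))
    return {name for name, rx in SIGNALS.items() if rx.search(haystack)}

def is_clickfix_lure(page):
    """A page that fills the clipboard AND tells the user to paste it into Run."""
    hits = clickfix_signals(page)
    return "clipboard_write" in hits and bool(hits & {"run_dialog", "paste_step"})

# Constructed sample pages (not taken from the real lure).
_B64 = base64.b64encode(b"powershell # placeholder, no real command").decode()
LURE = f"""<div>Microphone Permission Denied</div>
<p>Press <kbd>Win</kbd> + <kbd>R</kbd>, then <kbd>Ctrl</kbd> + <kbd>V</kbd>, then Enter.</p>
<button onclick="navigator.clipboard.writeText(atob('{_B64}'))">Fix</button>"""
DOCS = """<pre id="c">pip install requests</pre>
<button onclick="navigator.clipboard.writeText(document.getElementById('c').innerText)">Copy</button>"""
ADVISORY = "<li>press the key combination [Win] + [R];</li><li>press [Ctrl] + [V];</li>"

if __name__ == "__main__":
    for name, page in (("lure", LURE), ("docs", DOCS), ("advisory", ADVISORY)):
        print(name, is_clickfix_lure(page), sorted(clickfix_signals(page)))
```

Requiring both signals keeps an ordinary copy button and a security advisory that merely lists the steps from being flagged. A page that assembles its strings at runtime would evade a static check like this one.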
While the attack is just a ClickFix, Sucuri says “what makes this fake Google Meet file more dangerous than many we’ve seen is its self-contained nature: All styles, logos, and layouts are embedded; no external JavaScript files are called; no Google resources or analytics scripts are loaded. The attacker knew what they were doing, they created a file that looks completely harmless in source code, unless you look very closely.”
But you don’t need to. Regardless of the website or app you’re on, if you see a popup or CAPTCHA with that unmistakable instruction to open a Run window and then paste in copied text, it’s an attack. Every single time. Exit the app or website. Do not click anything. And delete whatever email, message or invite took you there in the first place.
As Sucuri says, this fake Google Meet “represents a significant threat vector where a seemingly simple action – copying and pasting a command – can lead to a complete compromise of your computer. The attackers are betting on the users’ trust and their desire to quickly resolve a perceived technical issue.”