ChainCatcher reports that, according to Cointelegraph, hackers are using the "ClickFix" attack technique to steal cryptocurrency. The two latest attacks involve impersonating venture capital firms and hijacking browser extensions.
Cybersecurity firm Moonlock Lab reported that scammers posing as representatives of fake venture capital firms such as SolidBit, MegaBit, and Lumax Capital contacted users via LinkedIn, offering collaboration opportunities and then directing them to click on fake Zoom and Google Meet links. After clicking the links, users were redirected to a page with a fake Cloudflare "I'm not a bot" verification box. Clicking this box copied malicious commands to the clipboard and prompted the user to open their terminal and paste a purported verification code, so that the user ran the attacker's commands themselves.
Moonlock Lab points out that this method turns the victim into the execution mechanism, bypassing security industry defenses. Meanwhile, hackers also spread malware by hijacking the Chrome extension QuickLens. This extension allows users to run Google Lens searches directly in their browsers; after its ownership was transferred, a new version was released containing malicious scripts that could launch ClickFix attacks and steal information.
After being hijacked, the extension, which had approximately 7,000 users, would search for encrypted wallet data and seed phrases in order to steal funds. It would also scrape Gmail inbox content, YouTube channel data, and login credentials or payment information entered into web forms. The extension has been removed from the Chrome Web Store. The ClickFix technique, which has been popular among hackers since last year, relies on getting victims to manually execute malicious payloads and has affected thousands of businesses and industries worldwide.





