BlockBeats News, March 3rd: Cybersecurity organization Moonlock Lab reported that crypto hackers have recently upgraded the "ClickFix" attack method. They now impersonate venture capital firms, contact target users through social platforms, and induce them to execute malicious code that steals crypto assets.
The attackers posed as fake VC firms such as SolidBit, MegaBit and Lumax Capital, sent partnership invitations through LinkedIn, and guided victims to fake Zoom or Google Meet meeting links. A fake Cloudflare "I'm not a robot" verification button is embedded on the page. When it is clicked, malicious commands are copied to the clipboard, and the user is then induced to paste and execute them in the terminal, which completes the attack. Researchers pointed out that this method bypasses traditional security defenses by "having the victims execute commands themselves."
Meanwhile, hackers have also hijacked browser extensions to carry out attacks. John Tuckner, founder of cybersecurity company Annex Security, revealed that the Chrome extension QuickLens changed ownership on February 1st and, two weeks later, released a new version containing malicious scripts that triggered the ClickFix attack and stole user data. The extension had about 7,000 users and has now been removed from the store.
The report stated that the hijacked extension would scan for crypto wallet data and mnemonic phrases, and collect Gmail email content, YouTube channel data, and web login or payment information.
