New Google Chrome Warning: Copy-Paste Text At Your Own Risk

Security researchers have recently issued a warning to all Google Chrome users on Windows, following an increase in attacks that rely on a unique form of social engineering.

In recent weeks, researchers from cybersecurity firm Proofpoint say they’ve observed several threat actors using fake error messages to trick users into copying and pasting malicious PowerShell scripts into their Windows terminals, installing malware in the process.

“While the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” says Proofpoint researcher Selena Larson.

The attacks start with spam emails, Larson says. For example, one threat actor called TA571 has over the past few weeks sent hundreds of thousands of emails that claim a Word document attachment is broken and needs to be fixed.

“TA571 has sent over 100,000 email messages to thousands of organizations globally since March 1,” Larson tells TechCrunch. “While we don’t have insight into how many of these attacks were successful, it is likely the threat actors are seeing a decent infection rate given that they keep using this technique.”

The emails in another campaign from a different threat actor — ClearFake — contain an attachment that pretends to be a broken Microsoft Word or OneDrive file that needs to be fixed with a PowerShell command, according to Proofpoint.

“TA571 is an initial access broker that sends emails in bulk in an attempt to deliver malware for various cybercriminal customers,” Larson says. “After someone opens a malicious attachment and clicks to ‘fix’ the issue, the attack instructs the user to install a fake root certificate that in reality allows attacker-controlled sites to use unauthorized certificates and puts the victim at risk of man-in-the-middle attacks.”

The tactic used by TA571 is particularly insidious because it not only leads to malware infections but also opens victims up to further attacks by other cybercriminals, Larson says.

In addition to TA571 and ClearFake, another threat actor known as “ClickFix” is using a similar attack technique, Larson says.

In some cases, the PowerShell command that victims are tricked into running installs an MSI file, which results in the installation of malware including info stealers such as Vidar Stealer and clipboard hijackers such as XMRig, a cryptocurrency miner.

In other cases, the PowerShell command downloads and runs a VBS script, which installs more traditional malware including the backdoors DarkGate and NetSupport RAT.

Proofpoint says that it has observed over the past few weeks at least 12,000 infections in total across the world from the ClearFake, TA571 and ClickFix campaigns.

The attackers behind ClearFake and TA571 appear to have had some success in the U.S. in particular, likely due to the use of phishing emails that were “very convincing,” Larson says.

The fake error messages have been spotted on a variety of websites, including those of small and mid-sized organizations as well as high-traffic media sites, Proofpoint says. In some cases, the attackers exploited vulnerabilities in plugins and other software to compromise the sites, Larson says.