ClickFix Exploits Users with Fake Errors and Malicious Code
Summary:
ClickFix is a new social engineering tactic that uses deceptive error messages to prompt users into executing malicious code, allowing attackers to infiltrate their devices. Originally identified by Proofpoint and recently detailed by Sekoia’s Threat Detection & Research (TDR) team, this tactic—also known as ClearFake—tricks users into copying and running harmful PowerShell commands under the guise of resolving error notifications. Often targeting video conferencing platforms like Google Meet and Zoom, ClickFix lures users by mimicking familiar error alerts, making them believe they are fixing technical issues. As users attempt to troubleshoot these fabricated errors, they unknowingly activate commands that initiate malware downloads on their systems. Beyond video platforms, ClickFix also operates on fake CAPTCHA pages, which prompt users through steps that activate malicious code on both Windows and macOS devices.
ClickFix adapts its infection tactics based on the operating system. On macOS, users clicking on “fix it” prompts are guided through steps that automatically download malware in a .dmg format, making it appear as legitimate troubleshooting software. On Windows, ClickFix employs either malicious mshta or PowerShell commands. The mshta infections leverage VBScript embedded in HTML applications, while PowerShell commands run directly from user input. Often, these infections disguise their activities as legitimate Windows processes, such as Explorer.exe, making them difficult to detect.
Security Officer Comments:
The ClickFix tactic also spreads through redirections on suspicious websites and GitHub, leading users to fake CAPTCHA pages that activate malware through a simple PowerShell script. These fake CAPTCHAs present a clean, unassuming interface, yet the embedded PowerShell code enables significant damage.
Suggested Corrections:
Detecting ClickFix requires specialized tools. The TDR team suggests monitoring for:
Link(s):
https://www.infosecurity-magazine.com/news/clickfix-fake-errors-malicious-code/
https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/
ClickFix is a new social engineering tactic that uses deceptive error messages to prompt users into executing malicious code, allowing attackers to infiltrate their devices. Originally identified by Proofpoint and recently detailed by Sekoia’s Threat Detection & Research (TDR) team, this tactic—also known as ClearFake—tricks users into copying and running harmful PowerShell commands under the guise of resolving error notifications. Often targeting video conferencing platforms like Google Meet and Zoom, ClickFix lures users by mimicking familiar error alerts, making them believe they are fixing technical issues. As users attempt to troubleshoot these fabricated errors, they unknowingly activate commands that initiate malware downloads on their systems. Beyond video platforms, ClickFix also operates on fake CAPTCHA pages, which prompt users through steps that activate malicious code on both Windows and macOS devices.
ClickFix adapts its infection tactics based on the operating system. On macOS, users clicking on “fix it” prompts are guided through steps that automatically download malware in a .dmg format, making it appear as legitimate troubleshooting software. On Windows, ClickFix employs either malicious mshta or PowerShell commands. The mshta infections leverage VBScript embedded in HTML applications, while PowerShell commands run directly from user input. Often, these infections disguise their activities as legitimate Windows processes, such as Explorer.exe, making them difficult to detect.
Security Officer Comments:
The ClickFix tactic also spreads through redirections on suspicious websites and GitHub, leading users to fake CAPTCHA pages that activate malware through a simple PowerShell script. These fake CAPTCHAs present a clean, unassuming interface, yet the embedded PowerShell code enables significant damage.
Suggested Corrections:
Detecting ClickFix requires specialized tools. The TDR team suggests monitoring for:
- PowerShell and bitsadmin processes, with mshta.exe as the parent process
- Command lines containing URLs, which may indicate a malicious download
- Network activities involving PowerShell connections to low-prevalence or suspicious domains
Link(s):
https://www.infosecurity-magazine.com/news/clickfix-fake-errors-malicious-code/
https://blog.sekoia.io/clickfix-tactic-revenge-of-detection/