ClickFix attacks: fake problems, fake fixes, real compromise

Cybercriminals love one thing above all else: getting you to click a button that gives them access to your account or device. A ClickFix attack is a modern version of social engineering that exploits your instinct to fix problems quickly. It starts by tricking you into clicking a button that’s framed as a “verify, “fix,” or “update” action. That click will trigger malware on your device or allow the attacker to take over your account.

At its core: they show you a fake problem, you click the “fix” they offer, and they gain access to your stuff.

How ClickFix attacks works

  1. You’re browsing a website, and you are shown a fake warning like so:
    • “Verification steps/verify you are human”
    • “Something went wrong when displaying this webpage”
    • “Your device is infected, click to clean”
  2. You are presented with a button that promises to fix everything. It may ask you to paste a command into the Terminal or command prompt.
  3. Clicking the button or pasting the command will start the attack.

How to avoid this attack

  • Watch out for:
    • Requests to open the Run, Terminal or Command Prompt
    • Claims that your system is infected, corrupted, or compromised
    • Instructions to copy and paste commands as a ‘fix’ or ‘verification’ action
  • Don’t click system warnings or update popups that appear in a browser window. Your operating system doesn’t use Chrome or Firefox to talk to you: if you can close the tab and it’s gone, it wasn’t real.
  • Keep software updated…. but from legitimate menus. If something says “your browser is out of date,” update it from your OS or the vendor’s website directly.
  • Use pop up blockers and an antivirus. These tools catch a lot of the sketchy popups before they even load, or stop the malicious command from executing.
  • When in doubt, don’t click. Contact the IT Service Desk.

Example
Below is an example of a ClickFix popup. Note the following:

  • It impersonates a “captcha” user verification
  • It asks you to open a Run dialog (Windows Key + R), which will ‘run’ any commands you paste into it.
  • It asks you to press ctrl+v, that is, paste a command into that run box.
  • Finally, it asks you to press ‘Enter’, which will Run the command that you pasted
    • You may be wondering, “wait, but I didn’t copy any commands, so where did the paste come from?” The malicious webpage that displayed this pop up also silently inserted a command into your clipboard in the background, without you knowing. That malicious command is what you will end up pasting and running on your system.

Final Thoughts: ClickFix attacks work because it’s tempting to trust buttons that promise easy solutions. They’re built to be quick, and cybercriminals count on you being too distracted, stressed, or rushed to think twice. Slow down. Verify first.

Comments are closed.