An inside look at a ClickFix campaign and a real-world attack, its next iteration (FileFix), and how to stop it in its tracks, before device compromise.
ClickFix: Silent Copying to Clipboard
ClickFix is a deceptive social engineering tactic in which threat actors manipulate users into unwittingly allowing a web page to silently populate the clipboard.
Ultimately, the attacker is attempting to get a user to (unknowingly) execute malicious code, gathered from the browser and quietly placed into the user’s clipboard, on the host machine.
The name “ClickFix” was coined because the original social engineering prompts told users they needed to “fix” a problem with their browser and required them to click an element. The term is now applied to any similar attack: the user clicks an element, the page populates the victim’s clipboard, and the page instructs the user to paste the malicious code into their device’s terminal.
Images of a ClickFix attack disguised as a CAPTCHA prompt.
The above screenshots show an example ClickFix attack. Once the user clicks the fake CAPTCHA, the page silently populates the user’s clipboard with malicious code. It then displays instructions for the user to prove they are human—by pasting (the malicious code) into the Windows Run dialog.
For more information about ClickFix, see our article explaining the what, why, where, and how of ClickFix.
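The flow described above (a click, a silent clipboard write, then on-page instructions to paste into the Run dialog) can be checked in the browser at the moment of the write. The following is an added example, not code from this article or from any product it mentions; the function names, signal names, launcher list and verdict rules are assumptions chosen for illustration.

```javascript
// Added example: all names and rules here are hypothetical.
// Launchers a Windows Run-dialog paste would typically start with.
const INTERPRETERS = /\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b/i;
// Visible page text telling the user to open Run and paste.
const PASTE_LURE = /(win(dows)?\s*(key)?\s*\+\s*r\b|run dialog|ctrl\s*\+\s*v)/i;

// Score one page-initiated clipboard write.
//   text      - what the page wants to place on the clipboard
//   selection - what the user had highlighted (empty if nothing)
//   pageText  - visible text of the page at the time of the write
function assessClipboardWrite({ text, selection = "", pageText = "" }) {
  const reasons = [];
  const t = String(text).trim();
  if (t && !selection.includes(t)) reasons.push("not-user-selected");
  if (INTERPRETERS.test(t)) reasons.push("command-interpreter");
  if (PASTE_LURE.test(pageText)) reasons.push("paste-instructions");
  const silentCommand =
    reasons.includes("not-user-selected") && reasons.includes("command-interpreter");
  let verdict = "allow";
  if (silentCommand) verdict = reasons.includes("paste-instructions") ? "block" : "warn";
  return { verdict, reasons };
}

// Wrap a Clipboard-like object so every writeText call is assessed first.
// getContext() supplies { selection, pageText }; onVerdict receives the result.
function guardClipboard(clipboard, getContext, onVerdict) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = (text) => {
    const result = assessClipboardWrite({ text, ...getContext() });
    onVerdict(result, text);
    if (result.verdict === "block") {
      return Promise.reject(new Error("clipboard write blocked"));
    }
    return original(text);
  };
}

// Constructed samples (not taken from any real campaign).
const SAMPLE_LURE_PAGE = "Verify you are human: press Win + R, then Ctrl + V, then Enter";
const SAMPLE_COMMAND = 'powershell -NoProfile -Command "Write-Output constructed-sample"';

// In the page's main world, the wiring would look like:
// guardClipboard(navigator.clipboard,
//   () => ({ selection: String(getSelection()), pageText: document.body.innerText }),
//   (r) => console.warn("clipboard write", r));
```

This wrapper only covers `navigator.clipboard.writeText`; pages can also set the clipboard through `copy` event handlers or `document.execCommand('copy')`, which need separate coverage.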
Stop ClickFix Attacks Where They Start: In the Browser
Keep Aware, the purpose-built browser security platform, detects deceptive interactions in real time, right where they happen. By monitoring clipboard access patterns, flagging suspicious web pages, and disrupting lateral movement techniques like ClickFix, Keep Aware empowers organizations to shut down attacks before they ever leave the browser and reach the host.
Real-World Attack: Google Result to ClickFix Attempt