Cybercriminals are increasingly conducting a type of social engineering technique dubbed ClickFix to gain persistent access to victims’ networks. ClickFix attacks involve social engineering to trick the victim into installing malware. ClickFix attacks were first identified in early 2024, and the use of this tactic has been increasing. These attacks take advantage of users’ desire to quickly resolve IT issues without having to inform their IT department. Resolving issues can take time, and usually involves raising a support ticket with the IT department. In ClickFix attacks, the threat actor warns the user about a fake IT issue, often providing some evidence of that issue, and offers a quick and easy solution.
The aim of these attacks is to trick the user into running a PowerShell command, which will ultimately deliver malware to their device. Campaigns have been conducted by threat actors distributing the Lumma information stealer, the Danabot banking trojan/information stealer, the AsyncRAT remote action trojan, and the DarkGate loader, although any number of malware variants could be delivered using this technique. Multiple threat groups have been observed using this technique.
The methods used to get the user to run the malicious PowerShell command are varied, with the deception occurring via email, the Internet, or a combination of the two. Threat actors have been observed conducting phishing ClickFix attacks involving emails with HTML attachments disguised as Microsoft Word documents. The attachments display a fake error message, the resolution of which requires copying and executing a malicious PowerShell command.
Malicious links have been distributed in phishing emails that direct users to sites impersonating software solutions such as Google Meet and PDFSimpli, the Chrome web browser, social media platforms such as Facebook, and transport and logistics companies. Threat actors also use stolen credentials to compromise websites where they create pop-ups, which appear when visitors land on the site warning them about a fictitious security issue. Fake CAPTCHA prompts are often used, where the user is told they must verify that they are human before being allowed to proceed. As part of the verification process, a command is copied to the clipboard, and the user is told to press the Windows key + R, then CTRL + V, and then enter, thus executing the script and triggering a malware download. Security researchers have identified multiple threat actors using this technique, including Russian espionage actors in targeted attacks on Ukrainian companies and many different financially motivated cybercriminal groups.
To defend against Clickfix attacks, businesses need to implement multiple mitigations to prevent these attacks from succeeding, the most important of which are security awareness training, an advanced spam filter, and a web filtering solution. Regular security awareness training should be conducted to improve understanding of the phishing and social engineering techniques used by threat actors, including specific training content to teach employees how to identify and avoid clickfix attacks. TitanHQ offers a comprehensive training platform called SafeTitan that allows businesses to easily create security awareness training programs tailored to individuals and user groups, and rapidly roll out additional training material when a new threat is identified. SafeTitan also includes a phishing simulator to test employee responses to simulated clickfix attacks.
An advanced spam filter is essential for blocking malicious emails. TitanHQ’s SpamTitan suite of solutions includes a spam filter for Office 365, a gateway spam filter, and the most popular choice, a cloud based anti spam service. SpamTitan conducts an extensive array of tests to identify spam and malicious emails, including reputation checks, checks of embedded hyperlinks, email sandbox behavioral analysis, and AI/machine learning to identify the threats that bypass many email security solutions. In recent tests, SpamTitan outperformed all other tested email security solutions with a 100% malware and phishing catch rate, and a 99.999% spam catch rate.
Web filtering solutions should be used to protect against the web-based component of clickfix attacks since initial contact is not always made via email. The WebTitan DNS filter prevents access to known malicious websites, such as the attacker-controlled webpages used in clickfix attacks. WebTitan can also prevent downloads of certain file extensions from the Internet and can also be used to control the categories of websites that employees can visit.
With regular security awareness training, email security, and web security delivered through SafeTitan SpamTitan, and WebTitan, businesses will be well protected from Clickfix attacks. Call TitanHQ today to find out more or take advantage of a free trial of these solutions.