A combination of propagation methods, narrative sophistication, and evasion techniques enabled the social engineering tactic known as ClickFix to take off the way it did over the past year, according to new findings from Guardio Labs.
“Like a real-world virus variant, this new ‘ClickFix‘ strain quickly outpaced and ultimately wiped out the infamous fake browser update scam that plagued the web just last year,” security researcher Shaked Chen said in a report shared with The Hacker News.
“It did so by removing the need for file downloads, using smarter social engineering tactics, and spreading through trusted infrastructure. The result – a wave of infections ranging from mass drive-by attacks to hyper-targeted spear-phishing lures.”
ClickFix is the name given to a social engineering tactic where prospective targets are deceived into infecting their own machines under the guise of fixing a non-existent issue or a CAPTCHA verification. It was first detected in the wild in early 2024.
In these attacks, infection vectors as diverse as phishing emails, drive-by downloads, malvertising, and search engine optimization (SEO) poisoning are employed to direct users to fake pages that display the error messages.
These messages have one goal: Guide victims to follow a series of steps that cause a covertly copied malicious command to their clipboard to be executed when pasted on the Windows Run dialog box or the Terminal app, in the case of Apple macOS.
The nefarious command, in turn, triggers the execution of a multi-stage sequence that results in the deployment of various kinds of malware, such as stealers, remote access trojans, and loaders, underscoring the flexibility of the threat.
The tactic has become so effective and potent that it has led to what Guardio calls a CAPTCHAgeddon, with both cybercriminal and nation-state actors wielding it in dozens of campaigns in a short span of time.
ClickFix is a more stealthy mutation of ClearFake, which involves leveraging compromised WordPress sites to serve fake browser update pop-ups that, in turn, deliver stealer malware. ClearFake subsequently went on to incorporate advanced evasion tactics like EtherHiding to conceal the next-stage payload using Binance’s Smart Chain (BSC) contracts.
Guardio said the evolution of ClickFix and its success is the result of constant refinement in terms of propagation vectors, the diversification of the lures and messaging, and the different methods used to get ahead of the detection curve, so much so that it ultimately supplanted ClearFake.
“Early prompts were generic, but they quickly became more persuasive, adding urgency or suspicion cues,” Chen said. “These tweaks increased compliance rates by exploiting basic psychological pressure.”
Some of the notable ways the attack approach has adapted include the abuse of Google Scripts to host the fake CAPTCHA flows, thereby leveraging the trust associated with Google’s domain, as well as embedding the payload within legitimate-looking file sources like socket.io.min.js.
“This chilling list of techniques – obfuscation, dynamic loading, legitimate-looking files, cross-platform handling, third-party payload delivery, and abuse of trusted hosts like Google – demonstrates how threat actors have continuously adapted to avoid detection,” Chen added.
“It is a stark reminder that these attackers are not just refining their phishing lures or social engineering tactics but are investing heavily in technical methods to ensure their attacks remain effective and resilient against security measures.”
