An attack that uses a fake Windows update screen to trick victims installing malware is trying to become even more effective by incorporating porn.
Earlier this month, we wrote about the attack, which has been appearing over malicious websites. Visiting them can trigger your browser to go into full-screen mode, mimicking the Windows update process. The fake update screen —which acts like scareware— will then try to manipulate the user into executing commands “to complete the update,” when in reality it’s a trick to secretly install malware.
On Tuesday, the cybersecurity vendor Acronis reported finding the fake Windows update screens popping up through sites impersonating xHamster and Pornhub.
(Acronis)
Acronis suspects the attack has been circulating through malicious ads, which can lead users to the fake porn sites as bait. The sites will present pornographic images that seem like a playable video. In other cases, the pornographic imagery will be blurred out while displaying a disclaimer, requiring the user to verify their age.
“Everything on the site is working to encourage the victim to press on the screen,” Acronis noted. But if a user clicks anywhere on the page, the site will trigger the fake Windows update screen.
(Acronis)
The fake blue screen then encourages the user to execute three seemingly simply step. The first involves pressing the Windows button together with the R key, which can open the run dialog box, a way to launch programs on a Windows PC. The next steps then call for pressing “CTRL+V” for the paste command, and then enter to run computer code from the hacker’s domain.
Get Our Best Stories!
Stay Safe With the Latest Security News and Updates
By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.
Thanks for signing up!
Your subscription has been confirmed. Keep an eye on your inbox!
Users who know little about keyboard commands or computers could fall for the scheme. If executed, the attack can download and install various forms of data-stealing malware, including Rhadamanthys, Vidar 2.0, RedLine, Amadey and other remote access Trojans that can enable the hacker to hijack a PC.
Fortunately, the attack is easy to defuse. “While in full screen, the user can still use the escape and F11 button,” which can shut down the full-screen mode, and tip off the nature of the attack, Acronis noted. No update is actually occurring; the malicious site is merely mimicking the Windows update screen through the browser by showing fake animations, including a progress bar.
Still, the fake Windows update represents a variation of the “ClickFix” technique, which has proven effective over the last year in tricking users to install malware including ransomware, according to cybersecurity researchers.
The technique revolves around duping the unsuspecting user into executing the manual commands “Windows +R”, “CTRL+V” and then hitting enter. Hackers have previously dressed up the attack method as online CAPTCHA screens or security alerts from Google Chrome or Facebook. But in recent weeks, security researchers have also spotted the technique manifesting itself as fake Windows updates.
As a result, Acronis is warning the public to watch out for Clickfix and its various iterations. “The format provides a huge amount of flexibility to the attacker, and allows them to not only present static images, but also videos and other elements that may improve their ability to socially engineer the victim,” the company warned. To protect yourself, know that no legitimate site or service will ask you to perform such commands on your computer.
About Our Expert
Michael Kan
Senior Reporter
Experience
I’ve been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I’m currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I’ve combed through FCC filings for the latest news and driven to remote corners of California to test Starlink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I’m now following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio
