The ClickFix social engineering tactic as an initial access vector using fake CAPTCHA verifications increased by 517% between the second half of 2024 and the first half of this year, according to data from ESET.
“The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” Jiří Kropáč, Director of Threat Prevention Labs at ESET, said.
ClickFix has become a widely popular and deceptive method that employs bogus error messages or CAPTCHA verification checks to deceive victims into copying and pasting a malicious script into either the Windows Run dialog or the Apple macOS Terminal app, and running it.
The Slovak cybersecurity company said the highest volume of ClickFix detections is concentrated around Japan, Peru, Poland, Spain, and Slovakia.
The prevalence and effectiveness of this attack method have led to threat actors advertising builders that provide other attackers with ClickFix-weaponized landing pages, ESET added.
From ClickFix to FileFix
The development comes as security researcher mrd0x demonstrated a proof-of-concept (PoC) alternative to ClickFix named FileFix that works by tricking users into copying and pasting a file path into Windows File Explorer.
The technique essentially involves achieving the same as ClickFix but in a different manner by combining File Explorer’s ability to execute operating system commands through the address bar with a web browser’s file upload feature.
In the attack scenario devised by the researcher, a threat actor may devise a phishing page that, instead of displaying a fake CAPTCHA check to the prospective target, presents a message stating a document has been shared with them and that they need to copy and paste the file path on the address bar by pressing CTRL + L.
The phishing page also includes a prominent “Open File Explorer” that, upon clicking, opens the File Explorer and copies a malicious PowerShell command to the user’s clipboard. Thus, when the victim pastes the “file path,” the attacker’s command is executed instead.
This, in turn, is achieved by altering the copied file path to prepend the PowerShell command before it followed by adding spaces to hide it from view and a pound sign (“#”) to treat the fake file path as a comment: “Powershell.exe -c ping example.com<space># C:\<path_to_file>\decoy.doc“
“Additionally, our PowerShell command will concatenate the dummy file path after a comment in order to hide the command and show the file path instead,” mrd0x said.
Phishing Campaigns Galore
The surge in ClickFix campaigns also coincides with the discovery of various phishing campaigns that –
- Leverage a .gov domain to send phishing emails that masquerade as unpaid toll to take users to bogus pages that are designed to collect their personal and financial information
- long-lived domains (LLDs), a technique called strategic domain aging, to either host or use them to redirect users to custom CAPTCHA check pages, completing which they are led to spoofed Microsoft Teams pages to steal their Microsoft account credentials
- Distribute malicious Windows shortcut (LNK) files within ZIP archives to launch PowerShell code responsible for deploying Remcos RAT
- Employ lures which supposedly warn users that their mailbox is almost full and that they need to “clear storage” by clicking a button embedded in the message, performing which takes the user to a phishing page hosted on IPFS that steals users email credentials. Interestingly, the emails also include a RAR archive attachment that, once extracted and executed, drops the XWorm malware.
- Incorporate a URL that lets to a PDF document, which, in turn, contains another URL that drops a ZIP archive, which includes an executable responsible for launching an AutoIT-based Lumma Stealer
- Weaponize a legitimate front-end platform called Vercel to host bogus sites that propagate a malicious version of LogMeIn to gain full control over victims’ machines
- Impersonate U.S. state Departments of Motor Vehicles (DMVs) to send SMS messages about unpaid toll violations and redirect recipients to deceptive sites that harvest personal information and credit card details
- Utilize SharePoint-themed emails to redirect users to credential harvesting pages hosted on “*.sharepoint[.]com” domains that siphon users’ Microsoft account passwords.
“Emails containing SharePoint links are less likely to be flagged as malicious or phishing by EDR or antivirus software. Users also tend to be less suspicious, believing Microsoft links are inherently safer,” CyberProof said.
“Since phishing pages are hosted on SharePoint, they are often dynamic and accessible only through a specific link for a limited time, making them harder for automated crawlers, scanners, and sandboxes to detect.”
