This Windows Update Screen Is Actually A Hacker's Trap

Don’t miss out on our latest stories. Add PCMag as a preferred source on Google.

A new attack is mimicking a Windows update to try and trick users into executing malicious commands, likely to install malware.

A cybersecurity researcher at the UK’s National Health Service, Daniel B., spotted the attack while investigating malicious online threats. It’s been running at the groupewadesecurity[.]com domain for the last month. Visiting the site seemingly triggers a PC or even a smartphone to display a full-blown blue screen dressed up like a Windows update, which urges the user to complete three more manual steps from their keyboard.

In reality, the blue screen is a trap from a hacker. The fake Windows update is merely being displayed from the internet domain, and abusing the Fullscreen application programming interface (API) in browsers to take over the entire screen space.

The fake update screen then encourages the user to press the Windows button together with the R key—a little-known function to open the run dialog box, a way to launch programs on a Windows PC. All the while it’ll copy malicious instructions to the user’s clipboard.

The fake update screen then instructs the user to press “CTRL + V”—the paste function—and then press enter. If a victim falls for the trick, they’ll unknowingly run a command, causing their Windows PC to execute computer code from the hacker’s malicious domain.

Other variations of ClickFix (Credit: KnowBe4)

The threat builds on the “ClickFix” technique that’s been targeting Windows PCs for the last year. The tactic tries to trick the user into running the same commands to install malware. In the past, hackers have used the ClickFix technique in fake pages posing as CAPTCHA tests, Chrome browser errors, or government websites. But it looks like the attackers are coming up with more innovative ways to dupe potential victims.

Recommended by Our Editors

“The more recent ClickFix campaigns like these fake Windows update pages are a powerful reminder that user vigilance and cybersecurity awareness training are just as critical as technical defenses,” Daniel B. added.

Fortunately, the attack is easy to foil and spot. That’s because no legitimate site or service will ask you to perform such commands on your computer. The attack is also essentially scareware coming through the browser that can be easily shut down by closing the browser tab or window. Google’s Chrome will also advise you to press “ESC” to return to the normal view when the browser goes into full-screen mode.

Still, cybersecurity vendors are reporting a surge in ClickFix-related attacks, which can overcome traditional antivirus software since the user is unwittingly orchestrating the malware infection. “The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-aligned threat actors,” ESET said in June.