
A new form of malware, dubbed “ClickFix,” is tricking users into infecting their own devices through social engineering. The threat first emerged in March 2024 and has spread quickly because it is so effective. Individuals, businesses, and institutions are all at risk and should take extra care to learn how to identify and protect against ClickFix and other social engineering schemes.

Social Engineering: Even the Pros May Fall for It

Social engineering works because it exploits trust. By masquerading as a trusted website or reliable authentication tool, bad actors use psychological influence to convince people to perform certain actions or divulge confidential information.

In many social engineering schemes, greed is at play (think of the notorious “Nigerian Prince” scam). Other schemes use a sense of fear or urgency to induce users to act rashly to fix a mistake or to avoid “missing out” on something free or valuable. Fake IT support calls work because they make employees feel that they’ve made a mistake requiring “IT’s” help to fix. No one wants to make a critical error on the job, so they’re very quick to comply.

ClickFix: A Wolf in Sheep’s Clothing

ClickFix attacks often start with a perpetrator logging into a website with stolen credentials and then installing fake plugins. These plugins inject malicious code into the site. In the early days of ClickFix, compromised sites usually contained fake browser update malware. The threat actors have since evolved and will now mimic common authentication tools like CAPTCHA.

On the user side, the breach presents as a convincing alert. It may look like a browser update notification or a CAPTCHA interface. In the browser update scenario, on-screen steps guide the user to install malware such as remote access trojans and infostealers.

Users fall for these prompts because they present as a command to either “fix the problem” on the user’s device or as a need to “prove you are human.” These types of interactions are so common during everyday computer usage that users quickly comply with almost zero consideration that they might not be real. In October, a spate of fake Google Meet conference errors convinced users to allow infostealing malware onto their devices.

Some more recent ClickFix attacks have become even more explicit, targeting users who are looking to download games, PDF readers, messaging apps, and tools like Zoom.

ClickFix Infiltrates Car Dealership Websites

Earlier this year, over 100 car dealership websites were found to be infected with ClickFix malware.

The dealership sites shared a common third-party vendor, LES Automotive, that was initially involved in the hack. ClickFix-style malware spread from LES to the dealership sites, causing them to secretly host malicious scripts that displayed fake update messages. Unfortunately, customers looking to book service or shop for new cars were tricked into downloading malware, granting the attacker access to their devices.

In the case of the dealerships, SectopRAT malware was installed on end user machines, providing hackers with multiple options for stealth activities, such as stealing browser and crypto-wallet data.

Protecting Yourself and Your Business

Remember that even savvy users can be exploited in a sophisticated social engineering attack. Be mindful of your own actions while also working to train and protect those around you. Kids and older relatives may be too trusting of every popup that appears on their device.

Staying skeptical is the top priority. Don’t download software updates from pop-ups. Always go to an official website. Urgent security alerts that demand immediate action are very suspicious. Proceed with care. Make sure personal computers are updated regularly and have security software with phishing and malware protection.

Businesses should integrate social engineering training into a regular cybersecurity curriculum. End-users should be empowered to recognize and report suspicious pop-ups, emails, and security alerts. Ensure that all company websites are secure; prevent your sites from being hijacked and becoming a vector for malware. Use web filtering to block suspicious domains. And regularly audit third-party software and website scripts.
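One way to carry out the website script audit recommended above, as an added example that is not the article's own tooling: it parses a page with Python's standard library, flags script sources outside an allowlist of expected hosts, and hashes inline scripts so they can be compared against a baseline saved from an earlier audit. The sample page, host names, and allowlist are constructed.

```python
# Added example, not from the article: flag script sources outside an allowlist
# and inline scripts absent from a saved baseline. Hostnames are placeholders.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from an HTML page."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._capturing = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._capturing = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._capturing = False
    def handle_data(self, data):
        if self._capturing and data.strip():
            self.inline.append(data.strip())

def audit_scripts(html, site_host, allowed_hosts, baseline_hashes):
    """Return off-allowlist script sources and SHA-256 of inline scripts not in baseline."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    unexpected = []
    for src in p.external:
        host = urlparse(src).hostname  # None for relative (same-origin) URLs
        if host and host != site_host and host not in allowed_hosts:
            unexpected.append(src)
    hashes = [hashlib.sha256(b.encode()).hexdigest() for b in p.inline]
    new_inline = [h for h in hashes if h not in baseline_hashes]
    return {"unexpected_sources": unexpected, "new_inline_hashes": new_inline}

# Constructed sample page: a legitimate jQuery include, a same-origin script,
# one known inline snippet, and an injected third-party "verification" script.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="/js/site.js"></script>
<script>window.dealer = {id: 42};</script>
<script src="https://cdn.unknown-vendor.example/verify.js"></script>
</head><body></body></html>"""
KNOWN_INLINE = {hashlib.sha256(b"window.dealer = {id: 42};").hexdigest()}

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_HTML, "dealer.example", {"code.jquery.com"}, KNOWN_INLINE))
```

Run it against the live HTML of each page on a schedule and treat any new source or new inline hash as a change to investigate, not to silently re-baseline.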

The following should all go without saying, but we’ll say it anyway: Encrypt sensitive data. Make regular backups. And implement network segmentation and the principle of least privilege. Make sure that if a threat does sneak through it causes as little damage as possible.

Spread the Word

ClickFix is a reminder that cyber threats don’t always exploit weaknesses in tech. They also exploit the human psyche. Everyone is at risk in a social engineering scheme. Share this article to help protect others from falling victim to this newly pervasive threat.

Need help integrating social engineering recognition into your cybersecurity training? Reach out to Asylas at 615-622-4591 or email info@asylas.com. Or complete our contact form.