Analysing ClickFix: 3 Reasons Why Copy/Paste Attacks Are Driving Security Breaches
Briefly

"ClickFix attacks prompt the user to solve some kind of problem or challenge in the browser - most commonly a CAPTCHA, but also things like fixing an error on a webpage. The name is a little misleading, though - the key factor in the attack is that they trick users into running malicious commands on their device by copying malicious code from the page to the clipboard and running it locally."
"ClickFix is known to be regularly used by the Interlock ransomware group and other prolific threat actors, including state-sponsored APTs. A number of recent public data breaches have been linked to ClickFix-style TTPs, such as Kettering Health, DaVita, City of St. Paul, Minnesota, and the Texas Tech University Health Sciences Centers (with many more breaches likely to involve ClickFix where the attack vector wasn't known or disclosed)."
"For the past decade or more, user awareness has focused on stopping users from clicking links in suspicious emails, downloading risky files, and entering their username and password into random websites. It hasn't focused on opening up a program and running a command. Suspicion is further reduced when you consider that the malicious clipboard copy action is performed behind the scenes via JavaScript 99% of the time. And with modern ClickFix sites and lures becoming increasingly legitimate-looking (see the example below), it's not surprising that users are falling victim."
ClickFix attacks use malicious browser scripts to prompt users to perform tasks like solving CAPTCHAs or fixing page errors while secretly copying malicious code to the clipboard. The copied code is then executed locally when users paste it into a program, enabling attackers to run arbitrary commands on victims' devices. Interlock ransomware and other threat actors, including state-sponsored APTs, regularly use this technique, and several public breaches have been linked to it. The attacks evade traditional user training because they do not rely on email, are often performed via JavaScript, and use increasingly legitimate-looking lures delivered through SEO poisoning and malvertising.
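As an added example, not code from the article or from any vendor: a defensive content script a security team could load in a managed browser. It watches the two script-driven clipboard write paths the passages above describe and flags writes whose text replaces the user's own selection with something command-like; the marker list, thresholds and function names are assumptions for illustration.

```javascript
// Added example (not from the article): content script for a managed browser
// that logs script-driven clipboard writes. Marker list is an illustrative
// assumption, not a vendor rule.
const COMMAND_MARKERS = [
  /\b(powershell|pwsh|mshta|cmd)(\.exe)?\b/i,                 // Windows interpreters
  /\b(curl|wget)\b[^|\n]*\|\s*(ba|z)?sh\b/i,                   // download piped to a shell
  /\b(iex|invoke-expression|invoke-webrequest|downloadstring)\b/i,
  /\s-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+\/=]{16,})/i,
];

// Pure verdict logic so it can be unit-tested outside a browser.
// selected: text the user highlighted ("" if none); written: what script put
// on the clipboard. A "behind the scenes" write replaces the selection with
// something command-like; a plain mismatch alone is common on legit sites.
function assessClipboardWrite(selected, written) {
  const markers = COMMAND_MARKERS.filter((re) => re.test(written)).length;
  const mismatch = written.trim() !== selected.trim();
  return { suspicious: mismatch && markers >= 1, mismatch, markers };
}

// Installs the hooks; returns false outside a browser (e.g. under Node).
function installClipboardMonitor(report = console.warn) {
  if (typeof window === "undefined" || typeof document === "undefined") return false;
  const selection = () => String(window.getSelection ? window.getSelection() : "");
  // Path 1: navigator.clipboard.writeText() - wrap, assess, then pass through.
  if (navigator.clipboard && navigator.clipboard.writeText) {
    const original = navigator.clipboard.writeText.bind(navigator.clipboard);
    navigator.clipboard.writeText = (text) => {
      const verdict = assessClipboardWrite(selection(), String(text));
      if (verdict.suspicious) report("clipboard write flagged", location.href, verdict);
      return original(text);
    };
  }
  // Path 2: document.execCommand("copy") with a page "copy" listener that calls
  // event.clipboardData.setData(); a capture-phase listener runs before the page's.
  document.addEventListener("copy", (event) => {
    const dt = event.clipboardData;
    if (!dt) return;
    const originalSet = dt.setData.bind(dt);
    dt.setData = (type, data) => {
      if (/^text\//i.test(type)) {
        const verdict = assessClipboardWrite(selection(), String(data));
        if (verdict.suspicious) report("clipboard setData flagged", location.href, verdict);
      }
      return originalSet(type, data);
    };
  }, true);
  return true;
}
```

In Chromium extensions a content script runs in an isolated world, so the writeText hook only sees the page's own calls when the script is injected into the page's main world.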
Read at The Hacker News