Ransomware, Phishing

New ClickFix attacks uncovered

Impersonation attacks

Novel ClickFix phishing tactics have been employed in separate attack campaigns, reports The Hacker News. In one campaign, threat actors injected malicious code into the "functions.php" file of compromised WordPress sites; the code loads content from the "porsasystem[.]com" domain and sends visitors to ClickFix-style pages that distribute malware, a Sucuri analysis found. "Site visitors get injected content that was drive-by malware like fake Cloudflare verification," said Sucuri researcher Puja Srivastava. A separate report from Expel researchers described the use of cache smuggling to make ClickFix attacks more covert: when the phishing page loads, the browser caches a payload disguised as a JPEG image, and targets are then lured into pasting a command into Windows File Explorer that runs the obfuscated, already-cached payload, so the file is fetched when the page loads rather than when the command runs. "The implications of this technique are concerning, as cache smuggling may offer a way to evade protections that would otherwise catch malicious files as they are downloaded and executed," noted Expel Principal Threat Researcher Marcus Hutchins. The findings come as Palo Alto Networks Unit 42 researchers reported a new phishing kit, IUAM ClickFix Generator, that lets attackers build sites spoofing browser verification pages; the kit has already been used to deploy the Odyssey Stealer and DeerStealer payloads.
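As an added example (not code from this article or from Sucuri, Expel or Unit 42), the following Python script sketches two checks a defender could run for the two techniques described above: flagging hard-coded third-party hosts in a WordPress theme's functions.php, and flagging browser-cached objects that were served as image/jpeg but do not look like a JPEG or carry an embedded ZIP or script-like strings. The injected line in the sample functions.php, the heuristic strings and the byte samples are constructed for illustration and are assumptions, not indicators published by the researchers.

```python
from __future__ import annotations

import re

# Constructed sample of a theme's functions.php with one injected remote loader.
# The injected line is an illustration, not the code Sucuri reported.
SAMPLE_FUNCTIONS_PHP = r'''<?php
add_theme_support('post-thumbnails');
function my_theme_scripts() {
    wp_enqueue_script('theme-js', get_template_directory_uri() . '/js/theme.js');
}
add_action('wp_enqueue_scripts', 'my_theme_scripts');
// injected:
add_action('wp_head', function () {
    echo '<script src="https://porsasystem.com/cdn/check.js"></script>';
});
'''

URL_RE = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)


def find_remote_loaders(php_source: str, own_hosts) -> list[tuple[int, str]]:
    """Return (line_number, host) for every absolute URL whose host is not one
    of the site's own hosts. Theme code normally builds asset URLs with
    get_template_directory_uri(); a hard-coded third-party host is worth a look."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for n, line in enumerate(php_source.splitlines(), 1):
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if host not in own:
                hits.append((n, host))
    return hits


JPEG_SOI = b'\xff\xd8\xff'          # JPEG start-of-image marker
ZIP_LOCAL_HEADER = b'PK\x03\x04'    # ZIP local file header
# Heuristic strings (assumption): things a smuggled Windows payload tends to carry.
SCRIPT_NEEDLES = (b'powershell', b'-encodedcommand', b'invoke-expression', b'iex(', b'cmd.exe')


def inspect_cached_image(content_type: str, data: bytes) -> list[str]:
    """Heuristics for an object the browser cached under an image content type.
    Returns a list of reasons; an empty list means nothing looked off."""
    reasons = []
    ct = content_type.split(';')[0].strip().lower()
    if ct == 'image/jpeg' and not data.startswith(JPEG_SOI):
        reasons.append('declared image/jpeg but no JPEG SOI marker')
    if ZIP_LOCAL_HEADER in data:
        reasons.append('embedded ZIP local-file header')
    lowered = data.lower()
    for needle in SCRIPT_NEEDLES:
        if needle in lowered:
            reasons.append(f'script-like string {needle.decode()!r}')
    return reasons


# Constructed byte samples: a minimal benign JPEG and a JPEG-prefixed blob that
# carries a ZIP plus a PowerShell one-liner (the shape of a smuggled payload).
BENIGN_JPEG = b'\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00' + b'\x00' * 32 + b'\xff\xd9'
SMUGGLED_JPEG = (
    b'\xff\xd8\xff\xe0\x00\x10JFIF\x00' + b'\x00' * 16
    + b'<<<BEGIN>>>' + ZIP_LOCAL_HEADER + b'\x00' * 8
    + b'powershell -w hidden -EncodedCommand AAAA' + b'<<<END>>>'
)


if __name__ == '__main__':
    for n, host in find_remote_loaders(SAMPLE_FUNCTIONS_PHP, ['example.com']):
        print(f'functions.php line {n}: loads from {host}')
    for name, blob in (('benign', BENIGN_JPEG), ('smuggled', SMUGGLED_JPEG)):
        print(name, inspect_cached_image('image/jpeg', blob) or 'looks like a plain JPEG')
```

To use the checks on real data, read the theme's functions.php from disk and pass the site's own hostnames, and feed cached objects (extracted from the browser cache with a tool that understands its on-disk format) together with the Content-Type they were stored under. The string heuristics are deliberately simple and will need tuning; the magic-byte mismatch and the embedded ZIP header are the more reliable signals.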
