9.03.26

Click-Fix Cyber-attacks Explained

Social engineering has long been a tactic employed in different cyber-attacks against businesses, often relying on deceptive communications and programming to trick targets into divulging sensitive data, sharing corporate funds or downloading harmful software. Over the years, some social engineering methods have become increasingly sophisticated, making them more difficult to detect and spawning large-scale losses. One of the most prevalent of these methods is ClickFix cyber-attacks.

Also known as ClearFake attacks, these incidents involve cyber-criminals deploying fraudulent error messages or verification prompts through compromised browsers and phoney software updates, manipulating targets into executing malicious commands under the guise of resolving supposed device or system issues. From there, cyber-criminals can launch destructive malware, potentially stealing affected businesses’ private information and assets and causing significant financial, operational and reputational fallout. Recent years have seen ClickFix cyber-attacks continue to expand in scope and severity, infiltrating multiple popular platforms, evading traditional security mechanisms and gaining traction among advanced threat actors.

With this in mind, it’s critical for businesses to better understand this emerging attack method and effective defence strategies, thereby limiting potential losses. This article provides an overview of ClickFix cyber-attacks, outlines how they can impact businesses and highlights related mitigation tips.

Overview of ClickFix Attacks

ClickFix cyber-attacks begin with cyber-criminals leveraging stolen credentials to install fake plug-ins in compromised web platforms or other digital environments. Upon installation, these plug-ins inject deceptive programming language to create fraudulent variations of well-known browser and software notifications, using technology such as blockchain and smart contracts to acquire malicious payloads.

When ClickFix cyber-attacks are launched, targets are first presented with the phoney notifications, which may include the following common phrases:

• “Something went wrong while displaying this webpage.”
• “There was an error during the latest update of your browser/software.”
• “Your browser/device does not support the necessary files/attachments/plug-ins.”
• “Please verify that you are a human to proceed.”

These notifications then provide specific instructions for targets to follow to “fix” supposed problems with their devices or systems. Unlike standard social engineering methods, which use automated exploits or attachments that download harmful software as soon as targets open or click on them, ClickFix cyber-attacks take the deception a step further by manipulating targets into manually executing malware, prompting them to copy malicious commands (e.g. PowerShell) into their devices’ dialogue boxes or similar utilities (e.g. Windows Run). At that point, cyber-criminals can move forward with payload delivery and utilise the downloaded malware to wreak havoc on targets’ devices or systems.

Because they centre around human-driven execution, ClickFix cyber-attacks are often more difficult to identify as malicious and, as a result, frequently sidestep traditional security measures. In the years since they first gained prominence, these incidents have steadily evolved and, consequently, become more dangerous for impacted businesses. While they initially only had the capacity to spoof certain browsers and be launched via specific software, these incidents now span a range of impersonated platforms (e.g. Google Chrome, Facebook, PDFSimpli and reCAPTCHA) and include variants that can affect Windows, macOS, iOS and Android devices.

Complicating matters, sophisticated hackers have begun packaging the plug-ins needed to deploy ClickFix attacks as a product on the dark web, feeding into the Crime-as-a-Service (CaaS) model and allowing a growing number of cyber-criminals—including nation-state threat actors—to launch these incidents with little to no expertise. The proliferation of these incidents through the CaaS model has also paved the way for a new variation of the ClickFix method to appear, known as the FileFix method. Instead of having targets copy malicious commands into their dialogue boxes, FileFix cyber-attacks trick them into copying these commands into the address bar of their respective browsers. Because targets are often more familiar with address bars than dialogue boxes, this poses serious concerns about the continued growth of such attacks. Going forward, ClickFix cyber-attacks are only expected to continue advancing, making it vital for businesses to take steps to defend against them.

How ClickFix Attacks Impact Business

ClickFix attacks can affect businesses in many ways, leading to the following ramifications:

• Stolen funds and assets—Through these attacks, cyber-criminals can take over targets’ accounts and gain unauthorised access to confidential business records, private stakeholder information and intellectual property. This could enable them to steal critical funds and assets, leaving businesses with considerable financial losses. In some cases, cyber-criminals may employ ClickFix attacks to launch disruptive ransomware incidents, potentially leading to additional financial challenges.
• Damaged systems and technology—Such attacks may also allow cyber-criminals to leverage compromised devices and systems to move laterally across corporate networks, escalate their privileges and infiltrate businesses’ larger IT infrastructures, resulting in more widespread damage and operational disruptions.
• Regulatory and legal penalties—When ClickFix attacks compromise sensitive stakeholder information, businesses may be held liable for failing to protect that data, potentially resulting in regulatory action and financial penalties under the UK General Data Protection Regulations and the Data Protection Act 2018. Organisations may also face additional legal or contractual consequences, depending on the nature of the breach and their obligations to customers, partners or suppliers. The severity of these outcomes could erode customer loyalty and diminish an organisation’s profitability for the foreseeable future.

Risk Mitigation Strategies

There are various risk management measures businesses can implement to help lower the likelihood of ClickFix attacks and limit associated losses if these incidents do happen:

• Promote a culture of cyber-security. First and foremost, businesses should foster a workplace culture that prioritises cyber-security. This primarily entails providing routine awareness training to all staff – regardless of department or tenure – on cyber-hygiene best practices, the latest cyber threats, and related prevention and response tips. As it pertains to ClickFix attacks, this training should highlight common formats and phrasing for such incidents, as well as guidelines for reporting suspected social engineering plots. Employees should be instructed to never interact with or respond to potentially malicious commands.
• Establish safe browsing and script execution policies. Alongside staff training, businesses should establish workplace policies that clearly outline safe browsing behaviours (e.g. using strong passwords across all accounts, verifying website security, installing any available privacy tools and clearing browser data on a regular basis) and restrict the types of commands that can be launched from dialogue boxes and address bars. These policies can help reduce the risk of employees being targeted in ClickFix cyber-attacks and render cyber-criminals’ efforts useless by blocking the accidental execution of malware in the event that staff do fall victim to such incidents.
• Maintain updated software. Businesses should make it a priority to regularly update all workplace devices and systems to help patch known vulnerabilities and other security weaknesses, thereby blocking cyber-criminals from exploiting this technology amid ClickFix attacks. Enabling automatic software updates and using patch management tools can simplify this process.
• Utilise advanced security solutions. Although ClickFix attacks often bypass traditional security measures, equipping devices with advanced threat identification systems, antivirus programmes, firewalls, and endpoint detection and response (EDR) tools can help businesses ensure greater visibility of their entire IT infrastructures and detect any abnormal activity. Such solutions may also help stop cyber-criminals in their tracks, addressing malware before it causes more severe damage.
• Create segmented networks and access controls. To prevent lateral movement through their systems amid ClickFix attacks and expanded attack surfaces, businesses should segment their networks. This way, cyber-criminals will only be able to compromise a small portion of corporate resources, minimising the risk of large-scale damage and disruptions. In addition, businesses should enforce strict access controls and uphold the principle of least privilege, only allowing employees to handle systems and data deemed necessary for their roles.
• Vet all software and technology vendors. Because ClickFix attacks start with cyber-criminals compromising digital environments, businesses should carefully evaluate all software and technology vendors, especially niche or lesser-known providers, for possible security flaws before finalising contracts and purchases. In doing so, businesses can avoid introducing new vulnerabilities and offering further avenues for ClickFix attacks.
• Have a plan. Cyber-incident response plans can help businesses ensure that necessary procedures are taken when attacks occur, thereby minimising related losses. These plans should be well documented, practiced often and address a range of scenarios (including ClickFix attacks).

Cyber Insurance

Besides these strategies, it’s imperative for businesses to secure ample insurance to help cover losses stemming from potential ClickFix cyber-attacks. In particular, cyber insurance may help reimburse costs associated with ransomware, data breaches, business interruption and incident response stemming from malware delivered via social engineering scams, including ClickFix attacks. However, the level and scope of such coverage may vary based on policy wording. For instance, some insurers may limit or fully exclude coverage for losses resulting from cyber-attacks caused by social engineering scams that manipulated honest employees – albeit unknowingly – into openly participating in the incidents. Since ClickFix attacks involve employees manually executing malware, this may hinder coverage for such events.

What’s more, insurers willing to offer protection for these attacks are adopting increasingly strict underwriting guidelines, demanding policyholders demonstrate effective security awareness training regimens, EDR deployment, access controls and incident response readiness as a prerequisite for coverage. Considering these developments, it’s best for businesses to consult trusted insurance professionals to assess their unique ClickFix exposures, determine their specific coverage needs and, if necessary, explore additional policy endorsements and alternative risk transfer solutions to minimise any gaps in protection.

Conclusion

ClickFix cyber-attacks pose numerous risks. As these attacks grow more prevalent, it’s vital for businesses to have proper safeguards in place. By maintaining awareness of these events and taking sufficient steps to address them, businesses will be better equipped to navigate this evolving cyber-security landscape and, in turn, prevent major losses.

Contact us today for further cyber-security and insurance solutions.

Information provided by Zywave with a contribution from Lisa Langley, (Cert CII) Team Leader, Professional Risks, Cox Mahon Ltd.