Researchers at Push Security warn of an extremely convincing ClickFix attack posing as a Cloudflare verification check. ClickFix is a social engineering technique that tricks the victim into copying and pasting a malicious command, then running it on their computer.
In the instance observed by Push Security, the phishing page shows a pop-up box that appears to come from Cloudflare, instructing the user to press the keyboard shortcut that opens a terminal and then run a command. The malicious command is copied to the clipboard automatically by JavaScript on the page, so the user only has to open the terminal and press Ctrl+V (or Cmd+V on a Mac).
The box even has an embedded video showing the user what to do. This video is tailored for either Windows or Mac users, depending on which system the victim is using. The box also has a countdown timer to encourage the user to act quickly.
“This is an incredibly slick example — it almost looks like Cloudflare shipped a new kind of bot check service,” the researchers write. “The embedded video, countdown timer, and counter for ‘users verified in the last hour’ all serve to increase the sense of authenticity, and put extra pressure on the victim to complete the check.”
The researchers note that since ClickFix relies primarily on social engineering, technical defenses struggle to block it.
“Although there are ways to block web pages from performing copy to clipboard via device settings or group policy, the practical reality of ClickFix means that these methods are not effective,” the researchers write. “Because ClickFix is a user gesture-initiated paste event (some form of user interaction such as a button-press is required on the page before loading the ClickFix lure) it cannot be blocked from the host.”
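The two mechanics the article describes, the OS-tailored lure and the gesture-triggered clipboard write, are easy to see in code. The following is an added example written for this page, not code from Push Security or from the lure itself; the platform detection, the asset paths and the placeholder `echo` commands are all assumptions constructed for the demo, and stand in for whatever a real lure would copy.

```javascript
// Added example, not the lure's own code. Demonstrates how a ClickFix page
// (a) tailors the video and shortcut hint to the victim's OS and (b) copies a
// command to the clipboard from inside a user-gesture handler, which is what
// makes the copy indistinguishable from any legitimate "copy" button.

// Constructed placeholders for the demo; a real lure would copy its payload here.
const DEMO_COMMANDS = {
  windows: 'echo ClickFix-demo-windows',
  mac: 'echo ClickFix-demo-mac',
  other: 'echo ClickFix-demo-other',
};

// Pure function: classify the browser's platform from its User-Agent string.
// Assumed heuristic; the real page may use navigator.platform or client hints.
function classifyPlatform(userAgent) {
  const ua = String(userAgent || '');
  if (/Windows NT/i.test(ua)) return 'windows';
  if (/Macintosh|Mac OS X/i.test(ua)) return 'mac';
  return 'other';
}

// Build the per-victim lure: which command to copy, which tutorial video to
// embed (hypothetical asset path) and which paste shortcut to show.
function buildLure(userAgent, commands = DEMO_COMMANDS) {
  const platform = classifyPlatform(userAgent);
  return {
    platform,
    command: commands[platform],
    video: `/assets/verify-${platform}.mp4`,   // hypothetical path
    shortcut: platform === 'mac' ? 'Cmd+V' : 'Ctrl+V',
  };
}

// Write text to the clipboard. Must be called from a user-gesture handler
// (click, keydown): navigator.clipboard.writeText requires transient user
// activation, and the execCommand('copy') fallback only succeeds while such an
// event is being dispatched. That gesture requirement is the "user
// gesture-initiated" property the researchers refer to.
async function copyToClipboard(text) {
  if (typeof navigator !== 'undefined' && navigator.clipboard && navigator.clipboard.writeText) {
    await navigator.clipboard.writeText(text);
    return 'async-clipboard';
  }
  // Fallback for older browsers: answer the synthesized copy event ourselves,
  // so no text selection is needed on the page.
  const onCopy = (e) => {
    e.clipboardData.setData('text/plain', text);
    e.preventDefault();
  };
  document.addEventListener('copy', onCopy, { once: true });
  document.execCommand('copy');
  return 'execCommand';
}

// Wire the lure to a button: the click supplies the gesture the browser demands.
function installLure(buttonEl, userAgent) {
  const lure = buildLure(userAgent);
  buttonEl.addEventListener('click', () => { copyToClipboard(lure.command); });
  return lure;
}

// Only touch the DOM when one exists (the pure helpers above run under Node too).
if (typeof document !== 'undefined') {
  const btn = document.getElementById('verify-btn');   // assumed element id
  if (btn) installLure(btn, navigator.userAgent);
}
```

The point for defenders is in `copyToClipboard`: the same two APIs back every legitimate copy-to-clipboard button on the web, and both only fire after a genuine click or keypress, so there is no host-side signal that separates this copy from a benign one. The lure's work is done before anything reaches the terminal.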
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Push Security has the story.
