Cybercriminals are getting increasingly clever in how they integrate themselves into the software we use daily. Recently, there have been sophisticated phishing attempts that imitate banking websites, display fake alerts claiming your device is infected, and even present deceptive “human verification” prompts urging users to execute potential malware commands. A new development stemming from the ClickFix campaign is particularly concerning.
Rather than merely asking users to verify their humanity, these attackers now pose as Windows updates. Their schemes can be so convincing that you might follow their instructions without a second thought—just what they aim for.
Understanding the Fake Updates
Researchers have observed ClickFix evolving from its previous human verification tactics. Now, it shows a full-screen Windows update interface that closely resembles the genuine article. For example, Joe Security demonstrated how these pages might feature counterfeit progress bars and misleading security update prompts.
If you’re on Windows, you might encounter a prompt asking you to open a dialog box and paste content from your clipboard. That content is actually a command that covertly downloads malware. Typically, this results in an info-stealer that can capture passwords, cookies, and various other data from your system.
The whole infection process kicks off when you execute the command. It starts with a file named mshta.exe contacting a remote server to fetch a script. To evade detection, these URLs often employ hex encoding and rotate frequently. The script executes obfuscated PowerShell code that frustrates security researchers. Upon completion, it decrypts a hidden .NET assembly, which acts as a loader.
Why is This So Hard to Identify?
The loader conceals the next phase within what appears to be a regular PNG file. Using a custom technique called steganography, it embeds secret data within what looks like regular content. Specifically, the attacker makes subtle modifications to the red channel’s color values in certain pixels, leaving the image seemingly untouched.
This script knows where to extract and decrypt the concealed data, reconstructing the malware directly in memory—without leaving any discernible traces on the disk. Traditional security tools that depend on file scanning won’t catch this since the malicious code isn’t saved as an individual file.
Once the shellcode is reconstructed, it gets injected into legitimate Windows processes such as explorer.exe. This approach employs well-known in-memory techniques. Recent activity from ClickFix has introduced new variations of information-stealing tools, designed to quietly gather user credentials and effortlessly relay them to the attacker.
Protecting Yourself from ClickFix Campaigns
Staying safe means being proactive and following some fundamental steps. Here’s a brief rundown:
1) Avoid Running Unrequested Commands
If a website instructs you to execute PowerShell or input a command into Terminal, take it as a major red flag. Genuine system updates never require users to run commands from random pages. Proceeding with such instructions could give attackers complete access. If something feels off, close the page immediately.
2) Stick to Official Update Channels
Updates should only be processed through the Windows Settings app. If you see anything suggesting updates outside of that, it’s likely a scam. Always verify any requests against the official Windows Update page.
3) Invest in Reputable Antivirus Software
Choose security software that identifies both file-based and in-memory threats. Stealthy attacks like ClickFix don’t always leave traces that conventional scanners can find. Solutions featuring behavior detection and sandboxing offer better chances of catching unusual activity early.
4) Use a Password Manager
A password manager can create unique, strong passwords for each account and autofill them on legitimate sites, which aids in identifying phishing attempts. If your password manager warns that a site isn’t safe, review the URL before entering any information.
5) Consider a Data Deletion Service
Many attacks leverage already available personal information online. Using data deletion services can help minimize your digital footprint by removing your details from data broker websites. While not foolproof, reducing accessibility limits potential attackers’ opportunities.
6) Verify URLs Before Trusting Them
A polished webpage doesn’t guarantee legitimacy. Always inspect the domain name carefully. If it diverges from the official site or contains odd spellings, back away. Scammers often exploit people’s inability to check the address bar while focusing on design.
7) Exit Suspicious Full-Screen Pages Quickly
Many fake update pages attempt to go full-screen to mask the browser interface. If you encounter this unexpectedly, hit Esc or Alt+Tab to exit. Once out, perform a system scan and avoid returning to that site.
Summary
ClickFix thrives on user engagement. The attack won’t proceed unless you follow the displayed instructions. As such, fake Windows update pages are notably hazardous, relying on something the majority of users trust. If you’re used to screens freezing during genuine updates, you might not question these prompts. Cybercriminals are aware of this and build interfaces that mimic the ones users recognize, counting on you to perform the final action. The technical prowess behind these attacks is intricate, but it fundamentally hinges on one simple aspect—you unwittingly aiding them.
Have you ever copied a command from a website without carefully considering the implications? Let us know your experiences.
