A fast-growing security threat known as ClickFix is driving a significant number of security breaches by exploiting user interaction within web browsers. Also referred to as FileFix or fake CAPTCHA attacks, this technique involves tricking users into running malicious scripts on their own devices. The core of the attack relies on social engineering, where a user is prompted to solve a problem on the page, such as completing a complex CAPTCHA or fixing a supposed webpage error, in order to proceed. This method preys on a user’s willingness to follow instructions to resolve an issue.

The Copy/Paste Deception Mechanism

The name “ClickFix” can be misleading, as the critical step involves more than just a click. Attackers design webpages with convincing lures that instruct the user to copy a block of code or a command directly from the page’s clipboard. The user is then told to paste and run this command locally, often in a command prompt, PowerShell, or terminal, under the guise of verifying their identity or resolving the fabricated technical issue. Unbeknownst to the victim, this copied code is a malicious script. Once executed with the user’s own permissions, it can lead to immediate system compromise, data exfiltration, or the deployment of further malware like ransomware.

Threat Actors and Real-World Victims

This attack vector is actively used by sophisticated threat actors in real-world campaigns. The Interlock ransomware group is known to regularly employ ClickFix TTPs (Tactics, Techniques, and Procedures) to gain initial access to corporate networks. Other prolific attackers, including state-sponsored Advanced Persistent Threats (APTs), also leverage this method for espionage and sabotage. The effectiveness of these copy/paste attacks is demonstrated by their connection to several recent, public data breaches. Organizations that have been publicly linked to ClickFix-style intrusions include Kettering Health, DaVita, the City of St. Paul, Minnesota, and the Texas Tech University Health Sciences Centers, highlighting the widespread impact of this technique.