The social engineering tactic ClickFix, used as an initial access vector with fake CAPTCHA verifications, increased by 517% between the second half of 2024 and the first half of this year, according to ESET.
“The list of threats that ClickFix attacks lead to is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools and even custom malware from nation-state-aligned actors,” an ESET laboratory director noted.
ClickFix has become a widely popular and deceptive method that uses bogus error or verification CAPTCHA checks to trick victims into copying and pasting a malicious script into either the Windows Run dialog or the Apple macOS Terminal app, and running it.
The Slovak cybersecurity company said the highest volume of ClickFix detections is concentrated around Japan, Peru, Poland, Spain and Slovakia.
The prevalence and effectiveness of this attack method has led to threat actors advertising ClickFix builders that supply other attackers with ready-made ClickFix pages, ESETadded.
From ClickFix to FileFix
The development comes as security researcher mr.d0x demonstrated an alternative to ClickFix called FileFix, which lures users into copying and pasting a file path into Windows File Explorer.
The technique, in essence, achieves the same outcome as ClickFix but in a different way, by combining File Explorer's ability to execute operating system commands from its address bar with a web browser's file upload feature.
In the attack scenario devised by the researcher, the threat actor could build a phishing page that, instead of showing a fake CAPTCHA to the prospective target, presents a message stating that a document has been shared with them and that they need to copy and paste the file path into File Explorer's address bar by pressing Ctrl+L.
The phishing page also includes a prominent “Open File Explorer” button which, when clicked, opens File Explorer and copies the malicious PowerShell command to the user's clipboard. So when the victim pastes the “file path,” the attacker's command is executed instead.
This, in turn, is achieved by altering the copied file path to prepend the PowerShell command, followed by a run of spaces to hide it from view and a pound sign (“#”) so that the fake file path is treated as a comment: “PowerShell.exe -c Ping Example.com”
“Additionally, our PowerShell command will concatenate the dummy path after the comment to hide the command and show the file path,” mr.d0x said.
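As an added illustration of what a defender can look for (example code written for this page, not from the article or from mr.d0x), the following checks process-creation style events for the FileFix shape described above: PowerShell launched by File Explorer with an inline command, followed by whitespace padding and a “#” comment that ends in a file path. The event layout and the sample events are constructed assumptions, not real telemetry.

```python
import re

# Constructed sample events shaped like a process-creation log
# (parent image, child image, command line). Made up for this example.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "Powershell.exe -c ping example.com" + " " * 60
                + r"# C:\share\HRPolicy.docx"},
    {"parent": r"C:\Windows\explorer.exe",
     "child": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "child": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File .\\build.ps1"},
]

# Inline-command switches (-c / -Command / -EncodedCommand and short forms).
INLINE_FLAG = re.compile(r"\s-(c|command|encodedcommand|e|enc)\b", re.IGNORECASE)
# A long whitespace run, then '#', then something that looks like a Windows
# drive or UNC path: the padding + comment trick used to hide the command.
PADDED_PATH_COMMENT = re.compile(r"\s{8,}#\s*(?:[A-Za-z]:\\|\\\\)\S+")

def score_filefix(event):
    """Return the list of FileFix indicators present in one event (empty = none)."""
    reasons = []
    parent = event["parent"].lower()
    child = event["child"].lower()
    cmd = event["cmdline"]
    if parent.endswith("\\explorer.exe") and child.endswith(("\\powershell.exe", "\\pwsh.exe")):
        reasons.append("powershell spawned by File Explorer")
    if INLINE_FLAG.search(cmd):
        reasons.append("inline command flag")
    if PADDED_PATH_COMMENT.search(cmd):
        reasons.append("whitespace-padded '#' comment ending in a file path")
    return reasons

def is_filefix(event):
    # The padded path comment is the distinctive part; require one more indicator
    # to avoid flagging an ordinary script that happens to contain a '#' comment.
    reasons = score_filefix(event)
    return "whitespace-padded '#' comment ending in a file path" in reasons and len(reasons) >= 2

def scan(events):
    """Return the command lines of all events that match the FileFix pattern."""
    return [e["cmdline"] for e in events if is_filefix(e)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("FileFix-like command line:", hit[:40], "...")
```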
Phishing Campaigns in the Wild
The spike in ClickFix campaigns also coincides with the discovery of various phishing campaigns that –
- Use .gov domains to send phishing emails that masquerade as unpaid fee notices and take users to bogus pages designed to collect their personal and financial information
- Use long-lived domains (LLDs), a technique called strategic domain aging, to either host bogus CAPTCHA verification pages or redirect users to them; on completion, these lead to fake Microsoft login pages that steal the victims' Microsoft account credentials
- Distribute malicious Windows shortcut (LNK) files inside ZIP archives to launch PowerShell code responsible for deploying the Remcos RAT
- Use lures that purportedly warn users that their mailbox is almost full and that they need to “clear storage” by clicking a button embedded in the message, which leads to an IPFS-hosted page that steals the users' email credentials. Interestingly, the emails also include a RAR archive that, once extracted, drops the XWorm malware.
- Embed a URL that leads to a PDF document, which in turn contains another URL that delivers a ZIP archive containing an executable responsible for launching the Lumma Stealer malware
- Weaponize a legitimate front-end platform called Vercel to host bogus sites that distribute a malicious version of LogMeIn to gain full control over the victim's machine
- Impersonate U.S. state Departments of Motor Vehicles (DMVs) to send SMS messages about unpaid toll violations and redirect recipients to deceptive sites that harvest personal information and credit card data
- Use SharePoint-themed emails to redirect users to credential harvesting pages hosted on “*.” domains
“Emails containing SharePoint links are less likely to be flagged as malicious by either EDR or antivirus software. Users are also less suspicious, assuming that Microsoft links are inherently safer,” CyberProof said.
“Since the phishing pages are hosted on SharePoint, they are often dynamic and accessible only through a specific link for a limited time, making them harder for automated scanners, crawlers and sandboxes to catch.”