- ClickFix uses fake CAPTCHA screens to trick users into launching malware through simple keyboard commands
- The phishing page mimics Cloudflare perfectly, down to the security indicators and the lock icon
- Clicking “Verify you are human” starts a process that silently infects your machine with malware
A sophisticated phishing technique is currently circulating that uses fake Cloudflare CAPTCHA pages to infect users with malware.
New research from SlashNext states that the technique, known as ClickFix, builds on familiar web behaviour, tricking users into executing commands that install malicious software.
ClickFix works by presenting a forged version of the Cloudflare Turnstile CAPTCHA. Everything, from the visual design to technical elements such as the Ray ID identifier, is replicated convincingly.
It relies on a prompt that users are accustomed to seeing and rarely scrutinize.
The phishing site may be hosted on a domain that closely resembles a legitimate one, or on a real website that has been compromised.
When users land on the page, they are asked to tick a box labeled “Verify you are human.” This step seems routine and raises no suspicion, but what follows is the core of the scam: users are guided through a set of instructions, pressing Win+R, then Ctrl+V, and finally Enter.
These steps seem harmless, but they execute a PowerShell command that has already been silently copied to the user’s clipboard.
Once executed, the command can retrieve malware such as Stealc or Lumma, or even remote access Trojans such as NetSupport Manager.
“ClickFix is a social engineering attack that deceives users into running malicious commands on their own devices, all under the appearance of a routine security check,” said security researcher Daniel Kelley.
What makes ClickFix especially insidious is how it weaponizes standard security expectations. The lock icon, the familiar CAPTCHA format and a legitimate-looking URL all encourage compliance.
This exploits what the researchers call “verification fatigue”: a user’s tendency to click through security prompts without adequate scrutiny.
The trick does not depend on exploiting software vulnerabilities, but rather on abusing habitual trust and behaviour.
The phishing page is delivered as a single HTML file, but it contains embedded, obfuscated scripts designed to perform clipboard injection.
Because it abuses legitimate Windows utilities and does not download an executable, it can evade many traditional detection tools.
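The single-file lure described above can be screened statically before a user ever sees it. The following heuristic scanner is an added example written for this article, not SlashNext’s code: it separates inline script from visible page text and scores indicators of a clipboard-injection lure (a clipboard write API next to the word “powershell”, obfuscation helpers, and Run-dialog coaching text such as “Win + R”). The indicator weights, the alert threshold and both sample pages are constructed assumptions for the demo.

```python
"""Static scan of an HTML page for ClickFix-style clipboard-injection lures.

Added example with constructed sample pages; the weights and threshold are
illustrative assumptions, not a vendor signature.
"""
import re
from html.parser import HTMLParser

# Indicators found inside <script> bodies. Weights are an assumption.
SCRIPT_INDICATORS = {
    r"navigator\.clipboard\.writeText": 3,      # modern clipboard write API
    r"execCommand\(\s*['\"]copy['\"]\s*\)": 3,  # legacy clipboard write
    r"powershell": 4,                           # command meant for the Run dialog
    r"\batob\(": 1,                             # base64 decoding, common in obfuscation
    r"String\.fromCharCode": 1,                 # character-code string building
}
# Indicators found in the visible page text.
TEXT_INDICATORS = {
    r"verify (that )?you are human": 2,         # Turnstile-style wording
    r"win\s*\+\s*r": 3,                         # "press Win+R" coaching
    r"ctrl\s*\+\s*v": 2,                        # "press Ctrl+V" coaching
    r"ray id": 1,                               # cloned Cloudflare element
}
ALERT_THRESHOLD = 6  # assumption: tune against your own traffic

class _Extractor(HTMLParser):
    """Split a document into inline script bodies and visible text."""
    def __init__(self):
        super().__init__()
        self.scripts, self.text, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)

def scan_html(html):
    """Return (score, list of matched indicator patterns) for one document."""
    parser = _Extractor()
    parser.feed(html)
    script_blob = "\n".join(parser.scripts)
    text_blob = " ".join(parser.text)
    score, hits = 0, []
    for blob, table in ((script_blob, SCRIPT_INDICATORS), (text_blob, TEXT_INDICATORS)):
        for pattern, weight in table.items():
            if re.search(pattern, blob, re.IGNORECASE):
                score += weight
                hits.append(pattern)
    return score, hits

def is_clickfix_lure(html):
    """True when the combined indicator score crosses the alert threshold."""
    return scan_html(html)[0] >= ALERT_THRESHOLD

# Constructed lure page: the clipboard payload is a placeholder, not a real command.
SAMPLE_LURE = """<html><body>
<p>Ray ID: 0000000000000000</p>
<label><input type="checkbox" id="cb"> Verify you are human</label>
<p class="steps">1. Press Win + R  2. Press Ctrl + V  3. Press Enter</p>
<script>
document.getElementById('cb').onclick = function () {
  var cmd = atob('PLACEHOLDER_BASE64');
  navigator.clipboard.writeText('powershell ' + cmd);
};
</script></body></html>"""

# Constructed benign page: a checkbox and a script with no clipboard access.
SAMPLE_BENIGN = """<html><body>
<label><input type="checkbox"> Remember me</label>
<script>console.log('loaded');</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        score, hits = scan_html(page)
        print(f"{name}: score={score} flagged={score >= ALERT_THRESHOLD} hits={hits}")
```

Scoring script and text separately matters: a clipboard write alone is normal on many sites (copy-to-clipboard buttons), and “verify you are human” alone is what a genuine CAPTCHA says; it is the combination with Run-dialog coaching and a PowerShell string that distinguishes the lure.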
Standard defenses such as antivirus software or endpoint protection are usually geared toward catching suspicious downloads or binaries. But in this case, users are tricked into launching the threat themselves.
This highlights the need for advanced malware protection with zero-hour defense, capable of detecting clipboard injection and fake CAPTCHA screens in real time.
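Because the user launches the command, endpoint telemetry still records it: the page’s Win+R, Ctrl+V, Enter sequence produces a PowerShell process whose parent is the Windows shell (explorer.exe). The following triage function is an added example, not part of the article or of any product: it classifies constructed, Sysmon-like process-creation records, raising an alert when PowerShell is spawned by explorer.exe with window-hiding or encoding flags, and a lower-severity “suspect” when only one of those signals is present. The field names, the flag list and every sample line are assumptions built for the demo; the command contents are placeholders.

```python
"""Triage process-creation records for the ClickFix execution pattern.

Added example. Records are constructed key=value lines in a Sysmon-like
shape; field names are an assumption, not a vendor schema.
"""
import re

# PowerShell flags that hide the window or carry an encoded script; an
# interactively pasted command rarely needs these. List is an assumption.
HIDDEN_FLAGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile\b|-enc\b|-encodedcommand\b",
    re.IGNORECASE,
)

def parse_record(line):
    """Parse 'key=value' pairs; values may be double-quoted to allow spaces."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(line):
    """Return 'alert', 'suspect' or 'ok' for one process-creation record."""
    rec = parse_record(line)
    image = rec.get("image", "")
    parent = rec.get("parent_image", "")
    cmd = rec.get("command_line", "")
    # Only PowerShell hosts are in scope for this rule.
    if not re.search(r"\\(powershell|pwsh)\.exe$", image, re.IGNORECASE):
        return "ok"
    from_shell = parent.lower().endswith("\\explorer.exe")  # Run dialog, Start menu
    hidden = bool(HIDDEN_FLAGS.search(cmd))
    if from_shell and hidden:
        return "alert"      # shell-launched, hidden PowerShell: the ClickFix shape
    if from_shell or hidden:
        return "suspect"    # one signal only: worth a look, not conclusive
    return "ok"

def triage(lines):
    """Classify every record, returning (verdict, pid) pairs in input order."""
    return [(classify(line), parse_record(line).get("pid")) for line in lines]

# Constructed telemetry. Paths are real Windows locations; commands are placeholders.
SAMPLE_EVENTS = [
    # ClickFix-like: spawned by explorer.exe with a hidden window
    r'ts=2025-01-01T10:00:00Z pid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'parent_image=C:\Windows\explorer.exe command_line="powershell -w hidden -c PLACEHOLDER_COMMAND"',
    # Admin script from a terminal: not shell-spawned, no hiding flags
    r'ts=2025-01-01T10:01:00Z pid=4121 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'parent_image=C:\Windows\System32\cmd.exe command_line="powershell -File C:\scripts\backup.ps1"',
    # Unrelated application started from the shell
    r'ts=2025-01-01T10:02:00Z pid=4122 image=C:\Apps\app.exe '
    r'parent_image=C:\Windows\explorer.exe command_line="app.exe"',
    # Hidden-window PowerShell from a service host: suspect, but not the ClickFix shape
    r'ts=2025-01-01T10:03:00Z pid=4123 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'parent_image=C:\Windows\System32\svchost.exe command_line="powershell -NoProfile -WindowStyle Hidden -File C:\tasks\cleanup.ps1"',
]

if __name__ == "__main__":
    for verdict, pid in triage(SAMPLE_EVENTS):
        print(f"pid={pid} verdict={verdict}")
```

The parent-process relationship is the durable signal here: the pasted command’s text changes from campaign to campaign, but a PowerShell process whose parent is explorer.exe and whose arguments hide the window is rare in normal user activity, which is why the rule keys on the shape of the launch rather than on the payload.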