Latest news with #ClickFix


Forbes
3 days ago
- Business
- Forbes
This Dangerous Email Tricks You Into Hacking Your Own PC
Take a walk through any major tourist city in the world, and eventually you will see them. On a bridge or promenade or in a park. Someone sitting with three plastic cups and a bunch of onlookers, watching as someone is scammed. Everyone knows it's a scam. It doesn't matter that you've watched as the marble is placed under a cup, keeping an eagle eye on it as the three cups are swapped around. The marble has moved and you cannot win. You know you should know better.
So it is with the so-called ClickFix lures currently hacking PCs around the world. The leading example of the new wave of 'scam yourself' attacks, you know you should know better. But the cleverness of the hook, the trickery of the scammer still works.
As McAfee explains, ClickFix attacks 'begin with users being lured to visit seemingly legitimate but compromised websites. Upon visiting, victims are redirected to domains hosting fake popup windows that instruct them to paste a script into a PowerShell terminal.' In reality, this 'sophisticated form of social engineering, leveraging the appearance of authenticity' just 'manipulates users into executing malicious scripts.'
A new warning from Cofense has just outed one of the most devious lures I've seen recently. It's a nasty attack that plays on the human emotions and fears of the victim being scammed, so much so that they don't see the attack coming. But they should. The dangerous email lure is sent to businesses in the travel industry, purporting to be from market giant warning that a customer has made a serious complaint and giving the recipient a time-boxed opportunity to respond using the link provided.
'While the exact email structure varies from sample to sample,' Cofense says, 'these campaigns generally provide emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers.' The campaign 'preys on the recipient's fear of leaving a guest dissatisfied' and might 'claim that a guest was trying to contact the hotel but was unable to get a response.' Cofense provides one such example, which is 'particularly notable for mentioning potential reputational damage and giving a strict 24-hour deadline for compliance.'
Not all these attacks are negative; some suggest requests or questions from future (imaginary) guests, while also providing a link for the hotel operator to respond. 'The emails used in these campaigns will sometimes state that the embedded link only works on Windows computers,' simply because this malware only infects Windows PCs.
But despite the lure, the attack is the same as all the others. In this case it's a CAPTCHA 'Robot or Human?' challenge, which instructs the user to open a Windows prompt and paste in the text on the PC's clipboard, and then press Enter. Absent a few wording changes, there is no variation in this part of the attack. It's the most blatant tell. Cofense says some of the latest attacks used Cloudflare CAPTCHAs while others used brand instead. The instructions, though, are all the same.
Once you know about ClickFix, in theory at least you can't be fooled. But the cybercriminals will try nonetheless, and the attacks are flying, so it's working. Don't be fooled. Never paste in copied text and hit Enter in this way. Whether it's a CAPTCHA, a secure website or document restriction, or a technical fault, it's always an attack. And the hacker is always you.
Yahoo
4 days ago
- General
- Yahoo
Devious new ClickFix malware variant targets macOS, Android, and iOS using browser-based redirections
- Security researchers found ClickFix attacks evolving to target other operating systems
- On Android and iOS, the attack is particularly worrisome, as it transforms into a drive-by attack
- The malware is already being flagged by antivirus programs
ClickFix, an infamous hacking technique that tricks people into running malware thinking they're fixing a problem on their computer, has evolved, experts have warned. New research from c/side has revealed what used to be a Windows-only attack method is now capable of targeting macOS, iOS and Android devices, as well.
In a blog post analyzing the evolution, the researchers said the new attack starts with a compromised website. The threat actors would inject JavaScript code which redirected users to a new browser tab when they clicked on certain elements on the page. The new tab then displays a page that looks like a legitimate URL shortener, with a message to copy and paste a link into the browser - and doing so triggers yet another redirect, this time to a download page.
Here is where the technique diverges, depending on the operating system of the victim. On macOS, the attack leads to a terminal command that fetches and executes a malicious shell script, already flagged by multiple antivirus programs. On Android and iOS, things are even worse, since the attack no longer requires any user interaction.
'When we tested this on Android and iOS, we expected a ClickFix variant. But instead, we encountered a drive-by attack,' the researchers explained. 'A drive-by attack is a type of cyberattack where malicious code is executed or downloaded onto a device simply by visiting a compromised or malicious webpage. No clicks, installs, or interaction required.' In this case, the site downloads a .TAR archive file, holding malware. This one, too, was flagged by at least five antivirus programs already.
'This is a fascinating and evolving attack that demonstrates how attackers are expanding their reach,' c/side explained. 'What started as a Windows-specific ClickFix campaign is now targeting macOS, Android, and iOS, significantly expanding the scale of the operation.'


Forbes
4 days ago
- General
- Forbes
Do Not Click On Any Of These Websites On Your PC
'If it looks like a duck,' starts the so-called Duck Test, then it's probably a duck. And sometimes, cybersecurity threats are just as simple to detect. So it is with the ClickFix attacks now running riot across PCs worldwide. Forget the lure. If a popup window or website asks you to copy and paste text into a prompt, then don't. It's an attack.
The latest warning comes from the investigators at DomainTools, with 'threat actors exploiting human trust' through 'Prove You Are Human' malware. This is ClickFix meets CAPTCHA, the fiddly little tests that ask you to pick out bikes or rearrange the pieces of a jigsaw puzzle. The copy and paste is presented as the human test.
DomainTools warns it has unearthed a 'malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines.' Those scripts 'download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport remote access trojan (RAT).'
With ClickFix, the dangerous script isn't copied and pasted by the victim, it's hosted elsewhere and retrieved by more innocuous text that is copied and pasted. This second stage, 'also functioned as downloaders, making 3 or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieve and run a fourth stage resulting in NetSupport RAT running on the victim host.'
DomainTools being DomainTools, the team investigated and uncovered a broader malware ecosystem underpinning these attacks, with a raft of malicious domains registered for that purpose. This includes 'Docusign spoofed websites,' crafted to trick users into thinking a form or install page is legitimate.
One such example was encoded with a cipher 'to avoid signature detections and obfuscation.'
In this case, that's ROT13, 'in which a simple letter substitution replaces each letter with the 13th letter after it in the alphabet. Completing this operation twice effectively decodes the text.' The page presented back to the victim 'is designed to look like a Cloudflare 'Checking your browser' / CAPTCHA page, mixed with Docusign branding.'
This leads to so-called Clipboard Poisoning, which secretly copies text to the clipboard without the user realizing. 'The user is instructed to (Win+R, Ctrl+V, Enter) or in other words, open their Window Run prompt, copy in the malicious script, and run it.'
Fortunately, all these ClickFix attacks do require you to open a prompt, paste in text and then hit Enter. The obfuscation might disguise the lead-up to the attack, but if you know never to paste and execute any such command regardless of the lure, you will be protected from these attacks.
DomainTools says this latest attack 'capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.' But if you can't be tricked into the final act, you're fine.
In its latest report, Gen (the company behind Norton and Avast) warns 'the most dangerous attacks aren't always the ones that sneak in unnoticed — they are often the ones that make you open the door yourself. Scam-Yourself Attacks rely on well-crafted social engineering tactics, designed to trick users into infecting their own devices.'
But again, while 'ClickFix and FakeCaptcha continue to evolve,' including 'interactive image-based CAPTCHAs mimicking the classical 'select all the traffic lights' puzzle,' the net result is the same. 'After selecting the image, the user is once again redirected to the common set of malicious steps which result in infecting the user's device.'
Here is a list of other websites to look out for:
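As an added example (not code from DomainTools, Forbes or any vendor named above), a triage heuristic for saved page source that looks for the two tells the article describes, a silent clipboard write plus Win+R/paste instructions, in both the page as served and its ROT13 view. The regex patterns, the scoring rule and the sample pages are assumptions constructed for illustration.

```python
import codecs
import re

# Heuristic signals drawn from the behaviour the article describes; the
# patterns and the scoring rule are assumptions of this example.
SIGNALS = {
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I),
    "run_dialog": re.compile(r"\bwin(?:dows)?(?:\s+key)?\s*\+\s*r\b", re.I),
    "paste_step": re.compile(r"\bctrl\s*\+\s*v\b", re.I),
    "enter_step": re.compile(r"\b(?:press|hit)\s+enter\b", re.I),
    "powershell": re.compile(r"\bpowershell\b", re.I),
}


def signals_in(text):
    """Return the names of all signals whose pattern occurs in text."""
    return {name for name, rx in SIGNALS.items() if rx.search(text)}


def triage(html):
    """Scan page source as served and after ROT13 decoding."""
    plain = signals_in(html)
    # ROT13 is its own inverse, so decoding an unencoded page yields noise
    # that matches nothing; an encoded page reveals its real text here.
    decoded = signals_in(codecs.decode(html, "rot_13"))
    found = plain | decoded
    # The combination every report describes: the page fills the clipboard
    # itself AND tells the reader to open Run and paste or press Enter.
    lure = ("clipboard_write" in found and "run_dialog" in found
            and bool(found & {"paste_step", "enter_step"}))
    return {
        "verdict": "clickfix-lure" if lure else "no-match",
        "signals": sorted(found),
        "rot13_only": sorted(decoded - plain),  # hidden behind the cipher
    }


# Constructed sample pages (not captured from any real campaign).
PLAIN_LURE = (
    '<p>Verify you are human: press Win+R, then Ctrl+V, then press Enter.</p>'
    '<script>navigator.clipboard.writeText("PLACEHOLDER-COMMAND");</script>'
)
ROT13_LURE = codecs.encode(PLAIN_LURE, "rot_13")
BENIGN = ('<button onclick="navigator.clipboard.writeText(location.href)">'
          'Copy link</button>')

if __name__ == "__main__":
    for label, page in [("plain", PLAIN_LURE), ("rot13", ROT13_LURE),
                        ("benign", BENIGN)]:
        print(label, triage(page))
```

A clipboard write on its own is common on legitimate pages (the benign sample is a copy-link button), which is why the verdict requires the Run-dialog instructions as well.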


Tom's Guide
5 days ago
- Tom's Guide
Hackers are using fake Booking.com sites to infect summer travelers with dangerous malware — how to stay safe
Summer is here and if you haven't booked your holiday travel plans yet, you're going to want to be extra careful when doing so. The reason being, hackers are now using popular booking sites to infect unsuspecting travelers with dangerous password-stealing malware.
According to the cybersecurity firm Malwarebytes, a new campaign has been spotted online that uses malicious links on social media and gaming sites to trick people into visiting fake sites impersonating the popular online booking service Given that almost half (40%) of people book their travel through general web searches, there are plenty of opportunities for hackers to lead them astray in an attempt to steal their hard-earned cash and sensitive data.
Here's everything you need to know about this new campaign along with some tips and tricks to help you stay safe from hackers while booking your summer getaway.
In a new blog post, Malwarebytes' researchers explain that this new campaign was first spotted online at the end of last month. When a user clicks on one of the malicious links impersonating they're taken to a verification page where fake CAPTCHAs are then used to trick them into copying code over to their clipboard. This occurs when they click on the checkbox next to the text 'I'm not a robot' on one of these fake CAPTCHA that CAPTCHAs are used so frequently online these days, most people wouldn't think twice before clicking one.
However, these fake verification prompts are similar to those we've seen in recent ClickFix attacks. For those unfamiliar, these types of attacks are designed to trick you into infecting your own computer with malware but fortunately, they're easy to spot.
Instead of solving a puzzle or identifying a certain object in a set of pictures, a new verification prompt appears that asks you to do something you never should: run a command prompt and then execute the code that was copied over to your clipboard. This is a major red flag and an easy indication that you're not actually on official website. Still though, unsuspecting travelers trying to lock in a great deal quickly could potentially fall for this tactic. If they do, their computer will be infected with the AsyncRAT the instant they run the code that was previously copied to their clipboard. Given that we're dealing with a Remote Access Trojan here, this malware is able to spy on your computer, steal all sorts of sensitive personal and financial information, record your keystrokes, upload and download files, access your webcam and more. Given that hackers and other cybercriminals can easily put links to fake sites on social media and even in search engines through malicious ads, you need to be extremely careful when booking a vacation or anything else online for that matter these days. Instead of typing the address for a site like into your browser and heading to the first link, you want to scroll all the way down past the ads to the company's actual site. Better yet, if you know a company's web address, just type that into your browser's address bar instead. If you are prompted to verify your identity when visiting a travel site, pay close attention to the form of verification used. Typing out the numbers and letters in a scrambled image or identifying which images in a set are actual cars are both legitimate verification methods. Pressing Win + R to open a command prompt and run code that was copied to your clipboard without your knowledge definitely isn't though. 
To stay safe from any malware that might slip through the cracks, you want to make sure that your PC is protected with the best antivirus software or your Apple computer has the best Mac antivirus software installed. For additional protection though, you might also want to consider signing up for one of the best identity theft protection services as they can help you recover your identity or any funds lost to fraud from scams. Summer is a great time to get out and go somewhere new but if you rush to get that last-minute booking in, you could be putting yourself and your data at risk. That's why you always want to take some extra precautions when making travel plans and if a deal or a website seems too good to be true, it probably is.


Forbes
27-05-2025
- Forbes
Do Not Join Any Meeting On Your PC If You See This Message
There are many complex AI-fueled cyber attacks now targeting PC users — this is not one of them. But if you fall victim, it will still steal your credentials or hijack your device. Fortunately, staying safe is easy if you know what to look for. Unfortunately, many users still do not, and these attacks are spreading like wildfire.
We're talking ClickFix, a popup message that tricks users into copying and pasting text which then runs a malicious PowerShell command. This will download and install malware onto your PC, while you still struggle in vain to access the meeting. The meeting invite is fake, the URL is fake, it's all an attack.
This latest ClickFix warning comes courtesy of Sucuri, which says it 'discovered an HTML file meticulously crafted to resemble the Google Meet interface. This fake Google Meet page doesn't present a login form to steal credentials directly. Instead, it employs a social engineering tactic, presenting a fake 'Microphone Permission Denied' error and urging the user to copy and paste a specific PowerShell command as a 'fix'.'
ClickFix is pure social engineering. Usually manifesting as scamware, tricking users into thinking their PC has failed and they need to install a fix, we are now seeing variations on the theme. While this Google Meet attack is fairly typical, we have also seen ruses to open protected files or access restricted websites.
These malicious meeting invites use clever URLs which often include 'google' and 'join' in the text string. According to Sucuri, this latest attack even displays a 'Verification complete!' message to the user. This is a social engineering tactic to reassure the victim that their action (which led to the execution of this script) was successful and legitimate, while the malicious operations continue in the background.'
Per Kaspersky, 'The tactic was first seen in the spring of 2024.
Since then, attackers have come up with a number of scenarios for its use. The scheme may differ slightly from case to case, but attackers typically give the victim the following instructions:
While the attack is just a ClickFix, Sucuri says 'what makes this fake Google Meet file more dangerous than many we've seen is its self-contained nature: All styles, logos, and layouts are embedded; no external JavaScript files are called; no Google resources or analytics scripts are loaded. The attacker knew what they were doing, they created a file that looks completely harmless in source code, unless you look very closely.'
But you don't need to. Regardless of the website or app you're on, if you see a popup or CAPTCHA with that unmistakable instruction to open a Run window and then copy and paste in copied text, it's an attack. Every single time. Exit the app or website. Do not click anything. And delete whatever email, message or invite took you there in the first place.
As Sucuri says, this fake Google Meet 'represents a significant threat vector where a seemingly simple action – copying and pasting a command can lead to a complete compromise of your computer. The attackers are betting on the users trust and their desire to quickly resolve a perceived technical issue.'