- Clickfix uses false CAPTCHA screens to encourage users to launch malware via single keyboard commands
- The phishing page perfectly imitates the cloudflare, to the ID Ray and the safety padlocks
- Click on “Make sure you are human” starts a process that silently infects your machine with malware
A sophisticated but deceptively simple phishing technique is currently circulating, using false Captcha Cloudflare pages to infect users with malicious software.
New research by SlashNEXT is claiming the technique, known as Clickfix, prey familiar Internet behavior, encouraging users to execute commands that install malware.
Clickfix works by presenting a counterfeit version of the Cloudflare turn Captcha page. Everything, from visual layout, to technical elements such as ID Ray identifier, is convincingly replicated.
Based on an prompt that users will generally not be examined
The phishing site can be hosted on an area that looks closely, or on a real website that has been compromised.
When users land on the page, they are invited to check a labeled box “check that you are human”. This step seems routine and does not raise any suspicion – but the following is the heart of the scam: users are guided through a set of instructions – by pressing Win + R, then Ctrl + V, and finally enter.
These steps seem harmless, but they execute a PowerShell command which has already been silently copied into the user’s clipboard.
Once executed, the command can recover malware such as Stealc, Lumma or even Trojan horses remotely like Netsupport Manager.
“Clickfix is a social engineering attack that encourages users to execute malicious orders on their own devices – all under the cover of a routine safety check,” said security researcher Daniel Kelley.
What makes clickfix particularly insidious is how it transforms standard safety expectations into weapons. The padlock icon, the familiar Captcha format and a legitimate appearance URL are all used for users of Vermins.
This exploits what researchers call “verification fatigue”, a user’s trend to click on safety prompts without appropriate examination.
The trick was not based on the exploitation of software vulnerabilities, but rather on the abuse of usual trust and behavior.
The phishing page is delivered as a unique HTML file, but contains integrated scripts and dark code designed to make clippick injections.
Because it uses legitimate Windows utilities and does not download executables, it can escape many traditional detection tools.
Standard defenses, such as antivirus software or protection of termination points, are generally intended to capture downloads or suspect binary. But in this case, users are led to launch the threat themselves.
This highlights the need for advanced protection of malicious software with a defense of zero hours, capable of detecting injections of clipboard and false CAPTCHA screens in real time.
