ClickFix Browser Attacks: How Fake Captchas Steal Your Data

The ClickFix Browser Threat

• 💡 The "ClickFix" threat, also known as "CAPTCHAgeddon," is a browser-based attack that tricks users into executing malicious code.
• 🎯 Attackers leverage fake CAPTCHA challenges, which users are accustomed to solving, to lure victims into pasting and running PowerShell or shell commands.
• 🔑 This method bypasses the need for direct downloads, making it a stealthy and effective way to compromise systems.

Evolution of Attack Vectors

• 🚀 Initially, this attack propagated through malvertising on websites, particularly in the gray area of streaming and download sites.
• 📈 Attackers evolved to compromise legitimate, high-traffic websites, including many WordPress sites, to inject their malicious scripts.
• 🌐 This shift allows attackers to leverage the trust users place in well-known websites, even branding fake CAPTCHAs with the compromised site's logo.

Social Engineering and Deception

• 🧠 The attack exploits the user's conditioned reflex to solve CAPTCHAs, lowering their defenses and making them more susceptible to the social engineering tactic.
• 🎭 Attackers can even brand fake CAPTCHAs with the logo of the compromised website, making them appear entirely legitimate.
• 🎣 More targeted campaigns have been observed, such as those aimed at Booking.com users (hotel owners), using fake CAPTCHAs in phishing attempts to steal credentials.

Evasion and Persistence Tactics

• 🛠️ Attackers obfuscate PowerShell code by altering casing and generating new malicious code on the fly for each interaction.
• ⚠️ They employ redirection techniques to avoid presenting the malicious code directly on a single page, making detection harder.
• 🏃 This creates a continuous cat-and-mouse race between attackers and security researchers, with the threat persisting for nearly two years.

Recommendations for Protection

• 🛡️ Awareness is the primary defense; understanding that fake CAPTCHAs might involve running code is crucial.
• 💻 For organizations, disabling PowerShell on user machines can be an effective mitigation, as many users do not require it.
• 🔒 Implementing advanced security layers beyond default browser or system protections is essential to catch these types of attacks before they succeed.