ConsentFix Attacks Fake Cloudflare Prompts

Roger Grimes | Jan 9, 2026

ClickFix attacks have been around for decades; only the name is new. ClickFix attacks use social engineering to trick users into clicking on buttons and links that the user is told are needed so their browser or computer can perform some desired action.

ClickFix Attacks

The most common original type of ClickFix attack, and where the name itself comes from, is where a user intentionally searches for some sort of computer error they are having, say Windows error 1F0039a (I made that up), and the search engine returns a lot of links regarding that error.

Unbeknownst to the user, the internet search engine results have been gamed (i.e., “poisoned”) so that a simple search for a solution returns a malicious website high up in the results. Usually, the attacker has either created a fake website with the error message embedded into the website over and over (but not visible to users), or they have paid the search engine vendor to have their website returned when that particular keyword is searched on. Either way, the attacker’s website link ends up high on the list of websites with solutions.

When the user goes to the malicious website, the scammer attempts to social engineer the user into performing an action that is against the user’s best interests. In most cases, it is to click a button to fix something (hence, the “ClickFix” name). Sometimes the button click takes the user to another malicious website, sometimes it downloads a malicious document or content, and sometimes it brings up instructions that the user is supposed to copy and run on their computer.

These days, if you hear of the ClickFix attack, it is usually the type of attack where the victim gets tricked into copying/pasting attack code into their own desktop environment, unwittingly executing malware on their computer. It bypasses firewalls, antivirus scanners and content filters.

Although some of the ClickFix attacks are readily apparent, others are a little sneakier. Here are some great ClickFix examples from a cyber advisory from the U.S. Department of Health and Human Services. And Brian Krebs did a great article on this type of ClickFix example here.

ConsentFix Attacks

The latest iteration that is making the rounds is known as ConsentFix attacks. Same concept, but way more devious and harder to spot. The potential victim is somehow tricked into visiting a malicious website (or a legitimate website with malicious code on it). Almost always, the user will be presented with some sort of object they must click on to continue. Nearly all the cases I see involve the very familiar Cloudflare login “turnstile” (see below).

Who has not seen this prompt a thousand times? Cloudflare is involved in about a third of the most popular websites on the Internet. Cloudflare attempts to prevent distributed denial of service attacks, stop synthetic identities, and a myriad of other types of hacking attacks. They are a very trusted name. They had some recent issues, which took down websites and services all around the world for hours to days.

Well, on these ConsentFix-hacked websites, the logo notice is completely bogus. They want the user to click on the Cloudflare logo, and then usually present some definitely-not-Cloudflare request, like a prompt to run some executable, copy/paste some code, copy/paste a URL, and so on. It is amazing what users will believe Cloudflare is asking them to do to prove their humanity.

But again, what they are asking the user to approve or execute these days is more advanced than the old attacks that simply copied and pasted hexadecimal-encoded commands. For example, with this attack, the commands are AES-encrypted AND hidden as data within a PNG file using steganography. Good luck having a regular user figure that one out.

Push Security published another advanced ConsentFix attack that asked for the user’s email address and then prompted them to copy/paste an extended URL after first logging into their Microsoft O365 account. Who in the world would copy and paste a long URL simply to supposedly prove they are human to Cloudflare? Well, not a lot of people, but probably enough that the hackers feel confident in giving it a go. If it did not work, they would not use it.

I liken all the fake Cloudflare turnstile messages I am seeing to the old fake antivirus screens we saw for years. They are everywhere and familiar to everyone. The scammers are hoping people think they are real. When I first came across the fake Cloudflare turnstile messages, while investigating what I knew to be real phishing links, I was not sure if the Cloudflare message was real or not. It looked real.

But it is not.

If you have not already done so, let your users know what the real Cloudflare turnstile looks like and how it behaves. At most, it might ask them to enable a checkbox. It will not ask them to copy and paste anything to prove they are human. This is a very quick piece of education you can give family members, friends and co-workers to prevent a world of hurt.
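The rule in the paragraph above (a real turnstile asks for a checkbox at most, never a copy/paste) can also be applied when triaging the text of a reported page. This is an added example, not code from the original post or from Cloudflare; the phrase lists, the function name `triageVerificationPage` and the sample page texts are constructed assumptions.

```javascript
// Added example: heuristic triage of the visible text of a "verify you are human" page.
// Phrase lists are illustrative assumptions, not a vendor signature set.
const VERIFICATION_CLAIMS = [
  /verify(ing)? (that )?you are (a )?human/i,
  /prove (that )?you are (a )?human/i,
  /not a robot/i,
  /cloudflare/i,
];

// Requests the article says a genuine turnstile never makes.
const FORBIDDEN_REQUESTS = [
  { name: "copy-paste", re: /\bcopy\b[\s\S]{0,80}\bpaste\b|\bpaste\b[\s\S]{0,40}\b(url|link|code|command)\b/i },
  { name: "run-something", re: /\b(run|execute|open)\b[\s\S]{0,40}\b(command|script|executable|terminal|powershell)\b/i },
  { name: "download", re: /\bdownload\b[\s\S]{0,40}\b(file|tool|fix|update)\b/i },
];

function triageVerificationPage(visibleText) {
  const text = visibleText.replace(/\s+/g, " ");
  const claimsVerification = VERIFICATION_CLAIMS.some((re) => re.test(text));
  const requests = FORBIDDEN_REQUESTS.filter((r) => r.re.test(text)).map((r) => r.name);
  // Copy/paste text alone is normal (docs, tutorials); it only matters when the
  // page also presents itself as a human-verification step.
  let verdict = "not-a-verification-page";
  if (claimsVerification) {
    verdict = requests.length > 0 ? "suspicious" : "consistent-with-checkbox";
  }
  return { verdict, requests };
}

// Constructed sample page texts (not captured from real sites).
const SAMPLES = {
  checkboxOnly: "example.test\nVerify you are human\n[ ]\nPerformance & security by Cloudflare",
  pasteUrlLure: "Verify you are human. Sign in to your account, then copy the URL from the address bar and paste it below to continue. Cloudflare",
  runCommandLure: "Cloudflare needs to prove you are human: open the terminal and follow the steps shown, then press Enter.",
  ordinaryDocs: "Installation: copy the snippet and paste it into your config file.",
};

for (const [name, text] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(triageVerificationPage(text)));
}
```

A keyword heuristic like this is a triage aid for reported pages and will miss lures that render their instructions as images.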

Friends do not let friends copy/paste malicious code!

