Listen to the episode
TLDR
The ClickFix campaign exploits compromised web portals to display a fake anti bot verification screen (or a fake browser error) before the expected page. The user is prompted to open a PowerShell window (Win+X, then I), paste with CTRL+V...
How it works
The ClickFix campaign exploits compromised web portals to display a fake anti bot verification screen (or a fake browser error) before the expected page. The user is prompted to open a PowerShell window (Win+X, then I), paste with CTRL+V...
Red flags
- Urgent pressure to click, pay, or share codes immediately.
- A link or sender that does not match the official organization.
- Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What to do
- 1The ClickFix campaign exploits compromised web portals to display a fake anti bot verification screen (or a fake browser error) before the expected page.
- 2Red flag Fake CAPTCHA verification or browser error asking to open PowerShell/Terminal Step by step instructions to type key combinations (Win+X, CTRL+V, Enter) Legitimate but compromised sites: the anomalous page appears before the expected content What to do Never execute commands suggested by web pages, even if they appear to be security checks Be wary of portals that require opening system shells or pasting content Update OS and browser, use an antivirus with web protection and report the incident to segnalazioni.acn.gov.it
Source
csirt-italia
Source reviewed by Mythos Forensic Team
https://www.acn.gov.it/portale/w/clickfix-campagna-distribuisce-codice-malevoloFAQ
Is ClickFix: fake anti bot screens trick users into executing malicious code via PowerShell a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.
What should I do first?
The ClickFix campaign exploits compromised web portals to display a fake anti bot verification screen (or a fake browser error) before the expected page.; Red flag Fake CAPTCHA verification or browser error asking to open PowerShell/Terminal Step by step instructions to type key combinations (Win+X, CTRL+V, Enter) Legitimate but compromised sites: the anomalous page appears before the expected content What to do Never execute commands suggested by web pages, even if they appear to be security checks Be wary of portals that require opening system shells or pasting content Update OS and browser, use an antivirus with web protection and report the incident to segnalazioni.acn.gov.it
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.