(Credit: Jon Martindale/PCMag)
The ClickFix internet scam has been circulating for at least a year, and uses various tricks to dupe you into entering a string of text into a PC's terminal. The best way to combat this? Don't do it. No legitimate service will ever ask you to open a terminal window and input commands.
As Ars Technica reports, scammers are targeting people via WhatsApp messages, search results, or phishing emails. The goal is to get the victim to enter text into the terminal window, which gives hackers access to their system.
A report from Sekoia found that one ClickFix scheme went after the hotel industry. "The intrusion began with a malicious email sent from a compromised address to a hotel reservation or administration email," Sekoia says. "The subject line referred to a customer request, while the email body reproduced the Booking.com brand identity to convince the recipient of its authenticity. The email included a URL that ultimately led to the compromise of the victim machine through the ClickFix social engineering tactic.
"Once compromised, Booking professional accounts are typically sold and then exploited by other actors to deliver targeted banking phishing emails to hotel guests."
Modern antivirus and anti-ransomware programs, web browser protections, and Windows Defender are all strong enough that some of the most effective hacks and malware attacks of today have to rely on the classic weakest link in the chain: the user. ClickFix attacks primarily use social engineering to prompt the target to run a malicious command on their own system, so that victims infect themselves and suffer damage through data and credential theft.
"Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions," Microsoft noted in its own report this summer.
The faux Google links, meanwhile, take advantage of people searching for technical help. We often try to solve minor technical issues on our own, and think nothing of "other seemingly benign interactions, such as human verification and CAPTCHA checks," Microsoft notes.
In each case, the scam encourages users to open a terminal window of some kind, usually the Windows Run dialog box (Windows Key + R), and then paste a string of text into it. The pasted command connects to a remote server and downloads malware, often without the user's knowledge.
If any communication, no matter how legitimate-looking, ever asks you to open a Run dialog or a command prompt in order to prove your identity, rest assured it's a scam.
If you want to take an extra step to protect your identity from scammers and hackers, never provide any personal information to anyone without prompting. If someone calls, emails, or messages you, asking for proof of your identity, call them back or contact them on another device via a route that you know is secure. It's a bit of a pain, but it beats falling prey to the next ClickFix scam.
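For anyone checking a PC after a suspected ClickFix prompt: Windows keeps a history of what was typed into the Run dialog under the `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` registry key. The following is an added example, not code from PCMag or any of the reports quoted above, that triages exported RunMRU values for the pattern described earlier; the indicator list, the function names and the sample entries are assumptions made for illustration.

```python
import re

# Heuristic indicators: assumptions chosen for this example, not a vendor rule set.
INDICATORS = {
    "script_host": re.compile(
        r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|curl|certutil|"
        r"bitsadmin|msiexec|rundll32|regsvr32)(\.exe)?\b", re.I),
    "remote_url": re.compile(r"https?://|\b\d{1,3}(\.\d{1,3}){3}\b", re.I),
    "hidden_or_encoded": re.compile(
        r"(?<!\S)-(w(indowstyle)?\s+h(idden)?|e(nc(odedcommand)?)?)\b", re.I),
    "verification_lure": re.compile(r"captcha|robot|verif", re.I),
}

# Constructed sample of exported RunMRU values; the flagged entry is an inert
# placeholder, not a working command. Windows stores each entry with a "\1" suffix.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",  # most recent first
    "a": "notepad\\1",
    "b": "cmd\\1",
    "c": "https://intranet.example.invalid/wiki\\1",
    "d": 'powershell -w hidden -c "[placeholder] https://example.invalid/x"'
         " # I am not a robot: verification ID 0000\\1",
}

def parse_runmru(values):
    """Return Run-dialog commands, most recent first, without the "\\1" suffix."""
    names = [n for n in values.get("MRUList", "") if n in values]
    # Keep entries missing from MRUList instead of silently dropping them.
    names += sorted(k for k in values if k != "MRUList" and k not in names)
    return [values[n][:-2] if values[n].endswith("\\1") else values[n] for n in names]

def indicators(command):
    """Names of the heuristics that match one command string, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))

def triage(values):
    """Flag entries that start a script host AND show at least one other indicator."""
    findings = []
    for command in parse_runmru(values):
        hits = indicators(command)
        if "script_host" in hits and len(hits) >= 2:
            findings.append((command, hits))
    return findings

if __name__ == "__main__":
    for command, hits in triage(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS {hits}: {command}")
```

A plain `cmd` or a bare intranet URL typed into the Run dialog is not flagged, because each matches only one indicator; a clean result does not prove the machine is safe, since the history can be cleared.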


