Sixfold surge of ClickFix attacks threatens corporate defenses

July 9, 2025

The ClickFix attack tactic represents something of an anomaly among social engineering methods. To some extent or another, all social engineering tactics depend on user ignorance, but perhaps none moreso than ClickFix, which requires the target to think that copying and pasting code from a website and running it in their local terminal is a legitimate CAPTCHA challenge. The only thing perhaps more shameful than the absolute brazenness of ClickFix is the fact that it is so effective. Since its inception in 2024, use of the ClickFix tactic has skyrocketed by more than 500%. It is now the second-most common attack vector after phishing.

Why exactly is it that ClickFix is so effective? There are two broad ways that ClickFix is deployed, and both have their own reason. The first is similar to older tech-support scams, but requires less hands-on-keyboard intervention. By using a fake error message, a set of commands to be copied and pasted into the command line can be presented as a solution. The average computer user is not capable of recognizing a fake vs. real error, not able to troubleshoot their system, not able to recognize malicious commands, and when confronted with the possibility of a nonfunctional computer tends to be so desperate that they are willing to try anything. This puts them in an ideal position to be victimized by ClickFix.

The other scenario in which ClickFix is employed is the CAPTCHA tactic. This capitalizes on user ignorance as to the purpose of CAPTCHA tasks. On a regular basis, users are tasked to perform seemingly nonsensical tasks, such as the deciphering of words or the recognition of images. If a user does not know the purpose of these tasks, which is to improve machine vision through human confirmation, they may not be surprised when a CAPTCHA asks them to copy and paste code into their machine. In their view, it may just be another random task. Therefore, in both the case of the error prompt and the CAPTCHA prompt, the main difficulty is ignorance, and therefore the main solution must be education. In the long run, similar to how Microsoft has disabled macros by default in their documents, a structural solution may have to be sought. In the meantime, users will need to be made aware on a large scale of the existence of the ClickFix tactic, its dangers, how to detect it, and how to avoid it.

More from Blackwired

July 2, 2025

SquareX: Browser AI Agents Are The Weakest Link

Browser AI agents pose major security risks, often falling for phishing and OAuth attacks due to lack of built-in safeguards.

Read more
June 25, 2025

US Homeland Security warns of escalating Iranian cyberattack risks

US-Iran conflict escalates; DHS warns of rising cyber, terror threats from Iran, allies, and hacktivists targeting US infrastructure.

Read more
June 18, 2025

CISA Issues Comprehensive Guide to Safeguard Network Edge Devices

New global guidance urges stronger edge device security to counter rising zero-day threats—focus on logging, MFA, and hardening.

Read more

© 2024 Blackwired. All Rights Reserved.