This Windows Update Pop-Up Is a Scam


Update screens are a familiar sight for Windows users. Hackers have recently exploited this routine with a new scheme that delivers malware under the guise of a “critical security update.” This tactic is a recent variation of the ClickFix attack, which aims to deceive users into executing harmful commands while believing they are enhancing their device’s security.

When a Windows update pop-up is actually a ClickFix attack

ClickFix employs social engineering techniques, utilizing fake error messages, CAPTCHA forms, and command prompts to facilitate the installation of malware. As reported by PCMag, the scam manifests as a pop-up that mimics the standard Windows blue screen, but in reality, it is a full-screen browser page originating from a malicious domain.

The ClickFix component, which is what sets the page apart from the genuine update interface, is a series of keystrokes that prompt users to paste and execute a harmful command. This ultimately results in malware being installed on their devices. The instructions often convey a sense of urgency, a hallmark of many scams.

Researchers from the cybersecurity firm Huntress have meticulously outlined the mechanics of this attack. They have identified an iteration where users are asked to verify their humanity instead of completing a legitimate security update. According to Bleeping Computer, the malicious code is cleverly embedded within the pixel data of PNG images, with the final payload being one of two known infostealers.

Following a recent law enforcement operation, Huntress noted that while fake Windows update pages persist across various domains, these domains no longer appear to host the malware payload. Nonetheless, the potential for this type of attack—or a variation of it—remains a concern for users.

How to stay safe from this ClickFix attack

If you are a Windows user, encountering a blue or black update or error screen is likely a common experience. You may not raise an eyebrow if your computer unexpectedly initiates an update or prompts you to take additional steps for confirmation. However, it is crucial to recognize that a legitimate update screen will display a progress indicator and advise against turning off your computer. If you are ever asked to input manual commands, consider this a significant red flag indicative of a ClickFix attack—something no trusted service would require.

Maintaining an up-to-date computer is essential. Microsoft issues security updates on the second Tuesday of each month, a day known as Patch Tuesday. Users can enable automatic updates on their machines to ensure they receive fixes promptly as they become available.

For those wishing to take extra precautions against ClickFix attacks on Windows, disabling the Windows Run box removes one place where a pasted command can be executed, enhancing your device’s security further.
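One way to apply the Run box precaution for the current user, and to review what has already been launched from it, is sketched below. This is an added example, not something from the article or the researchers it cites. The two registry locations are standard Windows ones; the function names and the list of patterns treated as worth reviewing are assumptions to tune for your environment.

```powershell
# Added example: per-user Run box hardening and history review.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$runMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Get-RunBoxHistory {
    # RunMRU keeps each command typed into the Run box as a value named a, b, c...
    # with a trailing "\1". MRUList only holds the ordering and is skipped.
    if (-not (Test-Path $runMruKey)) { return }
    $props = Get-ItemProperty -Path $runMruKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' } |
        ForEach-Object { $_.Value -replace '\\1$', '' }
}

function Test-SuspiciousRunCommand {
    param([string]$Command)
    # Assumed pattern list: script hosts, downloaders and URLs that an
    # ordinary Run box entry (notepad, calc, a folder path) does not contain.
    $patterns = 'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c',
                'curl', 'bitsadmin', 'msiexec', 'https?://'
    foreach ($p in $patterns) {
        if ($Command -match $p) { return $true }
    }
    return $false
}

function Disable-RunBox {
    # NoRun = 1 is the registry form of the Group Policy setting
    # "Remove Run menu from Start Menu". Sign out and back in to apply it.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    New-ItemProperty -Path $policyKey -Name 'NoRun' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# 1. Review what has already been executed from the Run box.
foreach ($cmd in (Get-RunBoxHistory)) {
    $flag = if (Test-SuspiciousRunCommand $cmd) { 'REVIEW' } else { 'ok' }
    '{0,-6} {1}' -f $flag, $cmd
}

# 2. Disable the Run box for the current user and confirm the value.
Disable-RunBox
'NoRun = {0}' -f (Get-ItemProperty -Path $policyKey -Name 'NoRun').NoRun
```

An entry marked REVIEW is a prompt to look closer, not proof of compromise; administrators and developers often have legitimate entries that match.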

Winsage