A new attack is impersonating Windows Update to try to get users to execute malicious commands, potentially installing malware.
Daniel B., a cybersecurity researcher at Britain’s National Health Service, came across the attack while investigating malicious threats online. It has been running on the GroupsWide Security (.) COM domain since last month. Visiting the site apparently causes a PC, or even a smartphone, to display a full-screen blue page dressed up as Windows Update, which prompts the user to complete three more manual steps from their keyboard.
In fact, the blue screen is a hacker’s trap. The fake Windows Update screen is simply a web page served from an Internet domain, and it abuses the full-screen Application Programming Interface (API) in browsers to take over the entire screen space.
The fake update screen then prompts the user to press the R key as well as the Windows key. Every now and then it will copy malicious instructions to the user’s clipboard.
The fake update screen then instructs the user to press “Ctrl + V” – the paste function – and then press ENTER. If a victim falls for this trick, they will unwittingly run the command, causing their Windows PC to execute computer code from the hacker’s malicious domain.

Other variations of ClickFix (Credit: KnowBe4)
The threat builds on the “ClickFix” technique that has been targeting Windows PCs for the past year. The tactic tricks the user into running a single command that installs the malware. In the past, hackers have used ClickFix techniques on fake pages that pose as CAPTCHA tests, Chrome browser errors, or official websites. But it seems that attackers are coming up with more innovative ways to trick potential victims.
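The combination described above (a page that writes to the clipboard and then tells the visitor to paste into the Run dialog, optionally behind a full-screen Windows Update lure or a fake CAPTCHA) can be checked for in saved page source. The following is an added example, not code from the researcher or any vendor named here; the signal names, patterns, scoring and sample pages are constructed assumptions for illustration.

```python
import html
import re

# API calls, matched against raw page source (markup plus inline script).
CODE_SIGNALS = {
    "fullscreen": r"\.(webkit)?requestFullscreen\s*\(",
    "clipboard_write": r"navigator\.clipboard\.writeText\s*\(|execCommand\s*\(\s*['\"]copy['\"]",
}
# On-screen instructions, matched against visible text with tags removed.
TEXT_SIGNALS = {
    "run_dialog_prompt": r"\bwin(dows)?( key)? ?\+ ?r\b",
    "paste_prompt": r"\bctrl ?\+ ?v\b",
    "update_lure": r"\bwindows update\b",
}

def visible_text(source):
    """Drop script/style bodies and tags, decode entities, normalise spacing."""
    body = re.sub(r"<(script|style)\b.*?</\1\s*>", " ", source, flags=re.S | re.I)
    body = html.unescape(re.sub(r"<[^>]+>", " ", body))
    return re.sub(r"\s+", " ", body).lower()

def find_signals(source):
    hits = {n for n, p in CODE_SIGNALS.items() if re.search(p, source, re.I)}
    text = visible_text(source)
    return hits | {n for n, p in TEXT_SIGNALS.items() if re.search(p, text)}

def verdict(source):
    hits = find_signals(source)
    # Core of the trick: the page fills the clipboard AND tells the user to paste it.
    if "clipboard_write" not in hits or not hits & {"run_dialog_prompt", "paste_prompt"}:
        return "no-match"
    # Full-screen takeover or the Windows Update dressing raises confidence.
    return "high" if hits & {"fullscreen", "update_lure"} else "medium"

# Constructed samples; the clipboard payload is a harmless placeholder string.
FAKE_UPDATE = """<div onclick="go()"><h1>Windows Update</h1>
<p>Press <b>Windows key</b> + <b>R</b>, then <b>Ctrl</b> + <b>V</b>, then Enter</p></div>
<script>function go(){document.documentElement.requestFullscreen();
navigator.clipboard.writeText("PLACEHOLDER-COMMAND");}</script>"""
FAKE_CAPTCHA = """<p>Verify you are human: press Win+R, then Ctrl+V</p>
<script>navigator.clipboard.writeText("PLACEHOLDER-COMMAND")</script>"""
COPY_BUTTON = """<pre id="c">pip install example</pre>
<button onclick="navigator.clipboard.writeText(c.innerText)">Copy</button>"""

if __name__ == "__main__":
    for name in ("FAKE_UPDATE", "FAKE_CAPTCHA", "COPY_BUTTON"):
        print(name, verdict(globals()[name]))
```

An ordinary "copy to clipboard" button does not match because the page never instructs the visitor to paste the content into the Run dialog.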
“Recent click-fix campaigns like these fake Windows Update pages are a powerful reminder that user monitoring and cybersecurity awareness training are just as important as technical defenses,” added Daniel B.
Fortunately, the attack is easy to spot and foil, because no legitimate site or service will ask you to run such commands on your computer. The attack is also essentially browser-based scareware that can be stopped by closing the browser tab or window. When the browser goes into full-screen mode, Google’s Chrome will also prompt you to press “ESC” to return to normal view.
Still, cybersecurity vendors are reporting an increase in ClickFix-related attacks, which can overwhelm traditional antivirus software because users are unwittingly orchestrating the malware infections themselves. “The list of threats that lead to ClickFix attacks is growing by the day, including infostealers, ransomware, remote access trojans, cryptominers, post-exploitation tools, and even custom malware from nation-state-linked threat actors,” ESET said in June.
About our expert

Michael Kahn
Senior reporter
Experience
I have been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite Internet services, cybersecurity, PC hardware and more. I am currently based in San Francisco, but previously spent over five years in China, covering the country’s technology sector.
Since 2020, I’ve covered the launch and explosive growth of SpaceX’s StarLink satellite Internet service, writing 600+ stories on availability and feature launches, but also regulatory battles over expanding satellite constellations, battles with rival providers like AST SpaceMobile and Amazon, and efforts to expand satellite-based mobile service. I’ve combed through FCC filings for the latest news and reached out to remote corners of California to test StarLink’s cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. Earlier this year, the FTC forced Avast to pay $16.5 million for secretly harvesting and selling its personal information to third-party clients, as revealed in my joint investigation along with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. Now I’m following how President Trump’s tariffs will affect the industry. I’m always eager to learn more, so please jump into the comments with feedback and send me pointers.
