This article analyzes the Clickfix phishing incidents, highlighting the evolution of CAPTCHA bypass techniques and the exploitation of user trust in verification mechanisms. It details how attackers use social engineering to manipulate users into executing malicious commands, leading to data theft. Affected: Windows system users, WordPress websites, online security sector
Keypoints :
- Clickfix is a phishing technique that exploits user fatigue with verification processes.
- Attackers create fake interactive pages mimicking legitimate services like Google Meet.
- Malicious JavaScript code is injected into compromised WordPress sites.
- Users are tricked into executing commands that download and execute malicious payloads.
- The attack chain involves multiple stages, including initial access and data theft.
- Decentralized blockchain technology is used to evade traditional security measures.
- Over 700 websites were compromised with phishing code by January 2025.
MITRE Techniques :
- Social Engineering (T1203): Attackers use fake CAPTCHA prompts to manipulate users into executing malicious commands.
- Command and Control (T1071): Malicious payloads communicate with remote servers to download additional scripts.
- Exploitation of Vulnerability (T1203): Attackers exploit vulnerabilities in WordPress sites to gain control and inject malicious code.
- Credential Dumping (T1003): The final payload collects sensitive information such as cookies and user credentials.
Indicator of Compromise :
- [domain] solve[.]vwglq[.]com
- [domain] solve[.]jenj[.]org
- [domain] solve[.]gevaq[.]com
- [domain] solve[.]fizq[.]net
- [url] deduhko2[.]kliphuwatey[.]shop
- Check the article for all found IoCs.
Full Story: https://www.aqniu.com/vendor/108017.html