ClickFix attacks are a new kind of phishing attack that uses your trusting nature against you, getting you to help the scammers do their dirty work.
Know those little boxes that pop up on websites that make us prove we are a human and not a robot? These are called Captcha boxes. And they are called that for a reason. It is actually an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”.
How the scam works is you get an email with a link. You open the link and you get a page that displays a Captcha test similar to the above. However, this one comes with some special instructions…
Here, you don’t just have to check a box or select a bunch of pictures that have a motorcycle in them. You are asked to do some stuff on your keyboard.
In this example they are trying to get you to open a prompt on your computer that takes instructions, called the Run Command. You press CTRL+V and this pastes a command that has been put into your clipboard. Pressing Enter actually runs the command on your computer.
So, you basically just ran a command on your computer for the scammers. What that command does is utilize a part of your system to start downloading malware from a website.
Same Thing, Different Presentation
There are multiple variations of this scam, but they all pretty much act the same way. They might just start off a bit differently. Here are samples to keep an eye out for:
You see, there are multiple ways to pull off this scam. Always remember the 4 P’s when opening strange links and whenever you encounter something different.
“the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” – Oxford Dictionary
Phishing scams are normally done through emails. If it is via text message, it is called Smishing, short for SMS phishing. And if it is via telephone, it is called Vishing, for voice phishing.
Phishing Scams
These are the emails that are trying to trick you into giving up your personal information, like login credentials, credit card numbers or bank account information. They usually come in the form of a message from a trusted service, like your bank or another service you might use, or possibly a warning about a problem with your computer. Either way, they are all tricks. Let’s get into them.
Let’s say you get an email that has the following message within it:
First reaction, you would panic, right?! You need access to your money – and this was probably sent Saturday afternoon, right after the banks closed for the weekend – what are you going to do?
1. Stop, Pause and Think
Well, before we click on that button, let’s remember the 4 P’s of Fraud and take a pause.
They are Pretending to be from TD Bank, they introduce a Problem with your account, they Pressure you to act immediately and validate your account, and you will Pay if you click that link.
The 4 P’s will help you before you click on any links or buttons in the email. Stop and think of the 4 P’s for every email you get, especially if you want to react immediately.
2. What Other Clues Do We Have?
Once you have paused for a minute, start taking a look around.
Who Sent It?
Take a look at the four samples below… The From field can show just the sender’s name, or the email address, or both. You need to pay attention here.
a)
b)
c)
d)
Look at the first line in each example. These are all examples of how the email can be shown in your email viewer. Looking at a), it just shows TD Canada Trust, with no actual email address. If you mouse over that field, it will show you the email address it was really sent with.
Looking at b), here we see TD Canada Trust with an email address in brackets. This is the real email address it was sent with. Think TD would email you from a gmail.com account?
Looking at c), this one shows [email protected] in the From field, followed by that gmail account again in brackets. Here they are trying to trick you by putting in a real email address in the From name part of the From field.
Now, for d), this one just shows the email address, but it is actually the name portion that is displaying. Mousing over the From field will display its real email address.
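The same check can be done by a script instead of a mouse-over. This is an added example, not part of the original article: it splits a raw From header into the name part and the real address and flags the four patterns above. The trusted domain list, the brand words and the sample addresses are assumptions made up for the illustration.

```python
from email.utils import parseaddr

# Assumption for this example: the domains the real sender uses.
TRUSTED_DOMAINS = {"td.com"}
# Assumption: brand words that should only appear with a trusted domain.
BRAND_WORDS = ("td canada trust", "td bank")

def domain_of(address):
    """Return the lower-cased domain of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""

def is_trusted(domain):
    """True for a trusted domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_from(header):
    """Return a list of warnings for one raw From header value."""
    name, address = parseaddr(header)
    real_domain = domain_of(address)
    warnings = []
    # Cases c) and d): the name part is itself made to look like an address.
    if "@" in name:
        shown_domain = domain_of(name.strip("<>\"' "))
        if shown_domain != real_domain:
            warnings.append(f"name shows {shown_domain} but mail came from {real_domain}")
    # Cases a) and b): a brand name sitting on top of an unrelated address.
    if any(word in name.lower() for word in BRAND_WORDS) and not is_trusted(real_domain):
        warnings.append(f"brand name used with untrusted domain {real_domain}")
    return warnings

# Constructed sample headers (the addresses are invented for this example).
SAMPLES = [
    '"TD Canada Trust" <sender123@gmail.com>',
    '"alerts@td.com" <sender123@gmail.com>',
    '"TD Canada Trust" <alerts@td.com>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_from(header) or "no warnings")
```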
Easy To Be Fooled Isn’t It?
As you can see, it is tricky how they manipulate the system, isn’t it? You probably won’t think twice about a) and d), as they both look legit at first glance. The others you might be able to catch, and with a little practice you will.
Email clients have been training us wrong all these years. If you look at your inbox now, with all the emails you have received, you probably only see the names listed.
So the first thing you see is an email from TD Canada Trust in your inbox, with one of those big red exclamation points beside the subject, indicating something is wrong and you need to take a look immediately. Right off the bat, you are on guard and ready to resolve whatever the issue might be.
3. Where Do the Links Take You?
Next we check the body of the email. Hover over any links or buttons. You should see a pop-up showing you where it is going to take you.
Now, that doesn’t look like the site you normally go to, right? Well, let’s just peek behind the curtain of that site and see what would have happened if you did click on it.
It takes you to a site that looks just like TD Bank’s Login page. An exact replica! Look at the address bar, that isn’t TD.
What this is, is a fake landing page. They do a masterful job of mimicking the real sites. You can even use all the other links, and they take you to the right place on the real site. But that Username or Access Card and Password field doesn’t go to TD Bank. You enter your details and press Enter or click the Submit button. You get a message that the login failed. In the meantime, you are redirected to the real TD Bank website and get the exact same login page again. This time you can log in just fine.
The Scammers Have What They Wanted
When you logged into the site via the scammers’ fake site, you handed your bank login details over to the bad guys. The site then refreshed, and you ended up on the real site. A real switcheroo just happened right before your eyes. You might think at this point that something smells fishy (phishy), but you look up at the address bar, and you see https://authentication.td.com/, the real site. And you might think you were being over cautious for a reason.
The Best Course Of Action
Think of the 4 P’s.
Always verify who the sender is.
Never click on links or buttons in emails without first pausing and hovering over the link to see where you are going. Or, just don’t click on links or buttons in emails, period.
If you are unsure and want to verify, don’t click any links or buttons in emails. Always log in to the site the way you normally do, via the bank’s real website.
Remember, these emails can come from anybody and can carry any sort of message that is trying to get a reaction out of you without thinking first. It might be from the bank, like our example, but it can pretend to be from Canada Services, Canada Revenue Agency, from Netflix, from anywhere… you can never tell. If they are telling you there is a problem, or that you have to update your billing details, or you just need to confirm something, anything that smells, well, phishy, pause, and take a few moments for your safety.