- Security researchers found ClickFix attacks that have evolved to target other operating systems
- On Android and iOS, the attack is particularly disturbing as it turns into a drive-by attack
- The malware is already flagged by antivirus programs
ClickFix, a notorious hacking technique that tricks people into running malware while they think they are solving a problem on their computer, has evolved, experts have warned.
New research from C/Side has revealed that what used to be a Windows-only attack method is now also capable of targeting macOS, iOS and Android devices.
In a blog post analyzing the development, the researchers said the new attack starts with a compromised site. The threat actors injected JavaScript code that redirected users to a new browser tab when they clicked on certain items on the page. The new tab then shows a page that looks like a legitimate URL shortener, with a message telling the visitor to copy and paste a link into the browser. Doing so triggers another redirection, this time to a download page.
Retrieving the malicious payload
This is where the technique differs, depending on the victim’s operating system.
On macOS, the attack leads to a terminal command that fetches and executes a malicious shell script already flagged by several antivirus programs.
On Android and iOS, things are even worse, as the attack no longer requires any user interaction.
“When we tested this on Android and iOS, we expected a ClickFix variant. But instead we came across a drive-by attack,” the researchers explained.
“A drive-by attack is a type of cyberattack in which malicious code is performed or downloaded on a device by simply visiting a compromised or malicious web page. No clicks, installations or interaction required.”
In this case, the site downloads a .tar archive file that holds malware. This one, too, was already flagged by at least five antivirus programs.
“This is a fascinating and evolving attack that demonstrates how attackers expand their reach,” explained C/Side. “What started as a Windows-specific ClickFix campaign is now targeted at macOS, Android and iOS, which extends the extent of the operation.”



