The update screen is a normal occurrence on Windows machines, so of course hackers are now manipulating it to sneak malware onto devices. The scheme, a recent iteration of a ClickFix attack, is designed to trick you into executing a dangerous command under the guise of completing a “critical security update.” But what you’re actually doing is installing an infostealer that hands data over to bad actors.
When a Windows update pop-up is actually a ClickFix attack
ClickFix is a social engineering ploy that uses tactics like fake error messages, CAPTCHA forms, and command prompts to deliver malware to your device. As PCMag reports, the Windows update scam is a pop-up that looks like a standard Windows blue screen but is actually a full screen browser page being displayed from a malicious domain.
The ClickFix element is a set of keystrokes—not part of the real update interface—that have the user paste and execute a malicious command, ultimately delivering malware to their device. These instructions have an air of urgency, which is a common element of a scam.
Researchers at cybersecurity firm Huntress have detailed the exact mechanism behind this attack, including an iteration in which users are prompted to verify they are human (rather than complete a security update). As Bleeping Computer outlines, the malicious code is embedded into the pixel data of PNG images, and the final payload is one of two known infostealers.
According to the Huntress analysis, following a recent law enforcement operation, fake Windows update pages continue to exist across multiple domains, but those domains no longer seem to host the malware payload. That doesn’t mean, however, that this attack, or some version of it, won’t pop up elsewhere.
How to stay safe from this ClickFix attack
If you run Windows on your device, you’ve probably seen a blue or black update or error screen many times, and you may not be suspicious if your computer randomly begins an update or prompts you to take an extra step to confirm it. But while a legitimate update screen will have a progress indicator and instructions not to turn off your computer, you should never need to input manual commands. This is a red flag of a ClickFix attack and not something a trusted service will require.
Of course, it’s important to keep your computer up to date. Microsoft releases security updates on the second Tuesday of the month, known as Patch Tuesday, and you can enable automatic updates on your machine to ensure you get fixes as soon as they’re available.
If you want to take additional steps to prevent ClickFix attacks on Windows, you can disable the Windows Run box to prevent unauthorized access to commands.
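The Run-box lockdown above corresponds to the Windows Group Policy setting "Remove Run menu from Start Menu" (User Configuration > Administrative Templates > Start Menu and Taskbar), which Explorer reads from the NoRun value under the Explorer policies key and which also blocks the Win+R shortcut. The PowerShell below is an added example written for this page, not code from the article, PCMag, or Huntress; the registry path and the NoRun value name are the real policy, while the function names are my own.

```powershell
# Added example: apply, verify, and undo the "Remove Run menu from Start Menu"
# policy for the current user. NoRun=1 under this key hides the Run box and
# disables Win+R once Explorer restarts (sign out and back in, or restart
# explorer.exe). Function names are hypothetical; the key and value are real.
$PolicyPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-RunBox {
    # Create the Policies\Explorer key if this user has never had a policy set.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # DWORD 1 = policy enabled; -Force overwrites any existing value.
    New-ItemProperty -Path $PolicyPath -Name 'NoRun' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RunBoxDisabled {
    # Returns $true only when the value exists and is set to 1.
    $item = Get-ItemProperty -Path $PolicyPath -Name 'NoRun' -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.NoRun -eq 1)
}

function Enable-RunBox {
    # Removing the value restores the default (Run box available).
    Remove-ItemProperty -Path $PolicyPath -Name 'NoRun' -ErrorAction SilentlyContinue
}

Disable-RunBox
if (Test-RunBoxDisabled) {
    Write-Host 'NoRun policy set for the current user; sign out and back in for Explorer to apply it.'
} else {
    Write-Warning 'NoRun policy was not applied; check permissions on the Policies\Explorer key.'
}
```

Run this in a PowerShell session as the user you want to protect; the HKCU key is per user, so on a shared machine apply it for each account, or deploy the same policy centrally through Group Policy or Intune. One caveat a practitioner should keep in mind: this removes the Run box that ClickFix instructions typically point at, but it does not stop a user from pasting a command into an already-open PowerShell or Command Prompt window, so it complements rather than replaces the habit the article describes, which is to treat any "update" that asks you to type or paste commands as a red flag.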