This information is intended for all Duke Community members and is a continuation of the initial alert.

Summary

Threat actors are distributing malware through a technique known as ClickFix, which tricks users into copying and executing malicious code in a terminal or command prompt. These attackers have been seen using fake CAPTCHAs, misleading error messages, or other fraudulent pop-ups. Once executed, the code downloads malware from a malicious site, and that malware steals passwords, cookies, cryptocurrency wallet details, and other personal and financial information. Attackers are also leveraging social media to trick users.

Problem

A fake CAPTCHA is a security challenge designed to look like a legitimate CAPTCHA but is a scam. Its purpose is to trick users into executing malicious code on their device, which can lead to malware infections and data theft.

A fake error message or pop-up is a dialog box that is designed to look like a legitimate error or warning but is fraudulent. Its purpose is to trick users into executing malicious code, downloading malicious software, or visiting a malicious site.

Threats

Fake CAPTCHAs prompt users to “verify they are human” by copying and pasting code or scanning QR codes that link to malicious scripts.

Examples of Fake CAPTCHAs
  • Fake CAPTCHA asking user to copy and paste text into the Windows terminal to verify they are not a robot.
  • Fake CAPTCHA asking user to copy and paste text into the Mac terminal to verify they are not a robot.
  • Fake CAPTCHA asking user to copy and paste text into the Linux Run Dialog to verify they are not a robot.
  • Fake CAPTCHA asking user to scan a QR code to verify they are not a robot.
  • Fake CAPTCHA asking user to copy and paste text into the Windows terminal to verify they are not a robot by using keyboard icons and the Cloudflare logo.

Fake error messages and pop-ups claim that a problem or issue can be fixed by running a command.

Examples of Fake Pop-ups and Error Messages
  • Fake error message in Chrome browser asking a user to copy and paste text into the Windows terminal to verify they are not a robot.
  • Fake error message in a Firefox browser asking the user to copy and paste text into the Windows terminal to verify they are not a robot.
  • Fake error message in Edge browser tricking the user into copying and pasting malicious code into their terminal.
  • Fake Facebook error message asking user to copy and paste text into the Windows terminal to connect with people.
  • Fake error message using a fake Google Meet webpage that tricks a user into running code by copying and pasting into a terminal.

Malicious social media posts are used to encourage users to run suspicious code under false pretenses such as obtaining free software or fake job postings.

Malicious Social Media Posts
  • A malicious social media post on TikTok tricking users into running code to get free software; instead, they are downloading malware.

How We Protect Duke

  • Avoid interacting with CAPTCHA pages or error messages that seem out of place or unusual.
  • Be cautious of suspicious CAPTCHA pages or error messages.
  • Block pop-ups using your browser settings.
  • If you copied anything from one of these pages, clear your clipboard, because it likely contains an executable command.
  • Duke will never ask you to perform commands in an email or on a website.
  • Never execute terminal commands prompted by websites through CAPTCHAs, error messages, or other verification interfaces.
  • Update your software and applications.

If You Spot One

  • Take a screenshot of the CAPTCHA or error message and report the page you were visiting, along with any additional steps you may have taken, to security@duke.edu.
  • If you got to the site by clicking a link in an email, use the “report message” button.

References