PC Attacks—Do Not Open Any Website If It’s On This List
By Zak Doffman, Contributor. Zak Doffman writes about security, surveillance and privacy.
“If it looks like a duck,” starts the so-called Duck Test, then it’s probably a duck. And sometimes, cybersecurity threats are just as simple to detect. So it is with the ClickFix attacks now running riot across PCs worldwide. Forget the lure. If a popup window or website asks you to copy and paste text into a prompt, then don’t. It’s an attack.
The latest warning comes from the investigators at DomainTools, with “threat actors exploiting human trust” through “Prove You Are Human” malware. This is ClickFix meets CAPTCHA, the fiddly little tests that ask you to pick out bikes or rearrange the pieces of a jigsaw puzzle. The copy and paste is presented as the human test.
DomainTools warns it has unearthed a “malicious campaign that uses deceptive websites, including spoofed Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts on their Windows machines.” Those scripts “download and execute multiple stages of additional scripts, ultimately leading to the installation of the NetSupport remote access trojan (RAT).”
With ClickFix, the dangerous script isn’t what the victim copies and pastes; it is hosted elsewhere and retrieved by the more innocuous text that is copied and pasted. This second stage, “also functioned as downloaders, making 3 or more web requests to retrieve and execute a third stage of scripts from other domains, which then retrieve and run a fourth stage resulting in NetSupport RAT running on the victim host.”
DomainTools being DomainTools, the team investigated and uncovered a broader malware ecosystem underpinning these attacks, with a raft of malicious domains registered for that purpose. This includes “Docusign spoofed websites,” crafted to trick users into thinking a form or install page is legitimate.
One such example, docusign.sa[.]com/verification/s.php, was encoded with a cipher “to avoid signature detections and obfuscation.” In this case, that’s ROT13, “in which a simple letter substitution replaces each letter with the 13th letter after it in the alphabet. Completing this operation twice effectively decodes the text.”
The page presented back to the victim “is designed to look like a Cloudflare ‘Checking your browser’ / CAPTCHA page, mixed with Docusign branding.” This leads to so-called Clipboard Poisoning, which secretly copies text to the clipboard without the user realizing. “The user is instructed to (Win+R, Ctrl+V, Enter) or in other words, open their Window Run prompt, copy in the malicious script, and run it.”
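The ROT13 layer described above is trivial to strip, which is why a defender can normalise a captured page before running any content checks on it. The Python below is an added example for this article, not DomainTools’ tooling or anything taken from the campaign: it applies ROT13 (which is its own inverse) and scans both the raw and the decoded text for the ClickFix hallmarks the report names, the Win+R / Ctrl+V instructions, a clipboard write, a hidden PowerShell launch and a download-and-execute command. The page bodies are constructed for the example, and the indicator patterns are illustrative heuristics chosen here rather than a vendor signature set.

```python
import codecs
import re

# Heuristic patterns for the ClickFix hallmarks the report describes.
# These are illustrative choices for this example, not a vendor signature set.
CLICKFIX_INDICATORS = {
    "run_dialog_instruction": re.compile(r"win\s*\+\s*r\b", re.I),
    "paste_instruction": re.compile(r"ctrl\s*\+\s*v\b", re.I),
    "clipboard_write": re.compile(r"clipboard\.writeText|execCommand\(\s*['\"]copy", re.I),
    "powershell_hidden": re.compile(
        r"powershell(?:\.exe)?[^\n]{0,80}-w(?:indowstyle)?\s+hidden", re.I),
    "download_and_exec": re.compile(
        r"\b(?:iex|iwr|Invoke-Expression|Invoke-WebRequest)\b", re.I),
    "human_check_lure": re.compile(
        r"verify\s+you\s+are\s+human|checking\s+your\s+browser", re.I),
}

# Constructed sample of an obfuscated page body: a plaintext lure was
# ROT13-encoded for this example; no real campaign content is used and
# the URL inside it points at the reserved .invalid TLD.
OBFUSCATED_PAGE = (
    "Irevsl lbh ner uhzna. Cerff Jva+E, gura Pgey+I naq Ragre. "
    "cbjrefuryy -j uvqqra -p vrk(vje uggc://rknzcyr.vainyvq/f)"
)

# Constructed benign page: a plain "checking your browser" interstitial
# with no paste-and-run instruction, to show the lure alone is not enough.
BENIGN_PAGE = "Checking your browser before accessing the site. Please wait."


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.encode(text, "rot_13")


def scan_page(body: str) -> dict:
    """Return the indicator names that match in the raw body and in its ROT13 decoding.

    A page that only matches after decoding is exactly the signature-evasion
    case the report describes.
    """
    return {
        layer: [name for name, pat in CLICKFIX_INDICATORS.items() if pat.search(text)]
        for layer, text in (("raw", body), ("rot13", rot13(body)))
    }


def is_clickfix(body: str) -> bool:
    """Flag a page that both tells the user to paste-and-run and carries a payload command."""
    found = set()
    for names in scan_page(body).values():
        found.update(names)
    instruction = found & {"run_dialog_instruction", "paste_instruction", "clipboard_write"}
    payload = found & {"powershell_hidden", "download_and_exec"}
    return bool(instruction) and bool(payload)


if __name__ == "__main__":
    for label, page in (("obfuscated", OBFUSCATED_PAGE), ("benign", BENIGN_PAGE)):
        print(label, scan_page(page), "clickfix" if is_clickfix(page) else "clean")
```

Run as a script it reports that the obfuscated sample matches nothing in its raw form and five indicators once decoded, while the benign interstitial matches only the lure. The decision in `is_clickfix` deliberately requires both a paste-and-run instruction and a payload command, so a genuine “checking your browser” page is not flagged on wording alone.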
Fortunately, all these ClickFix attacks do require you to open a prompt, paste in text and then hit Enter. The obfuscation might disguise the lead-up to the attack, but if you know never to paste and execute any such command, regardless of the lure, you will be protected from these attacks. DomainTools says this latest attack “capitalizes on user trust and familiarity with common online interactions, such as document verification and code sharing platforms.” But if you can’t be tricked into the final act, you’re fine.
In its latest report, Gen (the company behind Norton and Avast) warns “the most dangerous attacks aren’t always the ones that sneak in unnoticed — they are often the ones that make you open the door yourself. Scam-Yourself Attacks rely on well-crafted social engineering tactics, designed to trick users into infecting their own devices.”
But again, while “ClickFix and FakeCaptcha continue to evolve,” including “interactive image-based CAPTCHAs mimicking the classical ‘select all the traffic lights’ puzzle,” the net result is the same. “After selecting the image, the user is once again redirected to the common set of malicious steps which result in infecting the user’s device.”
Here is a list of other websites to look out for:
0xpaste[.]com
aitradingview[.]app
aitradingview[.]dev
batalia-dansului[.]xyz
battalia-dansului[.]com
betamodetradingview[.]dev
betatradingview[.]app
betatradingview[.]dev
charts-beta[.]dev
codepaste[.]io
dans-lupta[.]xyz
dev-beta[.]com
devbetabeta[.]dev
devchart[.]ai
developer-ai[.]dev
developerbeta[.]dev
developer-beta[.]dev
developer-mode[.]dev
developer-package[.]dev
developer-update[.]dev
devmodebeta[.]dev
devmode-beta[.]dev
devtradingview[.]ai
devtradingview[.]net
dev-update[.]dev
docusign[.]sa[.]com
docusign[.]za[.]com
docusimg[.]sa[.]com
docusingl[.]sa[.]com
docusingle[.]sa[.]com
gitcodes[.]app
gitcodes[.]io
gitcodes[.]net
gitcodes[.]org
gitpaste[.]com
givcodes[.]com
hubofnotion[.]com
jeffsorsonblog[.]dev
loyalcompany[.]net
mhousecreative[.]com
modedev[.]ai
modedeveloper[.]ai
modedeveloper[.]com
modedevs[.]ai
nsocks[.]net
oktacheck.it[.]com
pasteco[.]com
pastefy[.]com
pastefy[.]net
pastefy[.]pro
tradingviewai[.]dev
tradingview-ai[.]dev
tradingviewbeta[.]dev
tradingview-beta[.]dev
tradingviewdev[.]com
tradingviewindicator[.]dev
tradingviewtool[.]com
tradingviewtoolz[.]com
tradingviewtradingview[.]dev
updatebeta[.]app
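To make a list like the one above usable in a proxy log sweep or a DNS blocklist, a defender has to refang the indicators (the “[.]” is the usual convention so the domains cannot be clicked or auto-linked) and then match observed hostnames against them, catching subdomains of a listed domain but not lookalikes that merely end in the same letters. The Python below is an added example written for this article, not anything from DomainTools or the report; it takes a handful of the domains listed above and the constructed test URLs are labelled as such.

```python
from urllib.parse import urlsplit

# A handful of the defanged domains from the list above. "[.]" is the usual
# way indicators are written so they cannot be clicked or auto-linked.
DEFANGED_BLOCKLIST = [
    "docusign[.]sa[.]com",
    "docusingle[.]sa[.]com",
    "gitcodes[.]app",
    "oktacheck.it[.]com",
    "pastefy[.]com",
    "tradingview-beta[.]dev",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real, lower-cased hostname."""
    return (
        indicator.strip().lower()
        .replace("[.]", ".")
        .replace("(.)", ".")
        .replace("hxxp", "http")
    )


def build_blocklist(defanged):
    """Refang every entry once so lookups become exact set-membership tests."""
    return {refang(d) for d in defanged}


BLOCKLIST = build_blocklist(DEFANGED_BLOCKLIST)


def hostname_of(url_or_host: str) -> str:
    """Extract the hostname from a URL or a bare host, dropping scheme, port, path and userinfo."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "//" + s          # let urlsplit treat a bare host as a network location
    host = urlsplit(s).hostname or ""
    return host.rstrip(".")   # .hostname is already lower-cased; drop a trailing root dot


def matches_blocklist(url_or_host: str, blocklist=BLOCKLIST):
    """Return the blocklisted domain the host equals or sits under, else None.

    Matching walks label by label from the full host up to its parent domains,
    so verify.docusign.sa.com hits docusign.sa.com while notdocusign.sa.com
    does not; a plain string-suffix test would get the second case wrong.
    """
    labels = hostname_of(url_or_host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def triage(urls, blocklist=BLOCKLIST):
    """Map each observed URL to its blocklist hit (or None), e.g. over a proxy-log extract."""
    return {u: matches_blocklist(u, blocklist) for u in urls}


if __name__ == "__main__":
    # Constructed sample URLs for the demo; only the listed domains are real indicators.
    for url, hit in triage([
        "https://docusign.sa.com/verification/s.php",
        "https://verify.docusign.sa.com/",
        "https://notdocusign.sa.com/",
        "GITCODES.APP:8443",
        "https://www.docusign.com/",
    ]).items():
        print(f"{'BLOCK' if hit else 'ok   '} {url} -> {hit}")
```

The label-walk in `matches_blocklist` is the part worth copying: it is what keeps the legitimate docusign.com out of the block decision while still catching any subdomain a campaign stands up under a listed domain, and it handles mixed case, ports and paths because the hostname is normalised first.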