Updated on Nov. 28 with a new porn-related attack now targeting users.
This is wild and new. Attackers have worked out that malicious emails pushing links to adult sites will solicit plenty of clicks. Unfortunately, those clicks open a fake update screen that talks you into running commands which install dangerous malware on your device. As tempting as it may be, do not click.
The team at Acronis warns the “novel ‘JackFix’ attacks” combine “screen hijacking techniques with ClickFix, displaying a realistic, full-screen Windows Update of ‘Critical Windows Security Updates’ to trick victims into executing malicious commands.”
We have seen plenty of seemingly innocuous lures to drive ClickFix attacks, most being fake captchas and technical support pop-ups. But this new campaign “leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism.”
Acronis says “the adult theme, and possible connection to shady websites, add to a victim’s psychological pressure, making victims more likely to comply with sudden ‘security update’ installation instructions.”
The attack itself hijacks a PC’s entire screen, “displaying an authentic looking Windows Update screen — complete with the appropriate animations, a counting-up percentage of progress and the appearance of going full screen.”
The attack is executed entirely within the PC’s browser, and Acronis says the resulting screen hijacking “is something we haven’t seen done before this campaign, but the principle is well proven and goes back over 15 years.” The adult content is the new twist on a theme, enticing users to click before “the trap is sprung.”
Psychologically, the lure is designed to catch you when you’re on edge, clicking something you know you probably shouldn’t. And so when an urgent security update screen opens, you’re more likely to be tricked into engaging.
Staying safe is easy. Don’t access adult sites from links in emails, messages or pop-ups. As with any other website, type the address yourself or use a bookmark.
It’s not only fake porn sites trying to trick Windows users into clicking where and when they shouldn’t. A separate warning posted on X describes an “infostealer is being delivered by an in-browser fake Windows Update, abusing the Fullscreen API (on-click), and using ClickFix-style lures to trick users.”
And separately, the team at Huntress has flagged a “multi-stage malware execution chain, originating from a ClickFix lure, that leads to the delivery of infostealing malware, including LummaC2 and Rhadamanthys.”
In this other instance, the payload is hidden by steganography, concealing malicious code inside ordinary-looking images, rather than relying on a more illicit lure. “The malicious code is encoded directly within the pixel data of PNG images, relying on specific colour channels to reconstruct and decrypt the payload in memory.”
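To make the Huntress description concrete, here is an added example (not code from Huntress or from the campaign) showing the general pattern rather than this specific sample: a payload is XOR-encrypted, hidden in the least significant bit of one colour channel (blue here) of a PNG, and then read back out of the pixel data and decrypted in memory. The payload text, XOR key, image size and the gradient cover image are all constructed for the demo; the PNG writer and reader use only the standard library and only handle the 8-bit RGB, filter-type-0 files they produce.

```python
import struct
import zlib

# Constructed demo values: a real sample would hide loader code, not this string.
PAYLOAD = b"constructed demo payload: a real sample would be loader code"
XOR_KEY = 0x5A                  # arbitrary one-byte key for the demo
WIDTH, HEIGHT = 64, 64          # 4096 pixels -> 4096 blue-channel bits of capacity


def make_cover():
    """Synthetic RGB gradient standing in for an innocent-looking cover image."""
    return [[(x * 4, y * 4, ((x + y) * 2) & 0xFF) for x in range(WIDTH)]
            for y in range(HEIGHT)]


def _chunk(tag, body):
    """One PNG chunk: big-endian length, 4-byte tag, body, CRC32 over tag+body."""
    return (struct.pack(">I", len(body)) + tag + body
            + struct.pack(">I", zlib.crc32(tag + body) & 0xFFFFFFFF))


def write_png(pixels):
    """Encode rows of (r, g, b) tuples as an 8-bit RGB PNG using filter type 0."""
    h, w = len(pixels), len(pixels[0])
    raw = b"".join(b"\x00" + bytes(c for px in row for c in px) for row in pixels)
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)   # depth 8, colour type 2 = RGB
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data):
    """Parse the PNGs write_png produces (8-bit RGB, filter-0 rows) back to pixels."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, w, h, idat = 8, 0, 0, b""
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            w, h, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 2):
                raise ValueError("demo parser handles 8-bit RGB only")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length                                 # length + tag + body + crc
    raw, stride, rows = zlib.decompress(idat), 1 + 3 * w, []
    for y in range(h):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("demo parser handles filter type 0 only")
        rows.append([tuple(line[1 + 3 * x:4 + 3 * x]) for x in range(w)])
    return rows


def embed(cover, payload, key):
    """Hide the key-XORed payload, 16-bit length first, in the blue channel's LSBs."""
    blob = struct.pack(">H", len(payload)) + bytes(b ^ key for b in payload)
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > len(cover) * len(cover[0]):
        raise ValueError("payload too large for cover image")
    out = [row[:] for row in cover]
    it = iter(bits)
    for row in out:
        for x, (r, g, b) in enumerate(row):
            bit = next(it, None)
            if bit is None:
                return out
            row[x] = (r, g, (b & 0xFE) | bit)
    return out


def extract(pixels, key):
    """Reverse of embed: read blue LSBs, take the length, XOR-decrypt in memory."""
    lsbs = [px[2] & 1 for row in pixels for px in row]

    def take(n_bytes, bit_offset):
        out = bytearray()
        for i in range(n_bytes):
            v = 0
            for bit in lsbs[bit_offset + 8 * i:bit_offset + 8 * i + 8]:
                v = (v << 1) | bit
            out.append(v)
        return bytes(out)

    n = struct.unpack(">H", take(2, 0))[0]
    return bytes(b ^ key for b in take(n, 16))


def blue_lsb_ones_ratio(pixels):
    """Fraction of blue LSBs set: 0.0 for the flat cover, higher once ciphertext is
    embedded. Real photos already have noisy LSBs, so actual detectors rely on
    pixel-pair statistics (chi-square and friends), not this toy ratio."""
    lsbs = [px[2] & 1 for row in pixels for px in row]
    return sum(lsbs) / len(lsbs)


def demo():
    """Round trip: build stego PNG bytes, parse them back, recover the payload."""
    stego_png = write_png(embed(make_cover(), PAYLOAD, XOR_KEY))
    return extract(read_png(stego_png), XOR_KEY)
```

The point for defenders is in `extract`: nothing ever touches disk as an executable. The bytes live only as pixel values until the loader reassembles them, which is why file-based antivirus scanning of the image finds nothing and why the execution chain has to be caught at the ClickFix step or at the in-memory stage.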
As ever with ClickFix, the campaigns are designed to trick a user into attacking their own devices. Never copy and paste or run code when prompted to do so by an attachment, a link or a pop-up.
While this porn-related malware is very real, the bigger threat to users remains scam emails and messages that seek to scare users into believing their devices have been hacked and their use of adult content recorded in some way.
The emails threaten to share images or videos with family, friends and colleagues, because they have also — they say — stolen contact lists. The messages are fake. It’s a lure built on the popularity of adult sites and the likelihood you’ll feel compromised.
The psychology is the same as with the malware attack. You’re viewing or have viewed illicit content, and so you’re more susceptible to a scam.
A new attack this week comes by way of an email that begins: “About few weeks ago I have gained a full access to all devices used by you for internet browsing. Shortly after, I started recording all internet activities done by you.”
The nasty trick in this campaign is that the sender’s email address will be the same as your own. “As you can see, I managed to log in to your email account.”
The email goes on to say that “I assure you, because I have spent a lot of effort while recording and tracking down all your activities and dirty deeds during a long period of time. You have only 40 hours and countdown has started once you opened this email.”
This email address spoofing is powerful, but it’s fake nonetheless. The “From” line is written by the sender’s own software and nothing in the mail protocol checks it; only your provider’s SPF, DKIM and DMARC checks, recorded in the message’s hidden headers, say whether the mail really came from your account.
Do not be alarmed. As a rule of thumb, if you have really been compromised, an attacker will make it clear that’s been achieved with evidence — it won’t be ambiguous. Do not pay. Do not click any links. Do not even reply to any emails. Ignore and delete.
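The headers are where the spoof shows. As an added illustration, not the article’s own material, here is a small triage routine that reads the raw message and flags the “sent from your own address” trick: the From address matches the mailbox owner, yet the Return-Path points at another domain and the receiving server’s Authentication-Results header reports SPF and DMARC failures. Both sample messages, including every address, hostname and ID in them, are constructed for this example; the trusted authserv-id (the name your own mail server stamps into Authentication-Results) is an assumption you would replace with your provider’s.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the receiving server identifies itself this way in Authentication-Results.
# Only headers carrying this id are trusted; a sender can add fake ones of its own.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed extortion mail: From equals To, but the envelope and checks tell the truth.
SPOOFED_MAIL = """\
Return-Path: <bounce-4471@bulk-sender.example.org>
Received: from bulk-sender.example.org (bulk-sender.example.org [203.0.113.7])
        by mx.example.net with ESMTP id 7c0f2; Fri, 28 Nov 2025 09:12:44 +0000
Authentication-Results: mx.example.net;
        spf=fail smtp.mailfrom=bulk-sender.example.org;
        dkim=none;
        dmarc=fail header.from=example.net
From: Alice Smith <alice@example.net>
To: Alice Smith <alice@example.net>
Subject: You have 40 hours
Message-ID: <20251128091244.4471@bulk-sender.example.org>

About few weeks ago I have gained a full access to all devices used by you...
"""

# Constructed note-to-self: same From/To, but everything checks out.
LEGIT_SELF_MAIL = """\
Return-Path: <alice@example.net>
Authentication-Results: mx.example.net;
        spf=pass smtp.mailfrom=example.net;
        dkim=pass header.d=example.net;
        dmarc=pass header.from=example.net
From: Alice Smith <alice@example.net>
To: Alice Smith <alice@example.net>
Subject: note to self

Buy milk.
"""

AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def auth_results(msg):
    """Collapse trusted Authentication-Results headers into {'spf': 'fail', ...}."""
    found = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv = hdr.split(";", 1)[0].strip()
        if authserv != TRUSTED_AUTHSERV:
            continue                      # ignore results the sender may have forged
        for method, result in AUTH_RESULT.findall(hdr):
            found.setdefault(method.lower(), result.lower())
    return found


def triage(raw, my_address):
    """Return a verdict dict for one raw RFC 5322 message owned by my_address."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_domain = from_addr.rsplit("@", 1)[-1]
    rp_domain = return_path.rsplit("@", 1)[-1]
    auth = auth_results(msg)
    reasons = []
    if from_addr == my_address.lower():
        if auth.get("dmarc") != "pass":
            reasons.append("From is my own address but DMARC did not pass")
        if rp_domain and rp_domain != from_domain:
            reasons.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")
        if auth.get("spf") == "fail":
            reasons.append("SPF failed for the envelope sender")
    return {"from": from_addr, "return_path": return_path, "auth": auth,
            "spoofed": bool(reasons), "reasons": reasons}
```

Most webmail clients expose the same headers under a “show original” or “view source” option, so the check above is something you can do by eye: if a mail claims to be from you but your own server says spf=fail or dmarc=fail, the sender never had your account.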

