Even ‘Prove You’re Not a Robot’ Checks Aren’t Safe From Scammers

Researchers at the cybersecurity firm Huntress are sounding the alarm over ClickFix, a platform that typically helps online communities manage and report issues related to public services and infrastructure. But a particular variant seems to be targeting Windows users with a fraudulent security check. The attack claims to verify that the user is human, not a bot—but in actuality, it installs malware that can steal the user's data.

The fake security check tells people to press the Windows key + R to open the Run window, then Ctrl + V to paste a command supposedly copied to their clipboard. When users press Enter, they're not actually kickstarting a crucial Windows update; they're running malicious code that installs the LummaC2 and Rhadamanthys malware families. These malware variants are known to steal sensitive information, like passwords and authentication tokens, putting everything from personal accounts to business credentials at risk.

Huntress ...