ClickFix Scams Impersonating MS Defender and Cloudflare Bot Checks Target U.S. Users

Published on April 19, 2025
Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Researchers are warning of a new ClickFix scam that urges users to authenticate themselves through malicious Cloudflare and MS Defender checks. The scam presents options to select from to prove that the user is a human and not a bot.

Similar to the common ‘Verify You are a Human’ test, this ClickFix technique infects systems with malware that is downloaded when the user follows the onscreen instructions.

Online malware analysis service ANY.RUN posted about the threat, along with the URLs associated with the phishing attempt and the target of the scam.

Analysis showed that this ClickFix trick targets U.S. users.

ClickFix scam prompt impersonating MS Defender | Source: ANY.RUN on X

The page impersonates the Indo-American Chamber of Commerce. The URL found was iaccindia[.]com, which displays a full-screen message that reads, “Windows Defender Security Center.”

ClickFix scam prompt | Source: ANY.RUN on X

Displaying the fake security risk message, the page locks the screen and displays tech support contact details to dupe users. 

The domain hosting the fake authentication scam was registered in 2006. These are the Indicators of Compromise (IoC) traced by investigators:

This threat also impersonates other cybersecurity platforms, such as the DDoS mitigation leader Cloudflare.

ClickFix pop-up impersonating Cloudflare | Source: ANY.RUN on X

The Cloudflare trap urges users to execute a malicious Run command on the pretext of displaying a document fully and reviewing the security of the user’s connection.

Users are shown a series of instructions to complete the process, leading to a successful malware attack.

It is important for users to not follow such instructions to avoid falling prey to fraudulent security checks. One must close the page and immediately contact the intended website's support team via other channels like their official social media accounts to report and stop scammers.
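
For defenders: commands typed into the Windows Run dialog are recorded per user under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` (each value ends in `\1`), so a lure like the Cloudflare one described above leaves a trace that can be triaged after the fact. The Python below is an added example, not code from ANY.RUN or from the original article; the program list, lure keywords, weights, threshold and all sample values are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the article): lists, weights and threshold are illustrative.
INTERPRETERS = {"powershell", "pwsh", "mshta", "cmd", "wscript", "cscript",
                "rundll32", "regsvr32", "msiexec", "certutil", "curl"}
CHECKS = [
    (2, "fetches a remote resource", re.compile(r"https?://|\\\\[^\\\s]+\\", re.I)),
    (2, "hidden window or encoded command", re.compile(
        r"[-/](w|win|windowstyle)\s+(h|hidden)\b|[-/](e|ec|enc|encodedcommand)\s", re.I)),
    (2, "verification-themed text", re.compile(r"verif|captcha|robot|human|cloudflare", re.I)),
]
THRESHOLD = 3

def parse_mru_value(raw):
    """Run-dialog history values end with a literal '\\1' marker; strip it."""
    return raw[:-2] if raw.endswith("\\1") else raw

def score_command(command):
    """Return (score, reasons) for one command typed into the Run dialog."""
    parts = command.strip().split(None, 1)
    if len(parts) < 2:
        return 0, []  # bare program name or path, no arguments to inspect
    exe = re.sub(r"\.exe$", "", parts[0].strip('"').rsplit("\\", 1)[-1].lower())
    if exe not in INTERPRETERS:
        return 0, []
    score, reasons = 1, ["script-capable program launched with arguments"]
    for weight, reason, pattern in CHECKS:
        if pattern.search(parts[1]):
            score += weight
            reasons.append(reason)
    return score, reasons

def triage(runmru):
    """Return {value_name: reasons} for entries scoring at or above THRESHOLD."""
    hits = {}
    for name, raw in runmru.items():
        score, reasons = score_command(parse_mru_value(raw))
        if name != "MRUList" and score >= THRESHOLD:
            hits[name] = reasons
    return hits

# Constructed RunMRU contents; payloads are placeholders, not real commands.
SAMPLE_RUNMRU = {
    "a": "\\\\fileserver\\public\\1",
    "b": 'powershell -w hidden -c "<placeholder>" # Cloudflare verification ID 0000\\1',
    "c": "mshta https://example.invalid/placeholder # I am not a robot\\1",
    "d": "cmd /c ipconfig\\1",
    "MRUList": "dcba",
}
```

Calling `triage(SAMPLE_RUNMRU)` flags entries `b` and `c` and leaves the share path and the plain `cmd /c ipconfig` alone; on a real host the dictionary would be filled from the registry key rather than from the constructed sample.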

