ClickFix attack tricks AI summaries into pushing malware

AI Botpress
ManagementMicrosoftNewsWeb

AI summaries turned into ransomware lures

CloudSEK’s proof‑of‑concept shows how manipulated web content can coerce AI summarizers into recommending malicious Windows commands, turning a helpful feature into a social engineering delivery system. By abusing CSS obfuscation and “prompt overdose,” attackers can make hidden instructions dominate the summary and push a ransomware payload. Defenders need to treat AI summaries as untrusted input and harden their ingestion pipelines before this tactic shifts from research to reality.

Points clés

  • CloudSEK published research on a ClickFix proof‑of‑concept that weaponizes AI-generated summaries to deliver malware.
  • ClickFix is a social engineering tactic that prompts victims to execute self‑sabotaging commands via fake errors or calls to action.
  • Microsoft reported threat actor Storm‑1865 impersonated Booking.com to conduct ClickFix attacks over email.
  • A separate incident involved LES Automotive, where more than 100 car dealership websites briefly served malicious code via a phony reCAPTCHA that urged users to run a Windows command.
  • The new POC crafts HTML that hides a payload using CSS tricks (white‑on‑white text, zero‑width characters, tiny fonts, off‑screen positioning) so AI summarizers surface the attacker’s instructions.
  • CloudSEK researcher Dharani Sanjaiy described a “prompt overdose” effect, where repeated hidden directives dominate the summarizer’s context.
  • The showcased payload pushes a PowerShell command via Windows Run, initiating a ransomware infection.
  • Crafted content can be indexed by search engines, posted on forums, or directly distributed; summaries in email clients, browser extensions, and productivity tools can echo the malicious steps.
  • CloudSEK recommends preprocessing HTML to normalize suspicious CSS, adding prompt sanitizers before summarization, and deploying payload pattern recognition.
  • Additional guidance includes enforcing enterprise AI policies and scanning inbound documents and web content across secure email gateways, content management systems, and browser extensions.

À retenir

Rule one: if an AI summary tells you to paste a mystery command into Windows Run, don’t salute — step away from the keyboard. Treat summaries like any other untrusted input: lock down PowerShell, scan inbound content for hidden text, sanitize prompts before they hit your summarizer, and teach users that “friendly” AI can be socially engineered too. Do these basics and you’ll avoid turning your productivity tools into an attacker’s personal help desk.

Sources

Sélection aléatoire d'articles