This Windows Update Pop-up Is a Scam.
The update screen is a common sight on Windows computers, so hackers naturally exploit it to inject malware onto devices. This scheme, a recent version of the ClickFix attack , is designed to trick you into running a dangerous command under the guise of installing a “critical security update.” But in reality, you’re installing an infostealer that leaks your data to the attackers.
When a Windows Update Pop-Up Is Actually a ClickFix Attack
ClickFix is a social engineering method that uses tricks such as fake error messages, CAPTCHA forms, and command prompts to deliver malware to your device. As PCMag reports , the Windows update scam consists of a pop-up window that looks like a standard Windows blue screen, but is actually a full-screen browser page displayed from a malicious domain.
The ClickFix element is a series of keystrokes ( not part of the actual update interface) that tricks the user into entering and executing a malicious command, ultimately downloading malware to the device. These instructions appear extremely urgent, which is a common scam.
Researchers from cybersecurity firm Huntress detailed the precise mechanics of this attack, including an iteration in which users are prompted to verify their identity (rather than perform a security update). As Bleeping Computer notes , the malicious code is injected into the pixel data of PNG images, and its final payload is one of two known methods of information theft.
According to Huntress’ analysis, following a recent law enforcement operation, fake Windows update pages continue to exist on several domains, but they no longer appear to be hosting malicious payloads. However, this doesn’t mean this attack or a variant of it won’t reappear elsewhere.
How to protect yourself from the ClickFix attack
If you have Windows installed on your device, you’ve likely seen blue or black update screens or error messages many times. If your computer randomly initiates an update or prompts you to perform additional steps to confirm, you might not suspect anything. However, while a genuine update screen displays a progress bar and instructs you not to turn off your computer, you should never enter any commands manually. This is a warning sign of a ClickFix attack, not something a trusted service requires.
Of course, it’s important to keep your computer up to date. Microsoft releases security updates on the second Tuesday of the month, known as “Patch Tuesday,” and you can enable automatic updating on your computer to receive fixes as soon as they become available.
If you want to take additional steps to prevent ClickFix attacks on Windows, you can disable the Run window in Windows to prevent unauthorized access to commands.