Announcement Archives - Information Security

Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks
Wed, 22 Apr 2026 19:36:36 +0000

The post Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks appeared first on Information Security.

ClickFix attacks are a rapidly evolving threat that use fake CAPTCHA pages to trick people into running malicious commands (often PowerShell) on their own devices. In every ClickFix case, the attacker relies on one thing: your participation. Most traditional phishing attempts and malicious sites are filtered or blocked long before they reach you. That’s why ClickFix pushes you to take extra steps yourself. By convincing you to run a command, the attacker gets past the protections already set in place and installs malware that would otherwise be detected.

What is ClickFix?

ClickFix is a social engineering technique where attackers compromise legitimate websites and replace normal verification steps such as CAPTCHAs with fake prompts, and instruct users to run malicious commands on their computers. These commands often involve opening the Windows Run dialog or PowerShell and pasting in a script that appears to “fix” a problem or “verify” the user. In reality, the script is being used to download malware that compromises your device.

This technique has been observed across higher‑education institutions and is increasingly used to deploy malware families such as , a backdoor capable of downloading additional payloads, collecting system information, and maintaining persistence on the device.

How Does It Work?

ClickFix attacks follow a simple pattern:

  1. You click on a link from a search result or ad, and as the page loads, a strange-looking CAPTCHA or pop‑up appears unexpectedly.
  2. Instead of asking you to click images or check a box, it tells you there’s a “problem” and you need to run a command to continue.
  3. The page instructs you to open Windows + R, PowerShell, or Terminal and paste in a line of text.
  4. That command silently downloads malware onto your device. In many cases, it installs a backdoor such as CORNFLAKE.V3, which can download additional malicious files onto your system, collect system information, and stay hidden on your machine.

Because the attacker convinces you to run the command, your device treats it as a trusted action, making it much harder for security tools to block.

How Can I Spot a ClickFix Attempt?

Exercise caution towards any unfamiliar website, email, or popup that:

  • Asks you to open Windows Run (Windows + R)
  • Tells you to paste a command into PowerShell or Terminal
  • Claims you must run a script to “fix,” “verify,” or “continue”
  • Appears immediately after clicking a search result or ad
  • Displays a CAPTCHA that looks unusual, low‑quality, or out of place

If you encounter instructions like:

“Press Windows + R and paste the following command…”

…it is almost certainly malicious.

If you suspect you may have interacted with a ClickFix prompt, please report it to the Information Security Team immediately (infosec@yorku.ca).

References:

  • https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
  • https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
  • https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/

Phish Alert - Malicious Website Impersonating York University
Tue, 17 Mar 2026 14:19:21 +0000

The Information Security team has identified a fraudulent website impersonating York University that is actively attempting to harvest community members' login credentials. This malicious site closely mimics the appearance of official York University web properties and may be encountered when users attempt to access University services through search engines.

The impersonation site is NOT affiliated with York University and should be considered malicious. Do NOT enter your username, credentials, Duo 2FA codes, or any other personal information on this site as this may result in unauthorized access to your accounts.

The fraudulent site uses the URL <www.yorkuonline.com>; an image is shown below for reference:

Red Flags to Watch Out For

Unsolicited messages directing you to log in:
Messages claiming your account will be disabled, your mailbox is full, or your access is expiring are common tactics used to lure users to fake login pages.

Suspicious URL:
Official York University login pages always use domains ending in yorku.ca. Any variation, such as extra characters, misspellings, or unfamiliar subdomains, should be treated as suspicious.

Unexpected login prompts:
If you are asked to “verify your account”, “update your credentials” or “restore access” after clicking a link you did not expect, this is a strong indicator of a phishing attempt.

Requests for Duo/MFA passcodes:
York University will never ask you to enter Duo 2FA codes outside of the official login process. Any site requesting your passcode directly should be considered malicious.

If you encounter any emails or messages directing you to this site, please report it using the Report Phishing button or forward the message to phishing@yorku.ca.

If you have already entered your credentials into the malicious site, change your password immediately by visiting . If you have any questions or concerns, please contact infosec@yorku.ca.

Phish Alert - Winter 2026 Term Commencement – Important Information
Mon, 05 Jan 2026 16:02:29 +0000

The Information Security team has identified a targeted phishing email sent on January 5, 2026 (today) that is being circulated among the York University community. The email used the subject line equal or similar to "Winter 2026 Term Commencement – Important Information" and falsely advertises monetary compensation in the form of a "Student Engagement Bonus" to recipients. Recipients are directed to submit their sensitive personal and financial information to an external address that is NOT affiliated with York University and is to be considered malicious.

Key details of the phishing email:

Subject: "Winter 2026 Term Commencement – Important Information"
Date: January 5, 2026
Sender: admin@gpaindustria.onmicrosoft.com

Red Flags to Watch Out For:

Suspicious sender email: The sender's email address is not associated with York University’s official IT services (email was NOT sent from an @yorku.ca address).
Urgency and financial motivation: The email pressures you to act quickly, using the false promise of disclosing details pertaining to a fake Fall Bonus in exchange for submitting personal information.
Request for personal details: York University would NEVER ask for passwords, Duo/MFA passcodes, or other sensitive information via email.

What to Do:
Do not respond to this email or provide any personal information.
Do not click any links or open attachments that may be included.
Report the email: If you received this phishing attempt, please report it using the Report Phishing button or forward it to phishing@yorku.ca

Remote Code Execution Vulnerability in React and Next.js Frameworks
Sat, 06 Dec 2025 03:37:25 +0000

The React team released a security advisory regarding a critical vulnerability, CVE-2025-55182, in the React server that could allow an unauthenticated, remote attacker to perform remote code execution on an affected device or system.

Severity level:-

CVSS Score: 10.0 / Critical.

Description:- The vulnerability has been identified in React Server Components (also known as React.js or ReactJS) “Flight” protocol affecting React 19 ecosystems and frameworks that implement it, most notably Next.js. The issue arises from insecure deserialization that allows unauthenticated remote code execution (RCE). When a malicious actor crafts a specific HTTP request, the flaw in React's deserialization process can enable them to execute arbitrary code on an unpatched server.

Affected Versions :-   

  • React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0
  • Next.js version 14.3.0-canary.77, 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7 and 16.0.7

Impact:-

An unauthenticated attacker could craft a malicious HTTP request to any Server Function endpoint that, when deserialized by React, achieves remote code execution on the server. Exploit code is publicly available and exploitation is actively occurring.

Resolution:-

Administrators should upgrade to the latest patched version in their release line.

Reference:-

UIT Information Security

Phish Alert - Notification of Eligibility: Fall 2025 Bonus at York University
Wed, 03 Dec 2025 18:50:44 +0000

The Information Security team has identified a targeted phishing email sent between December 2nd - 3rd, 2025 that is being circulated among the York University community. The email used the subject line equal or similar to "Notification of Eligibility: Fall 2025 Bonus at York University" and falsely advertises a "Fall Bonus" to recipients. Recipients are directed to submit their sensitive personal and financial information to an external address that is NOT affiliated with York University and is to be considered malicious.

Key details of the phishing email:

Subject: "Notification of Eligibility: Fall 2025 Bonus at York University"
Date: December 2 - 3, 2025
Sender: admin@gpaindustria.onmicrosoft.com

Red Flags to Watch Out For:

Suspicious sender email: The sender's email address is not associated with York University’s official IT services (email was NOT sent from an @yorku.ca address).
Urgency and financial motivation: The email pressures you to act quickly, using the false promise of disclosing details pertaining to a fake Fall Bonus in exchange for submitting personal information.
Request for personal details: York University would NEVER ask for passwords, Duo/MFA passcodes, or other sensitive information via email.

What to Do:
Do not respond to this email or provide any personal information.
Do not click any links or open attachments that may be included.
Report the email: If you received this phishing attempt, please report it using the Report Phishing button or forward it to phishing@yorku.ca

Microsoft Defender False Positive Detections on PowerShell and svchost: Win32/AMSI_Patch.A
Fri, 28 Nov 2025 16:19:55 +0000

York University's Information Security team is aware of a spike in false positive antivirus detections by Windows Defender against benign activity in the powershell.exe and svchost.exe processes. The issue is believed to have begun around the evening of November 26th, 2025, and had widespread impact on November 27th, 2025. Impacted computers displayed periodic desktop notifications and may have prevented webcams from functioning. A sample false positive detection is pictured below:

The issue appears to have been caused by a problem in a recent version of Microsoft Defender's security intelligence (cloud-based updates). The issue is believed to have impacted other organizations, not just York University. Microsoft has acknowledged the issue and confirmed that it was fixed in security intelligence version 1.441.548.0.

Most computers should have received a patched security intelligence update by the time of writing as they are generally updated automatically. However, users still experiencing this issue can update their security intelligence manually. To do so, open the Windows Security app, go to Virus & threat protection, click on Protection updates, and click on Check for updates.

Phish Alert - Important: Your Eligibility for the Fall 2025 Bonus Payment / Notification of Eligibility: Fall 2025 Bonus at York University
Mon, 17 Nov 2025 17:30:15 +0000

The Information Security team has identified a targeted phishing email sent on November 17th, 2025 that is being circulated among the York University community. The email used the subject line equal or similar to "Important: Your Eligibility for the Fall 2025 Bonus Payment" OR "Notification of Eligibility: Fall 2025 Bonus at York University", and claims to be sent from York University Office of the Registrar.

The phish prompts recipients to submit personal information to an external address that is NOT affiliated with York University.

Key details of the phishing email:

Subject: "Important: Your Eligibility for the Fall 2025 Bonus Payment" OR "Notification of Eligibility: Fall 2025 Bonus at York University"
Sent: November 17th, 2025
Sender: admin@gpaindustria.onmicrosoft.com

The email falsely advertises a "Fall Bonus" to recipients and directs them to submit their personal information to an external address (registrar.yorku2025@aol.com). This external address is NOT affiliated with York University's Registrar Office and is to be considered malicious.

Red Flags to Watch Out For:
Suspicious sender email: The sender's email address is not associated with York University’s official IT services (email was NOT sent from an @yorku.ca address).
Urgency and financial motivation: The email pressures you to act quickly, using the false promise of disclosing details pertaining to a fake Fall Bonus in exchange for submitting personal information.
Request for personal details: York University would NEVER ask for passwords, Duo/MFA passcodes, or other sensitive information via email.

What to Do:
Do not respond to this email or provide any personal information.
Do not click any links or open attachments that may be included.
Report the email: If you received this phishing attempt, please report it using the Report Phishing button or forward it to phishing@yorku.ca

Phish Alert - 16.89 % Salary Increase Letter Wednesday, November 5, 2025
Wed, 05 Nov 2025 15:30:39 +0000

The Information Security team has identified a targeted phishing email being circulated among the York University community. The email, titled "16.89 % Salary Increase Letter Wednesday, November 5, 2025", claims to be sent from York University Payroll & Employee Relations, and prompts recipients to submit personal information. The email was sent from a compromised external account that is not affiliated with York University.

Key details of the phishing email:

  • Subject: 16.89 % Salary Increase Letter Wednesday, November 5, 2025
  • Sent: November 5th, 2025
  • Sender: harry.ruda@utoronto.ca

The email falsely claims to provide salary increase information enclosed in an attached PDF file titled "York University (1).pdf", which later directs users to submit their credentials and personal information into a malicious webpage.

Red Flags to Watch Out For:

  1. Suspicious sender email: The sender's email address is not associated with York University’s official IT services (email was NOT sent from an @yorku.ca address).
  2. Urgency and financial motivation: The email pressures you to act quickly, using the false promise of disclosing details pertaining to a salary increase.
  3. Request for personal details: York University would NEVER ask for passwords, Duo/MFA passcodes, or other sensitive information via email.

What to Do:

  • Do not respond to this email or provide any personal information.
  • Do not click any links or open attachments that may be included.
  • Report the email: If you received this phishing attempt, please report it using the Report Phishing button or forward it to phishing@yorku.ca

Phish Alert - Beware of Sophisticated Phishing Campaign Targeting 1Password Users
Fri, 17 Oct 2025 14:51:20 +0000

The Information Security team is aware of a new phishing campaign targeting 1Password users with convincing "fake breach" alerts. Users of both personal and enterprise 1Password accounts should exercise caution and steer clear of emails that falsely claim to be from 1Password.

Cybercriminals are distributing emails with the subject line "🔒Watchtower Alert: Password Issue Detected", that appear to be legitimate breach notifications from 1Password. These messages claim that your account has been compromised and prompt you to click a link to “secure” your vault. The link leads to a fake login page designed to steal your credentials.

If you receive the phishing email described above or any other similarly suspicious emails claiming to be from 1Password, please do NOT click on any links within the email, submit your credentials, or respond to the scammer. You can report this activity to our team using the Report Phishing button or by forwarding it to phishing@yorku.ca.

Red Flags to watch out for:

  • Sender impersonation: The email may appear to come from “watchtower@eightninety.com” or similar addresses.
  • Urgent language: Subject lines like “Watchtower Alert: Password Issue Detected” are used to provoke panic.
  • Fake login page: Clicking the link directs users to a site mimicking 1Password’s interface, but hosted on a malicious domain.
  • Subtle visual cues: The phishing page uses accurate branding and design elements, making it difficult to distinguish from the real site.

Cybersecurity Awareness Month - October 2025
Tue, 30 Sep 2025 20:12:30 +0000

October is Cybersecurity Awareness Month! 🎉

Throughout the month, the Information Security team will be sharing weekly cyber-focused themes, helpful resources, and interactive activities, all posted on our dedicated Cybersecurity Awareness Month page.

Be sure to check in each week for new content to keep you informed, engaged, and up to date on York’s latest cybersecurity initiatives.
