News Archives - Information Security /uit/infosec/category/news/ Wed, 22 Apr 2026 19:42:56 +0000 en-CA hourly 1 https://wordpress.org/?v=6.9.4 Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks /uit/infosec/2026/04/22/fake-captcha-real-threat-clickfix-social-engineering-attacks/ Wed, 22 Apr 2026 19:36:36 +0000 /uit/infosec/?p=2678 ClickFix attacks are a rapidly evolving threat that use fake CAPTCHA pages to trick people into running malicious commands (often PowerShell) on their own devices. In every ClickFix case, the attacker relies on one thing: your participation. Most traditional phishing attempts and malicious sites are filtered or blocked long before they reach you. That’s why […]

The post Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks appeared first on Information Security.

]]>
ClickFix attacks are a rapidly evolving threat that use fake CAPTCHA pages to trick people into running malicious commands (often PowerShell) on their own devices. In every ClickFix case, the attacker relies on one thing: your participation. Most traditional phishing attempts and malicious sites are filtered or blocked long before they reach you. That’s why ClickFix pushes you to take extra steps yourself. By convincing you to run a command, the attacker gets past the protections already set in place and installs malware that would otherwise be detected.

What is ClickFix?

ClickFix is a social engineering technique where attackers compromise legitimate websites and replace normal verification steps such as CAPTCHAs with fake prompts, and instruct users to run malicious commands on their computers. These commands often involve opening the Windows Run dialog or PowerShell and pasting in a script that appears to “fix” a problem or “verify” the user. In reality, the script is being used to download malware that compromises your device.

This technique has been observed across higher‑education institutions and is increasingly used to deploy malware families such as , a backdoor capable of downloading additional payloads, collecting system information, and maintaining persistence on the device.

How does it Work?

ClickFix attacks follow a simple pattern:

  1. You click on a link from a search result or ad, and as the page loads, a strange-looking CAPTCHA or pop‑up appears unexpectedly.
  2. Instead of asking you to click images or check a box, it tells you there’s a “problem” and you need to run a command to continue.
  3. The page instructs you to open Windows + R, PowerShell, or Terminal and paste in a line of text.
  4. That command silently downloads malware onto your device. In many cases, it installs a backdoor such as CORNFLAKE.V3, which can download additional malicious files onto your system, collect system information, and stay hidden on your machine.

Because the attacker convinces you to run the command, your device treats it as a trusted action, making it much harder for security tools to block.

How Can I Spot a ClickFix Attempt?

Exercise caution towards any unfamiliar website, email, or popup that:

  • Asks you to open Windows Run (Windows + R)
  • Tells you to paste a command into PowerShell or Terminal
  • Claims you must run a script to “fix,” “verify,” or “continue”
  • Appears immediately after clicking a search result or ad
  • Displays a CAPTCHA that looks unusual, low‑quality, or out of place

If you encounter instructions like:

“Press Windows + R and paste the following command…”

…it is almost certainly malicious.

If you suspect you may have interacted with a ClickFix prompt, please report it to the Information Security Team immediately (infosec@yorku.ca).

References:

  • https://unit42.paloaltonetworks.com/preventing-clickfix-attack-vector/
  • https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
  • https://cloud.google.com/blog/topics/threat-intelligence/analyzing-cornflake-v3-backdoor/

The post Fake CAPTCHA, Real Threat: ClickFix Social Engineering Attacks appeared first on Information Security.

]]>
Cybersecurity Awareness Month - October 2025 /uit/infosec/2025/09/30/cybersecurity-awareness-month-october-2025/ Tue, 30 Sep 2025 20:12:30 +0000 /uit/infosec/?p=2169 October is Cybersecurity Awareness Month! 🎉 Throughout the month, the Information Security team will be sharing weekly cyber-focused themes, helpful resources, and interactive activities, all posted on our dedicated Cybersecurity Awareness Month page. Be sure to check in each week for new content to keep you informed, engaged, and up to date on 91ɫ’s latest […]

The post Cybersecurity Awareness Month - October 2025 appeared first on Information Security.

]]>

October is Cybersecurity Awareness Month! 🎉

Throughout the month, the Information Security team will be sharing weekly cyber-focused themes, helpful resources, and interactive activities, all posted on our dedicated Cybersecurity Awareness Month page.

Be sure to check in each week for new content to keep you informed, engaged, and up to date on 91ɫ’s latest cybersecurity initiatives.

The post Cybersecurity Awareness Month - October 2025 appeared first on Information Security.

]]>
Duo's Self-Service Device Management (SSDM) portal /uit/infosec/2024/10/18/duos-self-service-device-management-ssdm-portal/ Fri, 18 Oct 2024 14:34:00 +0000 /uit/infosecdev/?p=1654 Duo has also introduced a new Self-Service Device Management (SSDM) portal to allow users to access the device management interface directly. This will allow users to add/remove devices without the help of IT/Help Desk staff. To access Duo SSDM, please visit https://yorku.login.duosecurity.com/ and login with your Passport 91ɫ credentials. Once inside the portal, users will be able to add, […]

The post Duo's Self-Service Device Management (SSDM) portal appeared first on Information Security.

]]>
Duo has also introduced a new Self-Service Device Management (SSDM) portal to allow users to access the device management interface directly. This will allow users to add/remove devices without the help of IT/Help Desk staff.

To access Duo SSDM, please visit  and login with your Passport 91ɫ credentials. Once inside the portal, users will be able to add, remove and configure their authentication devices independently.

Benefits:
Users no longer need to reach out to IT staff for help with managing their devices. The new SSDM portal will equip users with the autonomy to manage their own authentication, improving the overall efficiency of Duo MFA.

What Devices and Duo Versions are compatible with the new SSDM?
Supported iOS and Android versions:
The current version of Duo Mobile supports iOS 15.0 or greater and Android 11 or greater.

Supported Browsers:
Duo Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile) and Edge.

Note:
Not all browsers support all Duo authentication methods. Although we do not require users to download the Chrome browser, Duo recommends Chrome for the most seamless user experience and widest compatibility.

The supported browsers are listed below:
• Google Chrome
• Safari
• Firefox
• Microsoft Edge

For more information, please refer to the following  from Duo.

Please contact askit@yorku.ca if you have any questions or concerns.

The post Duo's Self-Service Device Management (SSDM) portal appeared first on Information Security.

]]>
Upcoming Change to Duo 2FA Prompt /uit/infosec/2024/04/17/upcoming-change-to-duo-2fa-prompt/ Wed, 17 Apr 2024 15:24:21 +0000 /uit/infosecdev/?p=1248 As part of planned updates to 91ɫ’s Duo 2FA service, the Duo login prompt will change to a refreshed and modernized look that is better optimized for desktop and mobile experiences - known as the Duo Universal Prompt. There are no functionality changes to Duo and the service will continue to be part of your […]

The post Upcoming Change to Duo 2FA Prompt appeared first on Information Security.

]]>

As part of planned updates to 91ɫ’s Duo 2FA service, the Duo login prompt will change to a refreshed and modernized look that is better optimized for desktop and mobile experiences - known as the Duo Universal Prompt. There are no functionality changes to Duo and the service will continue to be part of your Passport 91ɫ and yuoffice/O365 logins as usual.

When will this occur: The new prompt will replace the current one on March 20, 2024.

Traditional Prompt:

New Duo Universal Prompt:

Note: The "Remember this device" option has changed from a checkbox to answering the "Is this your device" question:

Supported iOS and Android versions:

The current version of Duo Mobile supports iOS 13.0 or greater and Android 8 or greater.

Supported Browsers:

The Universal Prompt supports Chrome (Desktop and Mobile), Firefox, Safari (Desktop and Mobile), Edge, and Internet Explorer. Not all browsers support all Duo authentication methods, so for the widest compatibility we recommend Chrome.

The minimum supported version for all browsers are listed below:

  • Google Chrome 38.0
  • Safari 9
  • Firefox 47.0
  • Microsoft Edge 17
  • Internet Explorer 11

What do I need to do?

If you enabled automatic app updates on your device, the Duo Mobile app will update automatically. Otherwise, you need to manually update the app on your device.

Additional Resources:

The post Upcoming Change to Duo 2FA Prompt appeared first on Information Security.

]]>
Upcoming Changes to the Phish Reporter Button /uit/infosec/2023/07/19/upcoming-changes-to-the-phish-reporter-button/ Wed, 19 Jul 2023 15:40:04 +0000 /uit/infosecdev/?p=267 As of August 2nd, UIT is making changes to the current “Report Phishing” button in Outlook. Users will see the existing button with the “fish” icon be replaced by a new version that is integrated with new Microsoft email protection technologies. The new button has a different icon but works similarly and provides more immediate […]

The post Upcoming Changes to the Phish Reporter Button appeared first on Information Security.

]]>

As of August 2nd, UIT is making changes to the current “Report Phishing” button in Outlook. Users will see the existing button with the “fish” icon be replaced by a new version that is integrated with new Microsoft email protection technologies. The new button has a different icon but works similarly and provides more immediate reporting and response capability for suspicious messages. In addition to reporting the message to Information Security, messages will be automatically processed to improve filtering and help identify similar phishing attempts.

What is changing?

The look of the button is changing from:

to

Behind the scenes, the new button is connected to an entirely new mechanism for phishing reporting and response to improve effectiveness.

Note that there is no change to the phishing button for 91ɫ’s Google G-suite email for students.

For more information please see the Report Phishing service page on the UIT Information Security website.

Behind the scenes, the new button is connected to an entirely new mechanism for phishing reporting and response to improve effectiveness.

Note that there is no change to the phishing button for 91ɫ’s Google G-suite email for students.

For more information please see the Report Phishing service page on the UIT Information Security website.

The post Upcoming Changes to the Phish Reporter Button appeared first on Information Security.

]]>