DriveSurge Threat Actor Uses ClickFix and FakeUpdate Attacks Across Thousands of Compromised Sites

The DriveSurge threat actor has been identified running extensive malware distribution operations by compromising thousands of websites and deploying the ClickFix and FakeUpdate attack techniques on them. These campaigns propagate malicious payloads through deceptive user interactions on the hijacked sites.

What happened

Security researchers observed that the threat actor known as DriveSurge has compromised thousands of websites to run large-scale malware distribution campaigns. The attacker uses two main infection vectors called ClickFix and FakeUpdate, which trick site visitors into executing malicious actions that lead to malware installation. These techniques rely on social engineering embedded within the compromised web pages to deceive users into interacting with false prompts.

Why it matters

The large-scale nature of these attacks indicates a significant threat to website visitors across a wide range of industries and geographies. By hijacking legitimate websites, DriveSurge increases the chance of successful malware infections since users are more likely to trust familiar domains. The use of ClickFix and FakeUpdate techniques shows a shift towards more sophisticated social engineering tactics that complicate detection and mitigation.

What security teams should do

Security teams should prioritize scanning and remediating compromised websites to remove malicious scripts associated with these campaigns. Additionally, monitoring for unusual user interactions and web traffic patterns can help identify ongoing exploitation attempts. Ensuring that web application security controls are up to date, including regular patching and vulnerability assessments, can reduce the risk of compromise by actors like DriveSurge.

Key technical details

The ClickFix technique employed by DriveSurge involves prompting users to interact with fake 'fix' buttons or alerts that appear as legitimate browser or site notifications but trigger malware downloads. The FakeUpdate method deceives users into downloading what appears to be legitimate software updates, which are in fact malicious payloads. These attack vectors are embedded in compromised websites, making use of social engineering and script injection to initiate infections.
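Because both techniques depend on script injected into otherwise legitimate pages, the most direct check a site owner can run is a baseline comparison: record the external script sources and inline-script hashes a clean page legitimately carries, then flag anything that appears later. The following is an added example written for this summary, not code from the article or from BleepingComputer; the sample pages, the allowlisted host `cdn.example-shop.test` and the "unknown host" in the suspect page are all constructed for illustration.

```python
"""Baseline check for injected <script> tags in a site's HTML.

Added example (not from the article). A site owner keeps a baseline of the
script sources and inline-script hashes that a clean page carries, then
compares freshly served HTML against it; anything outside the baseline is
reported for review. All sample HTML and hostnames below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # bodies of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; accumulate them.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def script_fingerprint(html):
    """Return (set of external script URLs, set of sha256 hashes of inline scripts)."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    external = set(p.external)
    inline = {hashlib.sha256(s.strip().encode()).hexdigest() for s in p.inline}
    return external, inline


def find_unexpected_scripts(html, allowed_hosts, baseline_inline_hashes):
    """List script tags that the baseline does not account for.

    External scripts are judged by host (relative paths have no host and are
    treated as first-party); inline scripts are judged by content hash.
    """
    external, inline = script_fingerprint(html)
    findings = []
    for src in sorted(external):
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("external", src))
    for digest in sorted(inline - baseline_inline_hashes):
        findings.append(("inline", digest))
    return findings


# Constructed clean page: one allowlisted external script, one known inline script.
CLEAN_PAGE = """<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Hello</p></body></html>"""

# Constructed suspect page: the clean page plus one script from an unknown host
# and one inline script that is not in the baseline.
SUSPECT_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://static.unknown-host.test/loader.js"></script>\n'
    "<script>setTimeout(function () { location.reload(); }, 60000);</script>\n"
    "</head>",
)

ALLOWED_HOSTS = {"cdn.example-shop.test"}  # constructed allowlist


def audit(html):
    """Compare a page against the baseline derived from CLEAN_PAGE."""
    _, baseline_inline = script_fingerprint(CLEAN_PAGE)
    return find_unexpected_scripts(html, ALLOWED_HOSTS, baseline_inline)


if __name__ == "__main__":
    for kind, value in audit(SUSPECT_PAGE):
        print(f"unexpected {kind} script: {value}")
```

In practice the baseline would be generated from a known-clean deployment (or from the repository the site is built from) and the audit run against pages fetched from the live server, so that a script a compromise adds on the server side shows up even though nothing in the source tree changed. Hash-based matching of inline scripts means any modification to a legitimate script is also surfaced, which is the desired behaviour for an integrity check.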

Affected organizations/products

Thousands of websites compromised by the DriveSurge threat actor have been identified as vectors for these campaigns. Specific industries or types of sites affected were not detailed in the source material.

Source attribution

https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/

Written by Thirumala Rao Padilam