Curious about the technical details? Read our technical blog on ClickFix Block.
In recent months, a dangerous but convincing social engineering technique has started spreading: the fake captcha, or ClickFix, attack. Cybercriminals create a page that looks like a legitimate captcha challenge, something we all trust. But instead of asking you to click on images, the page instructs you to run a command on your computer.
What makes the attack so effective is the use of the clipboard. Without the user realizing it, the website automatically places a malicious command in the clipboard. When the user pastes and executes it, the attacker gains control of the device, installs malware, or steals passwords.
At Eye Security, we decided not just to analyze this threat, but to build a solution. That’s why we created ClickFix Block, a free browser extension that prevents this attack before it can succeed.
Why attackers succeed
This attack works because it exploits what users already know and trust. Captchas are everywhere on the internet and usually associated with security. That is what makes this technique so effective.
- Anyone can fall for it: the interface looks familiar and pressures users to act quickly
- The damage is immediate: from stolen credentials to complete workstation takeover
- It is spreading quickly: attackers adopt this technique because it bypasses traditional awareness
Organizations cannot rely solely on employees to recognize phishing attempts. In this case, there are no suspicious emails or red flags. The manipulation happens directly in the browser, at the moment users are least likely to question it.
How ClickFix Block helps
ClickFix Block was designed with one purpose: break the attack before it has a chance to succeed.
With ClickFix Block:
- Malicious commands are blocked from entering the clipboard
- Users receive a clear warning when a page attempts to use this technique
- The attack chain is interrupted automatically, without user action
Normal copy and paste continues to work as usual. The extension only monitors suspicious clipboard activity initiated by websites.
How to use it
Installation
- Go to the Chrome Web Store.
- Click Add to Chrome.
- Confirm by clicking Add extension.
- Once the extension is installed, the ClickFix Block icon will appear in the top right corner of your browser.
If you don’t see it immediately, click the puzzle piece icon and pin it for quick access.
Using the extension
By clicking on the extension icon, you can:
- Enable or disable ClickFix Block globally
- Turn Block all mode on or off (for maximum protection, this prevents any site from injecting content into the clipboard)
- Add the current website to the allowlist if you trust it
Any changes you make are applied immediately when the page refreshes.
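How the three settings above could combine with the rule that only website-initiated clipboard writes are monitored, as an added example that is not ClickFix Block's own code. The function names, the command heuristic, and the choice to let the allowlist take precedence over Block all mode are assumptions.

```javascript
// Added illustration; not the extension's source. All names are hypothetical.

// Assumed heuristic: clipboard text that invokes a shell or script host.
const COMMAND_HINTS = [
  /\bpowershell(\.exe)?\b/i,
  /\bcmd(\.exe)?\s+\/c\b/i,
  /\bmshta(\.exe)?\b/i,
  /\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b/i,
];

function looksLikeCommand(text) {
  return COMMAND_HINTS.some((re) => re.test(text));
}

// write:    { pageUrl, text, scriptInitiated }
// settings: { enabled, blockAll, allowlist: [hostname, ...] }
function decideClipboardWrite(write, settings) {
  // Copies the user makes themselves are never touched.
  if (!settings.enabled || !write.scriptInitiated) {
    return { action: "allow", reason: "not monitored" };
  }
  const host = new URL(write.pageUrl).hostname;
  // Assumption: an allowlisted site is trusted even in block-all mode.
  if (settings.allowlist.includes(host)) {
    return { action: "allow", reason: "allowlisted" };
  }
  if (settings.blockAll) {
    return { action: "block", reason: "block-all mode" };
  }
  return looksLikeCommand(write.text)
    ? { action: "block", reason: "command-like text" }
    : { action: "allow", reason: "ordinary text" };
}

// Constructed sample writes (example.test hosts are placeholders).
const SAMPLES = [
  { pageUrl: "https://captcha.example.test/verify", scriptInitiated: true,
    text: 'powershell -Command "Write-Output placeholder"' },
  { pageUrl: "https://docs.example.test/page", scriptInitiated: true,
    text: "https://docs.example.test/page#section-2" },
];

function runSamples(settings) {
  return SAMPLES.map((w) => decideClipboardWrite(w, settings).action);
}

console.log(runSamples({ enabled: true, blockAll: false, allowlist: [] }));
```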
Prevention and defense working together
ClickFix Block is a strong example of how small, targeted measures can disrupt an entire attack technique. By stopping clipboard manipulation in the browser, it removes the critical step that fake captchas rely on.
At the same time, we know that cyber threats evolve constantly. That is why we apply the principle of assume breach: even if attackers bypass one layer of defense, there must always be monitoring and response in place to contain the threat. Fake captchas are only one of many techniques, and new ones will inevitably follow.
This is why prevention and detection go hand in hand. ClickFix Block lowers the chance of compromise, while ongoing monitoring and response ensure resilience against the attacks of tomorrow.
Free for everyone
We are releasing ClickFix Block free of charge as part of our mission to keep Europe safe. It is available for everyone, not just our customers, because the risk does not stop at organizational boundaries.
👉 Bottom line: with ClickFix Block you can neutralize an entire attack technique with a single extension and protect your organization from one of the fastest-growing browser-based threats.