Skip to content

Releases: Subnet345LLC/FixClick

Release list

FixClick

Choose a tag to compare

@hackdefendr hackdefendr released this 08 Jul 23:29

A cross-browser Manifest V3 extension for Chrome, Edge, Brave, Opera and other Chromium browsers, plus Firefox, that detects two credential/token-theft attack families in the page, in real time, and warns the user:

  • ClickFix — fake "human verification" / error pages that trick you into pasting and running a command in the Windows Run dialog, PowerShell, or a terminal. Detected via clipboard interception + on-page lure heuristics.
  • Ghost phishing — Microsoft credential/token theft that appears to run on Microsoft's own infrastructure:
    • AiTM — a page rendering Microsoft's cloud sign-in form (the loginfmt username field) from a non-Microsoft origin (reverse-proxy kits such as Evilginx / EvilProxy). Keying on loginfmt avoids flagging legitimate on-prem AD FS pages and "Sign in with Microsoft" buttons, which don't render that field.
    • Device-code — the genuine device-authorization page, where an attacker relays a code for you to authorize their device.
      Consent — an OAuth consent screen requesting high-risk Graph scopes and/or a non-Microsoft redirect.

Heads Up!

  • For ALL Chrome and Chromium based browsers use the chrome version.
  • For ALL Firefox based browsers use the Firefox version.