## What Is ClearFake?
If you've been following YourScam's scam feed, you'll have noticed one tag appearing again and again: ClearFake. It's one of the most active malware distribution campaigns we track, and it's responsible for a significant chunk of the 444 critical-severity reports in our database.
ClearFake works by injecting fake browser update prompts into compromised websites. When you visit an affected page, you see what looks like a legitimate Chrome, Firefox, or Edge update notification. Click "Update" and you've just installed malware.
## ClearFake in Our Data
Across YourScam's 1,637 reports, the malware landscape breaks down like this:
| Malware Tag | Reports | What It Does |
|---|---|---|
| ClearFake | 15+ | Fake browser updates → info-stealer download |
| Mozi | 27 | IoT botnet targeting routers and DVRs |
| Mirai | 9 | IoT botnet for DDoS attacks |
| ConnectWise | 3 | Remote access tool abuse |
ClearFake specifically targets everyday users, people browsing the web on desktop computers. Mozi and Mirai, by contrast, target internet-connected devices like routers and security cameras.
## How a ClearFake Attack Works
- Compromise: Attackers inject malicious JavaScript into a legitimate website (often through vulnerable WordPress plugins or stolen FTP credentials).
- Detection: When you visit the page, the script checks your browser type and operating system.
- Overlay: A full-screen overlay appears showing a fake browser update prompt that matches your actual browser.
- Download: Clicking "Update" downloads a .exe or .dmg file containing an info-stealer (commonly Lumma, Raccoon, or RedLine).
- Infection: The malware harvests saved passwords, browser cookies, crypto wallets, and banking credentials.
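The chain above has a useful property for defenders: the injected script has to do several distinct things on the same page (sniff the browser, draw a full-screen overlay, push a "update your browser" message, and hand out a native binary). The scanner below, an added example rather than code from YourScam's pipeline, looks for inline scripts in a fetched page that hit several of those categories at once; a script that only sniffs the user agent (ordinary feature detection) does not alert on its own. The indicator regexes and the two sample pages are constructed assumptions derived from the description above, not published ClearFake signatures, so tune them against real captures before relying on them.

```python
"""Heuristic scanner for ClearFake-style fake-update injections in HTML.

Added example; not YourScam's pipeline code. The indicator patterns are
assumptions built from the attack chain described in the post, not
published ClearFake signatures.
"""
import re
from html.parser import HTMLParser

# Each category maps to one regex. A script must hit MIN_CATEGORIES of
# them to be reported, which keeps benign UA sniffing from alerting alone.
INDICATORS = {
    "ua_sniff": re.compile(r"navigator\.(userAgent|platform|appVersion)", re.I),
    "update_lure": re.compile(
        r"(update|upgrade)\s+(your\s+)?(browser|chrome|firefox|edge)", re.I
    ),
    "overlay": re.compile(
        r"position\s*:\s*fixed|z-index\s*:\s*\d{4,}|fullscreen", re.I
    ),
    "binary_download": re.compile(r"\.(exe|dmg|msi|pkg)\b", re.I),
}
MIN_CATEGORIES = 3


class _ScriptCollector(HTMLParser):
    """Collects the body text of every inline <script> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            # handle_data may arrive in chunks, so join the buffer here
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def scan_html(html: str) -> list[dict]:
    """Return one finding per inline script that hits >= MIN_CATEGORIES."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for idx, body in enumerate(collector.scripts):
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        if len(hits) >= MIN_CATEGORIES:
            findings.append({"script_index": idx, "indicators": hits})
    return findings


def is_suspicious(html: str) -> bool:
    """True if any inline script on the page looks like a fake-update lure."""
    return bool(scan_html(html))


# Constructed sample: a benign page that only does feature detection.
BENIGN_PAGE = """<html><body>
<script>
  // ordinary feature detection: a single indicator category fires
  var isMobile = /Mobi/.test(navigator.userAgent);
</script>
<script src="https://static.example.com/analytics.js"></script>
</body></html>"""

# Constructed sample of an injected lure (skeleton only, for testing the
# scanner). Hostname is a placeholder, not a real indicator.
SUSPICIOUS_PAGE = """<html><body><h1>Local bakery</h1>
<script>
  if (navigator.userAgent.indexOf("Chrome") !== -1) {
    var o = document.createElement("div");
    o.setAttribute("style", "position:fixed;top:0;left:0;z-index:99999");
    o.innerText = "Update your browser to continue";
    var a = document.createElement("a");
    a.href = "https://cdn.example.invalid/ChromeSetup.exe";
    o.appendChild(a);
    document.body.appendChild(o);
  }
</script></body></html>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        print(label, scan_html(page))
```

Only inline scripts are inspected; a loader that pulls the overlay from an external `src` needs that file fetched and passed through `scan_html` too, and a site owner will usually get more signal from comparing the served HTML against the copy in version control than from any heuristic alone.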
## Why It's Effective
- Browser update prompts are something people expect to see; we've been trained to click "Update" when prompted.
- The overlays are pixel-perfect replicas of real browser update screens.
- The compromised website itself may be completely legitimate: a local business, a blog, a news site.
- Anti-virus may not catch it immediately because the download URL changes frequently.
## How to Protect Yourself
- Real browser updates never come from websites: Chrome updates through Settings → About Google Chrome, Firefox through Settings → General → Firefox Updates, and Edge through Settings → About Microsoft Edge.
- If you see an update prompt on a webpage, close the tab. Don't click anything on the overlay. Just close it.
- Keep your browser set to auto-update. This way you know it's always current without needing to click anything.
- Use an ad blocker. Many ad blockers also block malicious script injection, adding a layer of protection.
- Run a scan if concerned. If you think you may have clicked a fake update, run a full scan with Malwarebytes (free) or Windows Defender immediately.
Already clicked a fake update? Disconnect from the internet, run a full malware scan, change all passwords from a different device, and monitor your bank accounts closely for the next 30 days.
Data sourced from YourScam.org's live intelligence pipeline, powered by URLhaus/abuse.ch threat feeds.