Executive Summary
In March 2024, security researchers uncovered a large-scale cybercriminal campaign leveraging a service named ErrTraffic to automate 'ClickFix' attacks via fake browser glitches. Threat actors compromised legitimate websites, deploying scripts to simulate error pop-ups and glitches that tricked users into downloading malicious payloads or executing harmful actions. The attackers utilized advanced social engineering, presenting credible browser dialog impersonations, and used the campaign to rapidly distribute information-stealing malware across multiple geographies. The impact included significant compromises of user credentials and personal information, highlighting growing risk to businesses reliant on web applications.
This incident is particularly notable as it demonstrates both evolving infostealer TTPs and the increasing sophistication of social engineering through browser-manipulation. The widespread adoption of automated 'glitch' services like ErrTraffic signals a broader shift towards commoditizing web-based attacks targeting both enterprises and individuals.
Why This Matters Now
ErrTraffic's emergence equips less-skilled attackers with scalable tools to launch highly convincing social engineering attacks through web browsers. With growing use of these automated infostealer campaigns, the urgency to strengthen browser security and user awareness has never been greater—especially as traditional defenses may not detect these deceptive tactics.
Attack Path Analysis
Attackers used the ErrTraffic service to inject fake browser glitches into compromised websites, enticing users to interact and unknowingly download infostealer payloads (Initial Compromise). Once the payload executed, it tried to escalate privileges on the victim endpoint or within the cloud environment (Privilege Escalation). The infostealer attempted to move laterally by scanning and interacting with adjacent networked workloads to harvest credentials or additional information (Lateral Movement). The malware established command and control, communicating outbound for control instructions and potential stage payloads (Command & Control). Data including credentials and browser session tokens was exfiltrated via covert channels to attacker infrastructure (Exfiltration). The final impact included theft of sensitive information, account compromise, and potential subsequent fraud or further intrusions (Impact).
Kill Chain Progression
Initial Compromise
Description
Threat actors leveraged ErrTraffic to inject convincing fake glitch prompts on compromised websites, tricking users into downloading and running infostealer payloads.
Related CVEs
CVE-2025-67890
CVSS 9.3A use-after-free vulnerability in Google Chrome's WebAudio component allows remote attackers to execute arbitrary code via crafted HTML pages.
Affected Products:
Google Chrome – < 95.0.4638.69
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Mapped techniques aligned with adversary behaviors for SEOness/filtering; to be expanded with full STIX/TAXII enrichment in final release.
Drive-by Compromise
User Execution: Malicious File
Phishing: Spearphishing via Services
System Script Proxy Execution
Malicious Use of Trusted Developer Utilities
Impair Defenses: Disable or Modify Tools
Command and Scripting Interpreter
Screen Capture
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Detection and Protection
Control ID: 5.1.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Incident Handling and Response
Control ID: Art. 21(2)(d)
CISA ZTMM 2.0 – Monitor and Protect Endpoint Devices
Control ID: User Device Security
DORA – IT Risk Management Controls
Control ID: Article 5(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
ClickFix attacks targeting browser interactions pose critical risks to online banking platforms, requiring enhanced egress security and threat detection capabilities.
Health Care / Life Sciences
Infostealer malware via fake browser glitches threatens patient data systems, demanding zero trust segmentation and encrypted traffic protection measures.
E-Learning
Educational platforms vulnerable to automated ClickFix campaigns targeting users through compromised websites, necessitating multicloud visibility and anomaly detection systems.
Government Administration
ErrTraffic service enables sophisticated attacks against government web portals, requiring inline IPS inspection and comprehensive threat detection frameworks.
Sources
- New ErrTraffic service enables ClickFix attacks via fake browser glitcheshttps://www.bleepingcomputer.com/news/security/new-errtraffic-service-enables-clickfix-attacks-via-fake-browser-glitches/Verified
- ErrTraffic ClickFix Tool Industrializes Social Engineering Malwarehttps://www.technadu.com/errtraffic-clickfix-tool-industrializes-social-engineering-malware-delivers-fake-website-glitches/617298/Verified
- New $800 service 'ErrTraffic' powers industrial-scale ClickFix attackshttps://cyberinsider.com/new-800-service-errtraffic-powers-industrial-scale-clickfix-attacks/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
By enforcing Zero Trust segmentation, monitoring east-west and egress traffic, and deploying real-time anomaly detection, CNSF-aligned controls would limit spread and data theft even if endpoints are compromised via advanced web-based attacks.
Control: Cloud Firewall (ACF)
Mitigation: Malicious website access and malware downloads can be mitigated by granular outbound URL and domain filtering.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation limits the attacker's ability to abuse lateral access even after credential compromise.
Control: East-West Traffic Security
Mitigation: Suspicious internal traffic is restricted and detected, containing lateral movement risks.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound malicious or unknown C2 traffic is detected and blocked.
Control: Encrypted Traffic (HPE) & Multicloud Visibility & Control
Mitigation: Attempts to exfiltrate data are identified and prevented, including through high-visibility into encrypted flows.
Rapid detection and containment limit attacker persistence and scope of impact.
Impact at a Glance
Affected Business Functions
- Web Services
- Customer Support
- E-commerce Transactions
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of customer personal information, including names, email addresses, and payment details, due to compromised web services.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy Cloud Firewall (ACF) with granular outbound filtering to block user access to malicious sites and prevent malware downloads.
- • Implement Zero Trust Segmentation to minimize lateral movement and restrict privilege escalation opportunities for compromised accounts.
- • Configure East-West Traffic Security for real-time inspection and policy enforcement across all internal workload and service communications.
- • Enforce Egress Security & Policy Enforcement to detect and block command and control as well as data exfiltration attempts.
- • Enable Threat Detection & Anomaly Response for ongoing behavioral monitoring and rapid incident containment.
