A newly uncovered cyberthreat is turning familiar online experiences into a delivery system for malware. Security researchers report that attackers have built convincing replicas of BBC news pages, complete with copied articles and authentic branding, before funnelling visitors toward fraudulent Cloudflare verification screens. The tactic belongs to a technique known as ClickFix, which persuades users to run malicious commands themselves.
The case shows how modern attacks lean less on breaking code and more on manipulating people. Instead of forcing their way past digital defences, criminals now focus on persuading users to take the harmful step on their behalf. Trust in well-known services provides the disguise; a routine-looking prompt supplies the trigger.
The sequence unfolds with deceptive simplicity. A user clicks what looks like an ordinary ad or search result and lands on a fake BBC site that appears legitimate at first glance. After a short time, the page redirects to what seems to be a Cloudflare Turnstile check. The design is near perfect: the “Verify you are human” box, the corporate logos, even Ray ID footers – all carefully reproduced to reduce suspicion.
Cybercriminals count on routine habits to do the rest. Whereas players exploring the online UK poker scene make deliberate choices to enter cash games, tournaments, or fast-fold tables with rewards clearly laid out, these attacks depend on the opposite: rushed clicks and blind acceptance. The fake verification already loads a malicious command into the clipboard. Users are told to open the Run box with Windows + R, paste the text, and press Enter. Believing they are clearing a security check, they are in fact installing malware.
The effectiveness lies in psychology. People feel they are solving a problem – getting past a gate to reach information – when in reality they are executing the attacker’s instructions. Security tools often miss such actions because they originate from the user, not from a system exploit.
The scale of this trend is stark. According to ESET’s H1 2025 Threat Report, detections of ClickFix surged by 517% between late 2024 and mid-2025, accounting for roughly 8% of all blocked attacks. That makes it the second most common method after phishing. Analysts say the growth reflects how quickly people respond to prompts online – the same split-second decision-making that drives activity in safe spaces like UK online poker becomes a point of weakness when manipulated by hostile actors.
Variants underline how adaptable the method has become. Beyond copying the BBC, attackers have posed as Microsoft, Chrome, and even industry-specific software providers. Researcher mr.d0x has identified another strain called FileFix, where users are told to paste a command into the Windows File Explorer bar. The principle remains identical: guide the victim into performing the dangerous action themselves.
Security teams stress that prevention depends on awareness. Boston College IT advises users never to paste commands into system tools on the instruction of a webpage. Administrators can disable the Run dialog through Group Policy, while monitoring software can flag suspicious PowerShell activity. Experts remind users that genuine Cloudflare checks never ask for system-level input; any page that does so should be considered fraudulent.
Industry actors have begun assigning formal designations to these campaigns. In March this year, Microsoft also warned about a phishing campaign known as Storm-1865, which used the ClickFix method to impersonate Booking.com and deliver credential-stealing malware. Security firms such as ESET and Proofpoint have released updated detection rules and run awareness campaigns aimed at breaking the cycle of compliance that makes the tactic effective.
The discovery of an operation that pairs fake BBC stories with forged Cloudflare checks shows the lengths criminals now go to in order to appear credible. Combined with the surge in cases and the rapid development of new variants, it illustrates the challenge for defenders. The weakness lies not in software but in trust: users can be persuaded more easily than systems can be broken. That reality ensures ClickFix will remain a central concern for security professionals, and a reminder to treat every unexpected prompt with caution.