Opera browser thinks it has the solution to stopping ClickFix malware attacks
The browser company is targeting a growing source of malicious links with its new Paste Protect feature
Opera has started to block ClickFix-style attacks in the browser by stopping malicious clipboard copy-and-paste techniques.
ClickFix pairs social engineering with a malicious code injection attack by fooling users into clicking a link, such as a fake CAPTCHA or similar familiar popup, starting a string of events that could compromise the device.
Opera cited a report by Huntress showing that ClickFix-style social engineering attacks make up 53% of all malware loader activity worldwide, underlining the scale of the threats faced by web users.
Last year, Proofpoint warned that state-sponsored hackers were turning to ClickFix techniques to target governments in particular.
To help battle that, Opera has introduced Paste Protect, a browser-native feature designed to prevent such attacks by stopping malicious code from being copied onto the clipboard, and notifying users when that happens.
"This means that if you’re accessing a website that is trying to copy something potentially harmful into your clipboard (or luring you into doing so), Opera will detect it, prevent it, and let you know about it," the company said in a blog post.
Opera said it is the first major browser to add this level of protection, though Microsoft Defender does notify users of ClickFix landing pages and there are extensions that do a similar job.
"Opera had already been protecting users from paste hijacking for half a decade — it made sense to expand that protection to address one of the most increasingly serious online threats," said Mohamed Salah, Senior Director of Product at Opera.
"Paste Protect gives your browser a robust early warning system that can alert less experienced users while still enabling more control for more tech-savvy users or developers."
The rise of ClickFix
ClickFix attacks work by fooling a user into clicking a box on a malicious popup, often one pretending to be a CAPTCHA or a "verify you're a human" box. That click lets the dodgy website copy content to the clipboard and open another window.
"When this prompt appears, the website has already 'copied' something to your clipboard, and now it instructs you to open the Windows Run dialog box (Win+R), then use 'Ctrl + V' to paste the malicious code, and then click 'OK'," the blog post noted. "This would execute the code and compromise your device, and the data on it."
Instead, Opera's Paste Protect examines the content being copied and, if it looks harmful, blocks it from reaching the clipboard and notifies the user, who can then close the window without interacting.
"ClickFix attacks succeed because they turn the user into the weapon," said Pawel Kurzelewski, Head of Security at Opera.
"The clipboard is the last point before a malicious command is run, so that's where we built our defense. With Paste Protect, we're stopping these attacks at the exact moment they would normally succeed."
The Paste Protect system does mean that the Opera browser is scanning everything copied to the clipboard for potential threats or harmful commands. When those are spotted, the system displays a red warning icon.
Websites can be individually approved to circumvent these warnings if safe, and users can still check to see if a mistake has been made.
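To make the examine, block, notify and per-site approval flow described above concrete, here is an added example that is not Opera's code and is not taken from the blog post. The rule list, weights, threshold and the `reviewClipboardWrite` function are assumptions chosen for illustration, and the sample hosts and clipboard strings are constructed placeholders.

```javascript
// Added example: triage of text a page tries to place on the clipboard.
// Rules, weights and threshold are assumptions, not Opera's detection logic.
const RULES = [
  { id: "script-host", weight: 2,
    re: /\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b/i },
  { id: "downloader", weight: 2,
    re: /\b(curl|wget|bitsadmin|certutil|invoke-webrequest|iwr|irm)\b/i },
  { id: "inline-exec", weight: 2,
    re: /\b(iex|invoke-expression)\b|\|\s*(sh|bash)\b/i },
  { id: "hidden-or-encoded", weight: 2,
    re: /\s-(windowstyle|w)\s+h(idden)?\b|\s-(encodedcommand|enc|e)\s/i },
  { id: "remote-url", weight: 1, re: /https?:\/\/[^\s"']+/i },
];
const BLOCK_THRESHOLD = 4; // assumed cut-off: two strong signals

function reviewClipboardWrite(pageUrl, text, approvedOrigins = new Set()) {
  const origin = new URL(pageUrl).origin;
  const hits = RULES.filter((r) => r.re.test(text));
  const reasons = hits.map((r) => r.id);
  const score = hits.reduce((sum, r) => sum + r.weight, 0);
  const suspicious = score >= BLOCK_THRESHOLD;
  // A site the user approved is not blocked, but the verdict is still reported.
  const action = suspicious && !approvedOrigins.has(origin) ? "block" : "allow";
  return { origin, action, score, reasons, notifyUser: action === "block" };
}

// Constructed samples; hosts and payload text are placeholders.
const SAMPLES = [
  ["https://lure.example.invalid/captcha",
   "powershell -WindowStyle Hidden -EncodedCommand <constructed-placeholder>"],
  ["https://news.example.invalid/story",
   "Team meeting notes: https://example.invalid/agenda"],
  ["https://docs.example.invalid/install",
   "curl -fsSL https://docs.example.invalid/install.sh | sh"],
];
const approved = new Set(["https://docs.example.invalid"]);
for (const [url, text] of SAMPLES) {
  const v = reviewClipboardWrite(url, text, approved);
  console.log(v.origin, v.action, v.score, v.reasons.join(","));
}
```

The third sample is the false-positive case: a documentation site's install one-liner scores above the threshold, and only the per-site approval keeps it from being blocked.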
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.