BinHex.Ninja Security - ClickFix Attack Protection

🛡️ Protect Yourself from Social Engineering Attacks

BinHex.Ninja Security is a browser extension designed to detect and block ClickFix attacks — a dangerous social engineering technique where malicious websites trick users into copying and executing harmful commands on their computers.

What Are ClickFix Attacks?

ClickFix attacks disguise themselves as legitimate verification pages (like CAPTCHA or security checks) and prompt users to:

• Open Terminal, PowerShell, or the Windows Run dialog
• Paste a "verification code" that's actually malicious
• Unknowingly install malware, keyloggers, or ransomware

These attacks bypass traditional antivirus software because you're the one executing the command — making detection incredibly difficult.

Real-World Examples

Figure 1: ClickFix Variant

Figure 2: ClickFix Variant

Figure 3: ClickFix Variant

Figure 4: BinHex.Ninja Security Extension notifying user of a ClickFix Attack

Figure 5: BinHex.Ninja Security Extension successfully blocking a ClickFix Clipboard Attack

🎬 See It In Action

Watch how BinHex.Ninja Security protects you in real-time against ClickFix attacks.

✨ Key Features

🔍 Real-Time Detection

• Scans web pages for malicious PowerShell, CMD, and Bash commands
• Monitors clipboard activity to block dangerous content from being copied
• Detects obfuscated and encoded attack patterns
• Comprehensive scanning of page content, iframes, Shadow DOM, and hidden elements

🚫 Multi-Layer Protection

• Page Scanning: Identifies malicious content before you interact with it
• Clipboard Protection: Prevents harmful commands from reaching your clipboard
• Visual Warnings: Clear, full-page alerts explain the threat and how to stay safe
• Detailed Context: Shows exactly what was detected and why it's dangerous

⚙️ Customizable Privacy

Choose how you want to help improve threat detection:

• 🔒 Disabled (Fully Offline): All protection works locally, zero data collection
• 📊 Anonymous Reporting: Share threat data (URL, OS, command patterns, detection context) to help improve detection
• 🌐 Full Reporting: Anonymous data + IP address for geographical threat intelligence

All telemetry is end-to-end encrypted and can be disabled anytime.

🎯 User-Friendly

• Smart Whitelisting: Built-in whitelist for 50+ trusted domains (GitHub, Google, Microsoft, Stack Overflow, etc.)
• Custom Whitelist: Add your own trusted domains with one click
• URL-Specific Trust: Trust individual URLs or local files
• Toggle Control: Enable/disable protection per domain without removing from whitelist
• Light & Dark Mode: Matches your system preference automatically
• Zero Performance Impact: Works silently in the background

🔐 Privacy & Security

Data Protection

• Encrypted Communication: All telemetry encrypted with ECDH + AES-256-GCM
• No Tracking: We never collect personal data or sell your information
• Local-First: All core protection features work entirely offline
• User Control: Three privacy levels (Disabled, Anonymous, Full)

What We Collect (Optional - When Telemetry Enabled)

Only when threats are detected:

• URL of the malicious page
• Detected malicious command pattern (sanitized, max 500 characters)
• Surrounding context (max 300 characters) for accuracy improvement
• Operating system type
• Detection reason and category

Full Mode Only (Opt-in):

• IP address for geographical threat intelligence
• User agent string

What We NEVER Collect

• ❌ Personal information (name, email, address)
• ❌ Passwords or authentication credentials
• ❌ Financial information
• ❌ General browsing history (only threat URLs)
• ❌ Health information
• ❌ Personal communications
• ❌ Keystroke logging or mouse tracking
• ❌ Safe/non-threat page content

🚀 Actively Developed

This extension is continuously improved based on real-world threats and user feedback. Recent updates include:

✅ Enhanced detection with detailed match context
✅ Improved iframe and Shadow DOM scanning
✅ Theme support (light/dark mode)
✅ Per-domain protection toggles
✅ Minimal permission footprint (v1.0.1)

Future updates may include:

• Protection against additional browser-based initial access techniques
• Enhanced obfuscation detection
• Community-driven threat intelligence
• Support for emerging attack patterns

📖 How It Works

1. Install the Extension — Protection starts immediately
2. Choose Your Privacy Level — During onboarding or in settings
3. Browse Safely — The extension works silently in the background
4. Get Alerted — If a threat is detected, you'll see a full-page warning with details
5. Take Action — Close the page, whitelist if false positive, or continue at your own risk

🆘 Need Help?

• Report Issues: Found a false positive or bug? Let us know at [email protected]
• Request Features: Your input shapes future development
• Stay Updated: New attack patterns are added regularly

⚠️ Important Note

This extension protects against ClickFix and similar social engineering attacks. It does not replace traditional antivirus software or safe browsing practices. Always:

• ✅ Keep your operating system updated
• ✅ Use strong, unique passwords
• ✅ Enable two-factor authentication
• ✅ Be skeptical of unusual "verification" requests
• ✅ Never paste commands you don't understand

🔒 Permissions Explained

To provide comprehensive protection, the extension requires minimal permissions:

✅ storage Permission

Why: To save your whitelist, trusted sites, and privacy settings locally on your device
Privacy: All settings stored only on your device, never transmitted to our servers

✅ <all_urls> Host Permissions

Why: To inject protection on all websites and detect ClickFix attacks anywhere they appear
How: Enables content scripts to scan pages and communicate with the extension
Security: ClickFix attacks can appear on any website, including compromised legitimate sites

We removed unnecessary permissions in v1.0.1:

• ❌ Removed scripting (not used)
• ❌ Removed activeTab (redundant)

We only request permissions necessary for protection. Your privacy matters.

📋 Privacy Policy

Effective Date: October 18, 2025
Last Updated: October 20, 2025

Overview

BinHex.Ninja Security ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how our browser extension collects, uses, and safeguards information when you use our extension.

Information We Collect

The information collected depends on your chosen privacy level:

🔒 Disabled Mode (Default)

• Data Collected: None
• How It Works: All threat detection occurs locally on your device. No data is transmitted to our servers.
• Your Privacy: Complete privacy. We have no way to track your browsing activity.

📊 Anonymous Reporting Mode

If you opt-in to help improve threat detection, we collect only when threats are detected:

What We Collect:

• Threat URL: The web address where a ClickFix attack was detected
• Operating System: Your OS type (Windows, macOS, Linux) to identify targeted attacks
• Detection Details:
• Malicious command pattern (max 500 characters, sanitized)
• Context around the match (max 300 characters)
• Detection category and reason
• Position and length information
• Timestamp: When the threat was detected

We DO NOT collect:

• ❌ Personal identification information
• ❌ General browsing history
• ❌ Cookies or tracking data
• ❌ Any information about safe/non-threat pages
• ❌ IP address (in anonymous mode)

🌐 Full Reporting Mode

In addition to Anonymous Reporting data, we collect:

• IP Address: To enable geographical threat intelligence
• User Agent: Browser and OS version for compatibility analysis

Why: To build threat intelligence maps showing where ClickFix campaigns are most active globally and which platforms are being targeted.

How We Use Information

Primary Purpose: Data collected (only if you opt-in) is used to:

1. Identify and fix false positives - Help us distinguish legitimate commands from malicious ones
2. Build threat intelligence - Visualize where ClickFix campaigns are active globally
3. Improve detection algorithms - Identify new attack patterns and obfuscation techniques
4. Security research - Understand attacker tactics and improve defenses

Why Anonymized Data Matters: All data is anonymized at collection. We have no way to identify individual users, link reports to specific people, or trace activity back to you.

Data Storage and Security

• Encryption: All data in transit is encrypted using ECDH + AES-256-GCM (military-grade)
• Storage: Threat data is stored on secure servers with industry-standard encryption
• Retention: Anonymous threat data is retained for security research purposes
• Anonymization: All data is anonymized; we cannot link reports back to individual users
• No Third Parties: Data is never shared with third-party services

Your Whitelist and Settings

• Local Storage Only: Your whitelist, trusted sites, and privacy settings are stored only on your device using the browser's local storage API
• Never Transmitted: We never access or transmit your whitelist or trusted site preferences
• Your Control: You can clear this data at any time by removing the extension

Third-Party Services

• No Third Parties: We do not share data with third-party analytics, advertising, or tracking services
• No Ads: The extension contains no advertisements
• No Affiliate Links: We do not earn commissions from any links or recommendations

Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or for legal/regulatory reasons. Updates will be posted on this page with a new "Last Updated" date.

Your Rights

Important Note: Since all data is fully anonymized at collection, we cannot provide access to or delete your specific data—we have no way to identify which reports came from you. This is a feature, not a limitation, as it ensures maximum privacy.

However, you can: - Opt-Out: Change your privacy level to "Disabled" at any time in extension settings to stop all data collection immediately - Local Control: Clear your local whitelist and settings by removing the extension - Transparency: Review our privacy practices and data handling procedures at any time

Data Controller

For GDPR purposes, the data controller is:

BinHex.Ninja
Email: [email protected]

Children's Privacy

The extension is not intended for users under 13 years of age. We do not knowingly collect information from children.

Contact Us

If you have questions about this Privacy Policy or data practices:

• Email: [email protected]
• Website: https://binhex.ninja/extension

📜 Terms of Service

By using BinHex.Ninja Security extension, you agree to:

• ✅ Use the extension for personal protection purposes
• ✅ Not attempt to reverse-engineer, modify, or distribute the extension
• ✅ Understand that the extension provides additional protection but does not guarantee 100% security
• ✅ Not hold us liable for damages resulting from ClickFix attacks or false negatives
• ✅ Report any bugs or false positives to help improve the extension

The extension is provided "AS IS" without warranties of any kind.

Store Declarations

Chrome Web Store - Data Collection

• ✅ Website content - Limited excerpts of detected malicious code (when telemetry enabled)
• ✅ Browsing history - URLs of pages with detected threats only (when telemetry enabled)
• ✅ Location - IP address in full telemetry mode only (opt-in)

All data collection is:

• Optional (user-controlled)
• Security-related only
• Encrypted end-to-end
• Not used for ads/tracking
• Can be fully disabled

Firefox Add-ons - Data Practices

• Data collected: Threat detection data (optional, encrypted)
• User control: Three privacy levels (Disabled, Anonymous, Full)
• No tracking: No personal information or general browsing data
• Transparency: Open about what, why, and how data is collected

Built with ❤️ by BinHex.Ninja

Stay Safe. Browse Confidently.