The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. According to a security alert from the University of Michigan's Safe Computing team, the iClicker site was hacked between April 12 and April 16, 2025, to display a fake CAPTCHA that instructed users to press "I'm not a robot" to verify themselves. Users who accessed iClicker.com while the site was hacked and followed the fake CAPTCHA instructions should immediately change their iClicker password, and if the command was executed, change all passwords stored on their computer to a unique one for every site. However, BleepingComputer later found that iClicker published a security bulletin on its website on May 6 but included a <meta name='robots' content='noindex, nofollow' /> tag in the page's HTML, preventing the document from being indexed by search engines and thus making it more difficult to find information on the incident. While the ClickFix attack is no longer running on iClicker's site, a person on Reddit launched the command on Any.Run, revealing the PowerShell payload that gets executed. The PowerShell command used in the iClicker attack was heavily obfuscated, but when executed, it would connect to a remote server at [.]14:8080 to retrieve another PowerShell script that would be executed. ClickFix attacks have become widespread social engineering attacks that have been used in numerous malware campaigns, including those pretending to be a Cloudflare CAPTCHA, Google Meet, and web browser errors. "We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, apps, or operations were impacted and the identified vulnerability on the iClicker landing page has been resolved," reads iClicker's security bulletin. It's important to note that users who accessed iClicker through the mobile app or did not encounter the fake CAPTCHA are not at risk from the attack. "What happened: an unrelated third party placed a false Captcha on our iClicker landing page before users logged into iClicker on our website. However, when visitors clicked on the verification prompt, a PowerShell script was silently copied into the Windows clipboard in what is known as a "ClickFix" social engineering attack. The CAPTCHA would then instruct users to open the Windows Run dialog (Win + R), paste the PowerShell script (Ctrl + V) into it, and execute it by pressing Enter to verify themselves. iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. As the attack targeted college students and instructors, the goal could have been to steal credentials to conduct attacks on college networks. From past campaigns, the attack likely distributed an infostealer, which can steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 11 May 2025 15:20:02 +0000