The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices.
iClicker is a subsidiary of Macmillan and is a digital classroom tool that allows instructors to take attendance, ask live questions or surveys, and track student engagement. It is widely used by 5,000 instructors and seven million students at colleges and universities across the United States, including the University of Michigan, the University of Florida, and universities in California.
According to a security alert from the University of Michigan’s Secure Computing team, the iClicker site was hacked between April 12 and April 16, 2025, to display a fake CAPTCHA that instructed users to press “I’m not a robot” to verify themselves.
However, when visitors clicked on the verification prompt, a PowerShell script was silently copied into the Windows clipboard in what is known as a “ClickFix” social engineering attack.
The CAPTCHA would then instruct users to open the Windows Run dialog (Win + R), paste the PowerShell script (Ctrl + V) into it, and execute it by pressing Enter to verify themselves.
While the ClickFix attack is no longer running on iClicker’s site, a person on Reddit launched the command on Any.Run, revealing the PowerShell payload that gets executed.
The PowerShell command used in the iClicker attack was heavily obfuscated, but when executed, it would connect to a remote server at http://67.217.228[.]14:8080 to retrieve another PowerShell script that would be executed.
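Because the lure has the victim paste the command into the Run dialog, Windows records it in the current user's RunMRU registry key, which gives responders a quick way to check whether the command was actually executed. The following triage script is an added example, not code from the article or from iClicker; the function names and the pattern list are assumptions chosen for illustration, and the sample strings are constructed.

```powershell
# Added example: triage Run-dialog history for ClickFix-style entries.
# Run in the affected user's session (HKCU is per user).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristic indicators (assumptions for this example; tune for your environment).
$patterns = @(
    'powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c',
    '\biwr\b', '\birm\b', '\biex\b', 'Invoke-WebRequest', 'Invoke-Expression',
    'https?://', '-e(nc|ncodedcommand)?\s', '-w(indowstyle)?\s+h'
)
$regex = [regex]::new(($patterns -join '|'), 'IgnoreCase')

# Hypothetical helper: score one Run-dialog command line.
function Test-RunEntry {
    param([string]$Command)
    $hits = $regex.Matches($Command) |
        ForEach-Object { $_.Value.Trim() } | Select-Object -Unique
    [pscustomobject]@{
        Command    = $Command
        Suspicious = [bool]$hits
        Matched    = $hits -join ', '
    }
}

# Hypothetical helper: read every stored Run-dialog entry and score it.
function Get-RunMruEntry {
    if (-not (Test-Path $key)) { return }   # user never used Win + R
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the ordering value and the provider's own PS* properties.
        if ($p.Name -eq 'MRUList' -or $p.Name -like 'PS*') { continue }
        # Stored values carry a trailing "\1" marker; strip it.
        Test-RunEntry -Command ($p.Value -replace '\\1$', '')
    }
}

# Constructed samples showing what the heuristic flags and what it ignores.
Test-RunEntry 'powershell -w hidden -enc <constructed-placeholder>'
Test-RunEntry 'notepad'

# Live check on this machine: list only suspicious history entries.
Get-RunMruEntry | Where-Object Suspicious | Format-List
```

A hit means the command was run from the Run dialog under that account; an empty result does not prove the machine is clean, since the history holds a limited number of entries and can be cleared.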

Unfortunately, it is not known what malware was ultimately installed, as the retrieved PowerShell script was different depending on the type of visitor.
For targeted visitors, it would send a script that downloads malware onto the computer. The University of Michigan says that the malware allowed the threat actor to have full access to the infected machine.
For those who were not targeted, such as malware analysis sandboxes, the script would instead download and run the legitimate Microsoft Visual C++ Redistributable, as shown below.
iwr https://download.microsoft.com/download/9/3/f/93fcf1e7-e6a4-478b-96e7-d4b285925b00/vc_redist.x64.exe -out "$env:TMP/vc_redist.x64.exe"; & "$env:TMP/vc_redist.x64.exe"
ClickFix attacks have become widespread social engineering attacks that have been used in numerous malware campaigns, including those pretending to be a Cloudflare CAPTCHA, Google Meet, and web browser errors.
From past campaigns, the attack likely distributed an infostealer, which can steal cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium browsers.
This type of malware can also steal cryptocurrency wallets, private keys, and text files likely to contain sensitive information, such as those named seed.txt, go.txt, ledger.txt, trezor.txt, metamask.txt, bitcoin.txt, phrases, wallet.txt, *.txt, and *.pdf.
This data is collected into an archive and sent back to the attacker, where they can use the information in further attacks or sell it on cybercrime marketplaces.
The stolen data can also be used to conduct widescale breaches that lead to ransomware attacks. As the attack targeted college students and instructors, the goal may have been to steal credentials to conduct attacks on college networks.
BleepingComputer contacted Macmillan multiple times with questions regarding this attack this week, but the company did not reply to our questions.
However, BleepingComputer later found that iClicker published a security bulletin on its website on May 6 but included a <meta name="robots" content="noindex, nofollow" /> tag in the page’s HTML, preventing the document from being indexed by search engines and thus making it more difficult to find information on the incident.

“We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, apps, or operations were impacted and the identified vulnerability on the iClicker landing page has been resolved,” reads iClicker’s security bulletin.
“What happened: an unrelated third party placed a false Captcha on our iClicker landing page before users logged into iClicker on our website. This third party hoped to get users to click on the false captcha similar to what we unfortunately experience quite often in phishing emails these days.”
“Out of an abundance of caution, we recommend that any faculty or student who encountered and clicked on the false Captcha from April 12- April 16 on our website run security software to ensure their devices remain protected.”
Users who accessed iClicker.com while the site was hacked and followed the fake CAPTCHA instructions should immediately change their iClicker password, and if the command was executed, change all passwords stored on their computer to a unique one for every site.
To help with this, it is suggested that you use a password manager like Bitwarden or 1Password.
It is important to note that users who accessed iClicker through the mobile app or did not encounter the fake CAPTCHA are not at risk from the attack.