Digital classroom tool iClicker was compromised between April 12 and April 16th by a ClickFix attack, which uses a fake CAPTCHA to trick victims into installing malware. This particular hack attempted to fool students and instructors into pressing “I’m not a robot” in order to verify themselves. However, instead of proving they were human, they actually copied a PowerShell script onto their Windows clipboard.
The convincing-looking CAPTCHA requests victims to open a Windows Run dialog (Win + R) and then use Ctrl + V to unknowingly paste the PowerShell script into it. The user then executes the malware by pressing Enter to “verify” themselves. The PowerShell script varied depending on the type of visitor, so it was difficult to determine what type of malware was installed, though ClickFix attacks often install infostealers.
ClickFix attacks have recently become more common, and are social engineering attacks used in malware campaigns like the Cloudflare CAPTCHA attacks. They often spread infostealers onto victims' devices, which are designed to steal data like cookies, credentials, passwords, credit cards, and browsing history. An infosealer may also steal cryptocurrency wallets, private keys and text files that contain sensitive information. This data is returned to the attacker who either sells it on the dark web or uses this stolen info in future attacks.
The ClickFix attack is no longer running on iClicker's website, though the PowerShell payload can still be launched by running a command using Any.Run. iClicker is owned by Macmillan, who has yet to comment on the breach. It is used by instructors to take attendance and track student engagement, and used by students to ask live questions or to take surveys.
Colleges and universities across the United States use the software including the University of Michigan and the University of Florida; over 5,000 instructors and 7 million students are currently using this tool.
How to stay safe from malware
According to the iClicker security bulletin, the company recommends that any faculty member or student who may have clicked on a false CAPTCHA during the April 12-16th time period, should run a full scan using the best antivirus security software to make sure their devices remain protected.
Users who accessed iClicker while the site was compromised and followed the fraudulent CAPTCHA instructions should also change their iClicker password, and especially if the command was executed, change all the other passwords stored on their computer to unique and strong ones. You can always use one of the best password managers to help with this.
It's worth keeping in mind that anyone who accessed iClicker using the mobile app or who did not encounter the fake CAPTCHA is not at risk. However, it's certainly still worth being aware of this scam and others like along with how to schedule scans with your antivirus software which should absolutely be kept up to date too.
More from Tom's Guide
- Mac users once skipped antivirus software — here’s why that’s no longer a good idea
- FBI issues warning over routers — stop using these now
- Macs under threat from thousands of hacked sites spreading malware — how to stay safe
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
