Full Report
The website of iClicker, a popular student engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA prompt to trick students and instructors into installing malware on their devices. [...]
Analysis Summary
# Incident Report: iClicker Landing Page Compromise via Malicious CAPTCHA
## Executive Summary
The iClicker landing page (`iClicker.com`) was compromised by an unknown third party who injected a fake CAPTCHA prompt between April 12th and April 16th. The prompt redirected users to download malware, and the likely targets were college students and instructors, whose devices and credentials could in turn be used against institutional networks. iClicker subsequently resolved the vulnerability, stated that its core services were unaffected, and advised users who interacted with the fake CAPTCHA to change their passwords.
## Incident Details
- **Discovery Date:** After April 16th (implied by the bulletin's date range)
- **Incident Date:** April 12 - April 16
- **Affected Organization:** iClicker (MacMillan)
- **Sector:** Education Technology
- **Geography:** Not specified (Website based, likely global reach to users)
## Timeline of Events
### Initial Access
- **Date/Time:** April 12 - April 16
- **Vector:** Website Defacement/Content Injection on the public landing page.
- **Details:** An unaffiliated third party placed a fake CAPTCHA on the iClicker landing page, shown before users logged in. Users who clicked this CAPTCHA were led to execute malicious code, likely resulting in malware installation.
### Lateral Movement
- Not explicitly detailed, but the potential goal was credential theft targeting college networks.
### Data Exfiltration/Impact
- **Impact:** Encouraging users to install malware. Potential risk of credential theft, leading to subsequent attacks on connected university systems. iClicker confirmed **no** iClicker data, apps, or core operations were impacted.
### Detection & Response
- **Detection:** Unknown, but the issue was publicly acknowledged by iClicker on May 6th in a security bulletin (though initially hidden by a `noindex` tag).
- **Response actions taken:** The vulnerability on the landing page was resolved. iClicker advised affected users (those who clicked the fake CAPTCHA) to run security software, immediately change their iClicker passwords, and change all stored passwords on their devices.
## Attack Methodology
- **Initial Access:** Website Content Injection/Defacement (planting the fake CAPTCHA).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Utilizing a common phishing/social engineering lure (CAPTCHA verification).
- **Credential Access:** Likely achieved through subsequent malware execution post-CAPTCHA click, or by direct credential harvesting if the fake CAPTCHA led to a credential prompt.
- **Discovery:** Not applicable (Attack was active exploitation).
- **Lateral Movement:** Potential goal was to use stolen credentials to move to connected college networks.
- **Collection:** Goal was assumed to be gathering user credentials given the target audience (students/faculty).
- **Exfiltration:** Not specified.
- **Impact:** Installation of malware or theft of user login credentials.
## Impact Assessment
- **Financial:** Not specified.
- **Data Breach:** Credentials of faculty/students interacting with the link were potentially exposed or compromised via malware. No direct iClicker organizational data was breached.
- **Operational:** No impact on iClicker apps or operations confirmed.
- **Reputational:** Negative impact due to the incident and slow/hidden disclosure (use of `noindex` tag).
## Indicators of Compromise
- **Network indicators:** Unknown/Not provided.
- **File indicators:** None provided. Malware execution on victim devices is implied, since affected users were advised to run security software.
- **Behavioral indicators:** Interacting with and clicking a fake CAPTCHA prompt on the iClicker landing page between April 12 and April 16.
## Response Actions
- **Containment measures:** The malicious third-party content (the false CAPTCHA) was removed from the landing page.
- **Eradication steps:** The underlying vulnerability allowing the injection was resolved.
- **Recovery actions:** Advised users to run security scans and reset passwords for iClicker and all other services accessing credentials stored on their devices.
## Lessons Learned
- The attack leveraged social engineering combined with a third-party injection on the public website, mimicking common phishing techniques.
- The organization published a security bulletin but obscured it using a `noindex` tag, severely limiting immediate public awareness and response from users.
## Recommendations
- Ensure robust web application firewalls and content security policies are in place to prevent unauthorized code injection on public-facing web assets.
- Immediately review and remove any `noindex` tags from critical security communications to ensure rapid dissemination of incident information.
- Enhance user education regarding login procedures, warning specifically against unrecognized prompts like fake CAPTCHAs appearing before the actual login interface.
- Implement comprehensive password management tools (e.g., Bitwarden, 1Password) for users to minimize cross-site credential reuse risks.
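The content security policy recommendation above is only effective if the policy actually forbids the kind of injected script a planted CAPTCHA overlay relies on. The following added example (not code from the report or from iClicker) audits a `Content-Security-Policy` header for script sources that would let injected or attacker-hosted script run; the header strings in the comments are constructed for illustration.

```python
# Script sources that let an injected inline script, or a script fetched
# from an arbitrary host, execute. A policy containing these would not have
# stopped a fake-CAPTCHA overlay from running its loader.
RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_script_policy(header: str) -> list:
    """Return findings describing why the policy would not block injected
    script. An empty list means no weakness was found in the script policy."""
    findings = []
    policy = parse_csp(header)
    # Per the CSP spec, script-src falls back to default-src when absent.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: any injected script runs"]
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    for src in sources:
        if src in RISKY_SOURCES:
            # Browsers ignore 'unsafe-inline' once a nonce or hash is listed,
            # so that combination is a backwards-compat idiom, not a weakness.
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            findings.append(f"effective script-src allows {src}")
        elif src.startswith("*."):
            findings.append(f"effective script-src allows wildcard host {src}")
    return findings


if __name__ == "__main__":
    # Constructed policies: a weak one and a hardened one.
    weak = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
    hardened = "default-src 'self'; script-src 'self' 'nonce-r4nd0mValue'"
    print("weak:", audit_script_policy(weak))
    print("hardened:", audit_script_policy(hardened))
```

Run the audit against the header your site actually serves (for example with the response headers from `curl -I`); a policy that needs `'unsafe-inline'` should be migrated to nonces or hashes for its legitimate inline scripts.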