ClickFix Scam Tricks Millions of iClicker Users

A fake CAPTCHA prompt has reportedly tricked millions of college students and instructors into installing malware on their devices. The scam, known as ClickFix, targeted the popular student engagement platform iClicker, which is used by instructors to take attendance, ask live questions or surveys, and track student engagement.

The ClickFix scam is a social engineering tactic that appears as an authentic message to manipulate users into executing malicious scripts. The platform iClicker is utilized by 5,000 instructors and 7 million students across multiple colleges, including the University of Michigan, the University of Florida, and several universities in California.

According to the University of Michigan’s Safe Computing team, the iClicker scam displayed a fake CAPTCHA that instructed users to press “I’m not a robot” to verify themselves. If the fake CAPTCHA was pressed and the subsequent instructions were followed, the device became infected with the malware.

In response to the incident, iClicker stated, “We recently resolved an incident affecting the iClicker landing page (iClicker.com). Importantly, no iClicker data, appsAPPS--, or operations were impacted and the identified vulnerability on the iClicker landing page has been resolved.”

iClicker further explained, “What happened: an unrelated third party placed a false CAPTCHA on our iClicker landing page before users logged into iClicker on our website. This third party was hoping to get users to click on the false CAPTCHA similar to what we unfortunately experience quite often in phishing emails these days.”

Out of an abundance of caution, iClicker recommends that any faculty or student who encountered and clicked on the false CAPTCHA from April 12th to April 16th on their website run security software to ensure their devices remain protected.

This incident highlights the growing sophistication of cyber threats targeting educational institutionsEDUC--. The use of fake CAPTCHAs to distribute malware is a concerning trend, as it exploits the trust users place in verification processes. The impact of such scams can be severe, potentially compromising personal information and institutional data.

Educational institutions must remain vigilant and implement robust cybersecurity measures to protect their students and staff from such threats. Regular training on recognizing and avoiding phishing attempts, along with the use of advanced security software, can help mitigate the risks associated with these scams.