
Cybersecurity Threat Advisory

The official website of iClicker, a platform used for student engagement and classroom polling, was recently compromised in a ClickFix-style social engineering attack. Continue reading this Cybersecurity Threat Advisory to learn how to keep your systems safe.

What is the threat?

Attackers launched a ClickFix-style social engineering campaign by compromising the official iClicker website—a trusted classroom engagement platform. They injected malicious JavaScript that redirected visitors to a fake CAPTCHA page resembling services like Cloudflare. The site prompted users to download a “verification” file containing malware.

Once downloaded, the file typically deploys stealer malware such as Lumma or RedLine or a remote access trojan (RAT), allowing attackers to steal credentials, session cookies, and system data or even gain persistent device access. Since the attack was delivered through a legitimate domain and mimics familiar browser behavior, it bypasses traditional security measures and fools users into compliance.

This technique is especially concerning because it evades email filters and antivirus software by initiating attacks within the browser on a trusted site. Targeting iClicker allowed threat actors to reach a broad, often less secure user base, mainly students on personal or shared devices.

Why is it noteworthy?

This incident is noteworthy because it highlights a dangerous evolution in social engineering techniques. Rather than relying on phishing emails or malicious downloads alone, ClickFix leverages compromised legitimate websites to deliver malware posing as routine web interactions. Hundreds of educational institutions use iClicker, so this compromise could affect thousands of users, including students logging in from personal devices with limited security controls. The attack demonstrates how threat actors target high-trust platforms with broad user bases to maximize reach and evade traditional detection.

What is the exposure or risk?

This ClickFix attack poses a significant risk to students, educators, and academic institutions relying on iClicker. Individuals who visited the compromised website and interacted with the fake CAPTCHA prompt are at high risk of device-level malware infection. However, the risk extends beyond iClicker users. Threat actors can adapt the ClickFix technique to compromise any high-traffic, trusted website. Organizations must remain vigilant, as attackers can exploit any familiar or seemingly routine user interaction, like CAPTCHA challenges or browser updates, to deliver malicious payloads under the guise of legitimacy.

What are the recommendations?

Barracuda strongly recommends that organizations, especially educational institutions, take these additional steps to defend their machines:

  • Inform students and faculty members about the iClicker compromise, and advise them not to download files prompted by CAPTCHA or browser alerts.
  • Encourage all users who visited the iClicker website recently to run a full malware scan and review system behavior for signs of compromise.
  • Educate users about verifying browser updates and CAPTCHAs only from trusted sources, not through unexpected downloads.
  • Organizations hosting web platforms should ensure CMS software, plugins, and libraries are up to date to prevent similar compromises.
  • Enable alerts for unusual logins, especially from users who may have interacted with the fake CAPTCHA, and force password resets if needed.
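
For site operators, the injected JavaScript described under "What is the threat?" can be caught by comparing the scripts on a live page against an approved baseline copy. The following is an added example, not code from this advisory or from Barracuda; the host names and page content are constructed, and the check applies to any hosted page, not only iClicker.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect (kind, value) for every <script>: a src host or an inline-body hash."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.items, self._buf = page_host, set(), None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:  # a relative src resolves to the page's own host
            self.items.add(("host", urlparse(src).netloc.lower() or self.page_host))
        else:
            self._buf = []  # start buffering an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.items.add(("inline-sha256", hashlib.sha256(body).hexdigest()))
            self._buf = None

def script_inventory(html, page_host):
    parser = ScriptCollector(page_host)
    parser.feed(html)
    parser.close()
    return parser.items

def unexpected_scripts(baseline_html, live_html, page_host):
    """Return scripts present in the live page but absent from the approved baseline."""
    return sorted(script_inventory(live_html, page_host) - script_inventory(baseline_html, page_host))

# Constructed sample pages (hypothetical hosts under the reserved .example TLD).
BASELINE = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.classroom.example/poll.js"></script>
<script>window.appConfig = {"locale": "en"};</script></head></html>"""
TAMPERED = BASELINE.replace("</head>",
    '<script src="//widgets.injected.example/check.js"></script>'
    '<script>console.log("constructed injected snippet");</script></head>')

if __name__ == "__main__":
    for kind, value in unexpected_scripts(BASELINE, TAMPERED, "www.classroom.example"):
        print(kind, value)
```

Run on a schedule against the rendered page, any non-empty result is a change to review: either an approved release that needs a new baseline or a script nobody deployed.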

Reference

For more in-depth information about the threat, please visit the following link:

https://www.bleepingcomputer.com/news/security/iclicker-hack-targeted-students-with-malware-via-fake-captcha/

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Vincent Yu

Vincent is a Cybersecurity Analyst at Barracuda. He's a security expert, working on our Blue Team within our Security Operations Center. Vincent supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
