iClicker Fake Captcha Installs Malware

This message is intended for units using the iClicker service. Targeted communication will be sent on Monday, May 5, to instructors and students known to have logged into the affected site.

Summary

A threat actor placed a fake CAPTCHA on the iClicker landing page, iClicker.com, between April 12-16. iClicker users who logged into the website during that time may have been tricked into executing malicious code on their device by following the instructions in the CAPTCHA. This code downloads and executes malware.

Users of iClicker that logged in through the mobile app or did not encounter the CAPTCHA are not at risk.

This was not a U-M data breach. The iClicker website and service are a third-party vendor used by some U-M units.

Description

The malware is distributed through fake CAPTCHAs with extra instructions. Clicking the “I’m not a robot” button copies a PowerShell script to the clipboard and displays so-called “verification steps” that may include:

  • Press Win + R (this opens the Run dialog box);
  • Press CTRL + V (this pastes the line from the clipboard into the text field);
  • Press Enter (this executes the code).

The PowerShell script retrieves a malware executable, which gives the threat actor access to that device.
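
For IT staff triaging a device where the steps above may have been followed: the Windows Run dialog keeps a per-user history in the registry, so a command pasted into it typically leaves a trace there. The PowerShell below is an added example, not part of the original advisory; the function names are hypothetical, and the RunMRU key location and its trailing `\1` marker are standard Explorer behavior assumed here rather than stated in the advisory.

```powershell
# Added example, not from the advisory: list this user's Run-dialog (Win+R) history
# and flag entries that launch PowerShell, as the fake CAPTCHA steps would.
# Assumption: Explorer keeps that history in the RunMRU key below, one value per
# entry (named a, b, c, ...) plus an MRUList value giving most-recent-first order.
$RunMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Get-RunDialogHistory {
    param([string]$Path = $RunMruPath)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }   # Run dialog never used
    $key   = Get-ItemProperty -LiteralPath $Path
    $order = [string]$key.MRUList                             # e.g. "cab": c is newest
    $rank  = 0
    foreach ($name in $order.ToCharArray()) {
        $raw = $key."$name"
        if ($null -eq $raw) { continue }                      # stale letter in MRUList
        $rank++
        [pscustomobject]@{
            Rank    = $rank                                   # 1 = most recently run
            Name    = [string]$name
            Command = ([string]$raw) -replace '\\1$', ''      # drop Explorer's "\1" marker
        }
    }
}

function Test-PowerShellLaunch {
    param([string]$Command)
    # True when the entry names powershell / powershell.exe / pwsh (case-insensitive).
    return $Command -match '\b(powershell|pwsh)(\.exe)?\b'
}

$hits = @(Get-RunDialogHistory | Where-Object { Test-PowerShellLaunch $_.Command })
if ($hits.Count -gt 0) {
    # Keep this output with the incident report; do not re-run any listed command.
    $hits | Format-List Rank, Name, Command
} else {
    'No PowerShell launches found in Run-dialog history for this user.'
}
```

Run it in the affected user's own session, since the HKCU hive is per-user. An empty result does not clear the device, because Run history can be cleared; the reporting steps in this advisory still apply.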

Affected Instructors and Students

Users of iClicker are at risk if they logged into the iClicker site and followed the directions in the fake CAPTCHA from April 12-16.

Users who logged in with the iClicker app and those that did not encounter the CAPTCHA are not at risk.

Threats

Following the directions in the fake CAPTCHA could allow threat actors full access to the device.

Detection

Below is an example of a fake CAPTCHA. When interacting with this compromised content, users may see the following:

How We Protect U-M

ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.

Information for Users

Be cautious of suspicious CAPTCHA pages. If you encounter a CAPTCHA page that seems out of place or unusual, it is best to avoid interacting with it.

Remember:

  • Legitimate CAPTCHA pages are usually found on websites that require user verification, such as login or account creation pages.
  • Be cautious of CAPTCHA pages that appear on unexpected websites or in applications.
  • Always check the website's URL to ensure it is legitimate.
  • Keep your software and operating system up to date to patch vulnerabilities that could be exploited by malware.

If you visit a site where you are presented with the fake CAPTCHA:

  • Take a screenshot of the CAPTCHA and report the page you were visiting to [email protected].
  • If you got to the site by clicking a link in an email, also forward the email to [email protected].

If you encountered the fake CAPTCHA

Note: The following steps only need to be taken if you followed the Windows key cut/paste CAPTCHA instructions. Simply visiting a site where you saw the CAPTCHA or clicking the “Verify you're human” checkbox will not install the malware.

  • As a precaution, change any passwords you entered when you responded to the fake CAPTCHA. To do so, use a different device that did not install the malware.
  • Is it a U-M-owned device? Turn it off, report the incident, and get a loaner from your unit IT department. Devices with CrowdStrike Falcon installed should be protected, but it is still important to report the incident and take precautions if you followed the directions in the fake CAPTCHA.
  • Is it a personally-owned device? Consider the Virus Scanning & Removal service offered by ITS Tech Repair.
  • Individuals who have fallen victim to one of these scams, which resulted in loss of money, should contact the University of Michigan Police Department at 734-763-1131 or text 377911.

If you believe that your U-M computer has been infected or compromised by viruses or malware, please contact IT support: For MiWorkspace Computers, contact the ITS Service Center, and for other university-owned computers contact your unit IT department.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.

Sincerely,

ITS Information Assurance