The websites of over 100 car dealerships were found serving malicious ClickFix code after a third-party domain was compromised in a supply chain attack.
As part of the compromise, a threat actor infected LES Automotive, a shared video service unique to dealerships, so that websites using the service would serve a ClickFix webpage to their visitors.
A ClickFix attack relies on malicious code on a webpage to display a prompt to the user, asking them to fix an error or perform a reCAPTCHA challenge, to prove they are human.
When the user clicks on the prompt, a malicious command is copied to the clipboard, and the user is also instructed to perform keyboard combinations that open the Windows Run prompt, paste the copied command into the prompt, and execute it.
The social engineering technique has been used for a couple of years, but started gaining popularity among cybercriminals and APTs last year, with a surge in adoption observed over the past several months.
In October 2024, HHS warned of Russian-speaking cybercriminals using the ClickFix technique in their attacks since at least April 2024.
ClickFix has been used to spread information stealers and other types of malware to users across various sectors. Recently, Microsoft warned of a widespread campaign targeting the hospitality industry.
As security researcher Randy McEoin warned, visitors of the websites of more than 100 auto dealerships using LES Automotive were targeted in a ClickFix campaign distributing the SectopRAT malware.
The attack was using the fake reCAPTCHA variation of ClickFix, relying on PowerShell commands to deploy payloads on the victim’s machine, and ultimately infect them with the remote access trojan.
The JavaScript code designed to copy the malicious code to the clipboard, McEoin discovered, contained at least one comment in Russian. Users, he notes, would often be served a benign version of the script, which suggests that the injection was likely performed dynamically.
Related: Popular GitHub Action Targeted in Supply Chain Attack
Related: How Social Engineering Sparked a Billion-Dollar Supply Chain Cryptocurrency Heist
Related: Cyberhaven Chrome Extension Hack Linked to Widening Supply Chain Campaign