Over 100 Car Dealership Websites Compromised in Supply Chain Attack Spreading ClickFix Malware
A supply chain attack has compromised the websites of more than 100 car dealerships, injecting malicious ClickFix code through a third-party service. The breach targeted LES Automotive, a shared video platform used by dealerships, allowing the attacker to serve harmful ClickFix webpages to visitors.
ClickFix is a deceptive social engineering technique that presents users with fake prompts—such as error fixes or reCAPTCHA challenges—tricking them into copying and executing malicious commands via the Windows Run prompt. Though this method has existed for years, its use by cybercriminals and advanced persistent threats (APTs) has surged recently.
In October 2024, the U.S. Department of Health and Human Services (HHS) warned of Russian-speaking cybercriminals leveraging ClickFix since at least April 2024. The technique has been widely used to distribute malware, including information stealers, across various industries.
Security researcher Randy McEoin uncovered that visitors of affected dealership websites were being targeted with a ClickFix campaign delivering SectopRAT malware. This specific attack disguised itself as a fake reCAPTCHA, using PowerShell commands to install a remote access trojan (RAT) on victims' machines. Additionally, McEoin noted that the malicious JavaScript code contained at least one comment written in Russian.
To evade detection, users were often served a benign version of the script, suggesting the malware injection was likely dynamic. The widespread impact of this attack underscores the growing risks posed by supply chain compromises and the evolving tactics of cybercriminals.
