SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

100 Car Dealerships Hit by Supply Chain Attack

The websites of over 100 auto dealerships were found serving malicious ClickFix code in a supply chain compromise.
Car dealership supply chain attack

The websites of over 100 car dealerships were found serving malicious ClickFix code after a third-party domain was compromised in a supply chain attack.

As part of the compromise, a threat actor infected LES Automotive, a shared video service unique to dealerships, so that websites using the service would serve a ClickFix webpage to their visitors.

A ClickFix attack relies on malicious code on a webpage to display a prompt to the user, asking them to fix an error or perform a reCAPTCHA challenge, to prove they are human.

When the user clicks on the prompt, a malicious command is copied to the clipboard, and the user is also instructed to perform keyboard combinations that open the Windows Run prompt, paste the copied command into the prompt, and execute it.

The social engineering technique has been used for a couple of years, but started gaining popularity among cybercriminals and APTs last year, with a surge in adoption observed over the past several months.

In October 2024, HHS warned of Russian-speaking cybercriminals using the ClickFix technique in their attacks since at least April 2024.

ClickFix has been used to spread information stealers and other types of malware to users across various sectors. Recently, Microsoft warned of a widespread campaign targeting the hospitality industry.

As security researcher Randy McEoin warned, visitors of the websites of more than 100 auto dealerships using LES Automotive were targeted in a ClickFix campaign distributing the SectopRAT malware.

Advertisement. Scroll to continue reading.

The attack was using the fake reCAPTCHA variation of ClickFix, relying on PowerShell commands to deploy payloads on the victim’s machine, and ultimately infect them with the remote access trojan.

The JavaScript code designed to copy the malicious code to the clipboard, McEoin discovered, contained at least one comment in Russian. Users, he notes, would often be served a benign version of the script, which suggests that the injection was likely performed dynamically.

Related: Popular GitHub Action Targeted in Supply Chain Attack

Related: How Social Engineering Sparked a Billion-Dollar Supply Chain Cryptocurrency Heist

Related: Cyberhaven Chrome Extension Hack Linked to Widening Supply Chain Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.