Gizmodo Readers Hit with ClickFix Malware Prompts After Account Compromise

Veteran tech website Gizmodo confirmed a compromise on Saturday after readers reported ClickFix malware prompts appearing on article pages. Users posted screenshots of fake CAPTCHA windows appearing on Gizmodo's site. The attack aims to fool users into running malicious code via their terminals.

According to Proofpoint threat researcher Tommy M, the attack was seemingly launched by an affiliate of ErrTraffic, a ClickFix-as-a-service program that allows attackers to deliver whichever malware they choose. He said the ClickFix prompt was tailored to each user's OS. The Windows version attempted to install the NetSupport RAT malware, which abuses the legitimate NetSupport Manager tool to gain access to affected systems.

Darktrace says NetSupport RAT can also be used to exfiltrate files from affected systems and to load additional payloads, such as other malware strains and ransomware. The macOS version had a payload configured but appeared to be broken, requiring a password to open a ZIP archive.

Gizmodo said the attacks were being displayed only "briefly," and the timeline of user reports, which span just a few hours, suggests that was indeed the case. "We identified and resolved a security incident on our site earlier today," the outlet said. "A compromised account was exploited to inject a malicious script, briefly exposing users to scam content. The site was taken offline immediately, the script removed, and the account secured. We're back up. If you notice anything unusual, reach out."

The Register confirmed that the website is no longer serving ClickFix prompts as of Monday. This incident highlights the growing trend of ClickFix attacks, where compromised websites serve fake CAPTCHAs to trick users into installing remote access trojans. The use of a legitimate tool like NetSupport Manager for malicious purposes makes detection challenging for security software.