In a troubling development for the automotive industry, over 100 car dealership websites were compromised by malicious “ClickFix” code due to a sophisticated supply chain attack. The attacker targeted a third-party domain, affecting LES Automotive, a privately held streaming service provider based in Tolland, Connecticut, that caters primarily to the automotive industry. Consequently, all websites utilizing services from LES Automotive unwittingly served a compromised ClickFix webpage to their visitors. This incident marks the second significant supply chain attack to hit car dealerships in less than a year, but with unique mechanisms that exploit web-based interaction.
Step 1: The Mechanism of Infiltration
The attackers deployed the code by infiltrating LES Automotive’s infrastructure, thus enabling the spread across all client websites. The ClickFix code was ingeniously embedded to resemble benign errors, prompting users to fix an apparent problem or to complete a reCAPTCHA challenge ostensibly to verify their humanity. Once the user complied, a malicious command was surreptitiously copied to their clipboard, fooling them into executing it via the Windows Run prompt. This action gave the attacker control over the target system, allowing them to deploy a second-stage payload known as SectopRAT malware.
This method is not entirely new. In October 2024, domain registrar GoDaddy issued warnings about a variant of malware disguised as a browser update, named ClickFix, which managed to infect more than 6,000 WordPress sites within a single day. Such malware is adept at bypassing administrative scrutiny due to its seemingly legitimate appearance and functional design, but carries hidden, embedded malicious scripts that prompt end users to install fake browser updates.
Step 2: The Broader Implications
The implications of these attacks are far-reaching, especially considering that car dealership websites are high-traffic portals critical to operations and customer interactions. Security researcher Randy McEoin pointed out that these breaches not only compromise the dealerships’ security but also significantly affect their reputation and customer trust. The true ingenuity of the attackers was in exploiting trusted third-party providers. By attacking LES Automotive, they effectively gained access to all its clients in one fell swoop.
The issue is compounded further by the attack’s seamless integration into normal user behavior. Users confronted with what appears to be standard browser prompts are unlikely to suspect malicious intent, thus following the malicious instructions. Moreover, the adaptability of ClickFix makes it a continuing threat. In March of this year, Microsoft also warned against a ClickFix campaign known as Storm-1865, which impersonated well-known entities in the hospitality sector, attempting to deliver malicious payloads under the guise of customer service communications.
Leveraging Awareness and Future Preparedness
In a concerning turn of events for the automotive sector, more than 100 car dealership websites fell victim to malicious “ClickFix” code following a sophisticated supply chain attack. The cyber attacker specifically targeted a third-party domain linked to LES Automotive, a privately held streaming service provider based in Tolland, Connecticut, which primarily serves the automotive industry. As a result, all websites utilizing LES Automotive services inadvertently delivered a compromised ClickFix webpage to their visitors. This breach represents the second major supply chain attack affecting car dealerships in under a year, employing unique mechanisms that take advantage of web-based interactions. The attack not only highlights the vulnerability of dealership websites but also underscores the broader risks inherent in relying on third-party vendors for essential online services. Moving forward, it serves as a stark reminder for the automotive industry to strengthen their cybersecurity measures and closely scrutinize the security protocols of their partners.