Infosec buffs say Windows users could have been infected with a nasty trojan, while Mac users got off lightly
# Incident Report: Gizmodo Website Compromise and ClickFix Malware Distribution
## Executive Summary
The tech news outlet Gizmodo experienced a security breach where a compromised administrative account was used to inject malicious scripts into the website. These scripts delivered "ClickFix" social engineering prompts to visitors, attempting to trick them into executing PowerShell commands to install the NetSupport RAT (Remote Access Trojan). While Windows users were the primary targets for infection, the payload for macOS users was reportedly non-functional due to an archive password requirement.
## Incident Details
- **Discovery Date:** Monday, June 22, 2026 (Publicly acknowledged)
- **Incident Date:** Saturday, June 20, 2026
- **Affected Organization:** Gizmodo
- **Sector:** Media / Technology News
- **Geography:** International (Web-based)
## Timeline of Events
### Initial Access
- **Date/Time:** Saturday, June 20, 2026
- **Vector:** Account Takeover (ATO)
- **Details:** Attackers gained unauthorized access to a privileged internal account belonging to a Gizmodo staff member/system.
### Lateral Movement
- **Details:** Using the compromised account, the attackers accessed the site's Content Management System (CMS) or backend infrastructure to inject malicious JavaScript.
### Data Exfiltration/Impact
- **Details:** No internal data exfiltration from Gizmodo was reported; the primary impact was the conversion of the website into a distribution vector for the NetSupport RAT targeting site visitors.
### Detection & Response
- **Detection:** Readers identified fake CAPTCHA prompts and shared screenshots on social media (e.g., Bluesky).
- **Response:** Gizmodo took the site offline, identified the malicious script, removed it, and secured the compromised account.
## Attack Methodology
- **Initial Access:** Compromised account (likely obtained via credential stuffing or phishing).
- **Persistence:** Not applicable to the website (removed quickly), but on victim machines, NetSupport RAT provides persistent remote access.
- **Privilege Escalation:** Not applicable on the site itself; on victim machines, the Windows payload relies on social engineering to get the user to run elevated PowerShell commands.
- **Defense Evasion:** Use of "ClickFix" (social engineering) to bypass browser security by tricking the user into manually executing code. OS-tailored prompts to increase legitimacy.
- **Credential Access:** Not reported for the initial Gizmodo breach.
- **Discovery:** NetSupport RAT allows attackers to perform system reconnaissance on infected machines.
- **Lateral Movement:** NetSupport RAT can be used to move laterally within a victim's network.
- **Collection:** NetSupport RAT includes file exfiltration capabilities.
- **Exfiltration:** Standard C2 channels for the RAT.
- **Impact:** Potential for ransomware delivery or full system takeover of site visitors.
## Impact Assessment
- **Financial:** Potential financial loss for individual readers infected with the RAT; loss of ad revenue for Gizmodo during downtime.
- **Data Breach:** Risk of data theft from the machines of users who executed the malicious script.
- **Operational:** Temporary shutdown of Gizmodo’s web services.
- **Reputational:** High; a tech-focused publication unwittingly distributed malware to its security-conscious audience.
## Indicators of Compromise
- **Network indicators:**
  - Traffic to ErrTraffic infrastructure (affiliate-run).
  - Unexplained connections to known NetSupport Manager C2 IP addresses.
- **File indicators:**
  - Fake CAPTCHA pop-up overlays.
  - Malicious ZIP archives (macOS variant).
- **Behavioral indicators:**
  - Prompts asking users to "Press Windows Key + R, Ctrl + V, and Enter" (standard ClickFix behavior).
## Response Actions
- **Containment:** Website taken offline immediately upon discovery.
- **Eradication:** Removal of the malicious JavaScript injection from the site’s source code.
- **Recovery:** Account credentials for the compromised user were reset and secured; site brought back online.
## Lessons Learned
- **Account Security:** The reliance on a single compromised account to inject site-wide scripts highlights the need for Multi-Factor Authentication (MFA) on all administrative access.
- **Script Monitoring:** Automated integrity monitoring could have detected the unauthorized code injection faster than user reports.
- **Third-Party Risk:** The use of "ClickFix-as-a-Service" (ErrTraffic) demonstrates how low-skill attackers can leverage sophisticated delivery mechanisms.
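The script-monitoring point above can be made concrete with a small integrity check: hash every `<script>` on a served page, compare against an approved baseline, and separately flag inline script bodies that carry ClickFix-style "Win+R / Ctrl+V / Enter" instructions. This is an added illustration, not Gizmodo's tooling; the HTML, domains and baseline below are constructed for the example.

```python
import hashlib
import re

# Constructed known-good page: one approved external script and one approved inline script.
KNOWN_GOOD_HTML = """<html><head>
<script src="https://cdn.example-news.test/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body><p>article body</p></body></html>"""

# Constructed injection: an unknown loader plus an inline fake-CAPTCHA overlay (hypothetical markup).
INJECTED = """<script src="https://unknown-cdn.test/loader.js"></script>
<script>document.body.insertAdjacentHTML('beforeend',
 '<div class="captcha">Press Windows Key + R, then Ctrl + V and Enter</div>');</script>"""
COMPROMISED_HTML = KNOWN_GOOD_HTML.replace("</body>", INJECTED + "</body>")

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)
# ClickFix prompts tell the user to open Run (Win+R), paste (Ctrl+V) and press Enter.
CLICKFIX_RE = re.compile(r"(windows\s*key\s*\+\s*r|win\s*\+\s*r).*?(ctrl\s*\+\s*v|enter)", re.I | re.S)


def extract_scripts(html):
    """Return a list of ('src', url) for external scripts and ('inline', sha256) for inline ones."""
    found = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        if m:
            found.append(("src", m.group(1)))
        else:
            found.append(("inline", hashlib.sha256(body.strip().encode()).hexdigest()))
    return found


def audit(html, baseline):
    """Report scripts absent from the approved baseline and inline bodies containing ClickFix wording."""
    unexpected = [s for s in extract_scripts(html) if s not in baseline]
    clickfix = [body.strip()[:80] for _, body in SCRIPT_RE.findall(html) if CLICKFIX_RE.search(body)]
    return {"unexpected": unexpected, "clickfix": clickfix}


# Baseline is taken from a trusted copy of the page (e.g. the CMS build artifact, not the live site).
BASELINE = set(extract_scripts(KNOWN_GOOD_HTML))

if __name__ == "__main__":
    print(audit(COMPROMISED_HTML, BASELINE))
```

In practice the baseline would be regenerated on every legitimate deploy and the audit run against the live, cached page so that a CMS-side injection shows up as a diff rather than waiting for reader screenshots.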
## Recommendations
- **Enforce MFA:** Mandatory hardware-based or application-based MFA for all CMS and backend administrative accounts.
- **Content Security Policy (CSP):** Implement strict CSPs to prevent unauthorized scripts from executing or communicating with unknown domains.
- **Endpoint Protection:** Users should be educated never to paste and execute terminal commands provided by browser pop-ups.
- **Audit Logs:** Regularly review administrative access logs for anomalous login locations or behaviors.