Dark Web Informer - Cyber Threat Intelligence
IOC

IOC Alert: ClickFix Payload Delivery via Compromised Shopify Template Domain

📖 Overview

A domain impersonating Shopify’s verification portal, thesmartboater[.]com, has been identified as part of a ClickFix payload delivery campaign. The site mimics a standard “security verification” page while hosting injected scripts that redirect users or deploy secondary payloads. This infrastructure is typical of ClickFix campaigns, which exploit compromised or expired WordPress and Shopify-themed domains for malware delivery and phishing redirections. Confidence is assessed at 100%.


📌 Key Details

  • Type: Domain
  • Indicator: thesmartboater[.]com
  • Threat Type: Payload Delivery
  • Malware: Unknown
  • Confidence: 100%
  • Date: 03 Nov 2025 – 18:16:11 UTC
  • Tags: ClickFix
  • Reporter: HuntYethHounds
  • Reference: None

🔎 URLScan Result

(URLScan screenshot not included in this text version.)

🌐 Domain & Certificate Info

  • DNS A Record: 94[.]156[.]232[.]243
  • MX Record: 0 thesmartboater[.]com
  • Recent Certificates:
    • C=US, O=Let's Encrypt, CN=R12 (valid: 2025-09-15 → 2025-12-14)
    • C=US, O=Let's Encrypt, CN=E7 (valid: 2025-08-27 → 2025-11-25)


🛡️ Defensive Guidance

  • Block all access to thesmartboater[.]com at perimeter and endpoint levels.
  • Inspect web proxy and DNS logs for prior user activity related to this domain.
  • Monitor for redirects or network beacons tied to the ClickFix campaign family, often using .php or .js payload stagers hosted under e-commerce lookalike sites.
  • Employ heuristic browser-based protection to detect spoofed CAPTCHA or verification overlays impersonating Cloudflare or Shopify.
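To put the log-inspection step into practice, here is an added example (not code from the original alert) that scans DNS-resolver and web-proxy log lines for the domain and A-record IP listed above, refanging the indicators first and matching subdomains of the domain but not lookalike names. The log line format and the sample entries are constructed assumptions.

```python
import re
from ipaddress import ip_address

# Indicators from this alert, refanged from their defanged form.
IOC_DOMAIN = "thesmartboater[.]com".replace("[.]", ".")
IOC_IP = "94[.]156[.]232[.]243".replace("[.]", ".")

# Constructed sample log lines (assumed format): DNS queries and proxy requests.
SAMPLE_LOGS = [
    "2025-11-03T18:20:01Z dns client=10.0.0.15 query=verify.thesmartboater.com. type=A",
    "2025-11-03T18:20:02Z dns client=10.0.0.15 query=cdn.shopify.com type=A",
    "2025-11-03T18:20:03Z proxy client=10.0.0.15 method=GET url=https://thesmartboater.com/verify.js status=200",
    "2025-11-03T18:21:10Z proxy client=10.0.0.22 method=GET url=https://94.156.232.243/stage.php status=200",
    "2025-11-03T18:21:11Z proxy client=10.0.0.22 method=GET url=https://example.com/ status=200",
]

# Pull the queried name or the URL host out of a line.
HOST_RE = re.compile(r"(?:query=|url=https?://)([^\s/:]+)")
CLIENT_RE = re.compile(r"client=(\S+)")

def matches_domain(host, domain=IOC_DOMAIN):
    """True for the domain itself or any subdomain; 'evil-thesmartboater.com' does not match."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def matches_ip(host, ip=IOC_IP):
    """True when the host is literally the A-record IP (direct-to-IP fetches)."""
    try:
        return ip_address(host) == ip_address(ip)
    except ValueError:
        return False

def find_ioc_hits(lines):
    """Return (host, indicator_kind, line) for every line touching the IOC."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        if matches_domain(host):
            hits.append((host, "domain", line))
        elif matches_ip(host):
            hits.append((host, "ip", line))
    return hits

def affected_clients(lines):
    """Distinct client addresses that contacted the domain or IP, for follow-up triage."""
    return sorted({CLIENT_RE.search(line).group(1) for _, _, line in find_ioc_hits(lines)})

if __name__ == "__main__":
    for host, kind, line in find_ioc_hits(SAMPLE_LOGS):
        print(f"[{kind}] {host}: {line}")
    print("clients to triage:", affected_clients(SAMPLE_LOGS))
```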

⚠️ This IOC demonstrates ongoing ClickFix payload distribution tactics, leveraging expired Shopify domains and deceptive human verification screens to compromise unsuspecting users through malicious script injection and redirect-based infection chains.
