Club Benefits
Instead of waiting for you to download a bad app or a malicious file, hackers have spent the last two years tricking unsuspecting users into infecting their own computers with malware. Known as ClickFix, this tactic is now widely used by both hackers and scammers but with its new macOS Tahoe 26.4 update, Apple has implemented a way to warn potential victims before it’s too late.
Although it was first used to target Windows devices, this social engineering technique was later tweaked to go after Macs too. Just like with other attacks, it starts with lure and in this case, that’s a fix to a common computer problem. Whether it be a microphone that isn’t working before a video call or a connection error that’s slowing down your internet, everyone wants a quick fix to their problems and that’s exactly what the hackers leveraging this technique gave them, albeit with a twist.
On the fake websites used in ClickFix attacks, a pop-up tells you there is a problem with your computer. A 'Fix It' button magically appears, promising an instant solution. Clicking on it copies a command to your clipboard and from there, you just have to paste it into Terminal (or a Command Prompt on Windows), hit Enter and then everything should be fixed. Right? Well that couldn’t be further from the truth.
Article continues belowFortunately though, Apple has added a new warning to macOS which appears when you try to paste potentially harmful commands in Terminal. To see if this really works, I decided to give it a try on one of the best MacBooks. Here’s what happened.
Putting Apple’s new warning to the test
Since I’m currently testing out the MacBook Pro 16-inch M5 Pro we recently reviewed, I wanted to see if I could get one of Apple’s new warning messages to appear for myself. It took a bit of extra work but I finally managed to see one for myself.
To do so, I first took a look at a blog post from Sophos on how ClickFix attacks have evolved over the past year. From fake sites using OpenAI’s ChatGPT Atlas browser as a lure to a malvertising campaign that leveraged sponsored links tied to ChatGPT searches to impersonating legitimate Apple sites, hackers continue to come up with new ways to trick Mac users into infecting their own computers with malware.
Since I wanted to try out Apple’s new ClickFix warning for myself, I went to the middle of that blog post where Sophos has a table with all of the malicious domains used in one of these campaigns. I tried putting a few of them into my browser’s address bar but fortunately, they have all since been taken down. What was good news for potential victims was bad news for me since I wanted to find a malicious command to copy and try to paste into Terminal.
From there, I had to get a bit creative and employed the help of Google Gemini. I asked the search giant’s chatbot about whether or not it could come up with a command I could use to trick macOS Tahoe into showing its new warning. It came up with this suspicious looking but harmless string: echo "SGVsbG8gV29ybGQ=" | base64 --decode.
Much to my surprise, when I copied that string and tried to paste it into Terminal on my Mac, the warning message instantly appeared, saying:“Possible malware, Paste blocked. Your Mac has not been harmed. Scammers often encourage pasting text into Terminal to try and harm your Mac or compromise your privacy. These instructions are commonly offered via websites, chat agents, apps, files, or a phone call.”
Even though the string Gemini came up with was harmless, I still clicked “Don’t Paste” anyway out of an abundance of caution. And with that, my little test was complete.
While this new warning message will likely keep Mac users safe from falling for ClickFix attacks, oddly enough, Apple doesn’t even mention it in its own macOS Tahoe 26.4 release notes. Still, it’s good to know it’s there keeping you safe from infecting your own computer with Mac malware in the background.
How to stay safe from ClickFix attacks
Although Apple will now warn you when you try to copy something from your browser and paste it into Terminal, you won’t see this new warning message unless you’re running the latest version of macOS. As such, just like with phishing attacks, you still want to know how to spot a ClickFix attack so that you can avoid them entirely.
Since hackers often try to instill a sense of urgency to get potential victims to do things they ordinarily wouldn’t like copying something and pasting it into a Terminal window or a Command Prompt, you want to slow down and think things over first. You want to be extra cautious whenever a website or app asks you to do something you normally wouldn’t.
At the same time, you should also avoid running code or commands that you’ve copied from a website, email or a message. Since most people won’t be able to make heads or tails of what that line of code or command actually does, it’s best to just avoid copying and pasting anything that doesn’t come from a trusted source. If you do have to enter commands, it’s always better to write them out yourself than to just copy and paste them.
While your Mac comes with built-in security protections in the form of Gatekeeper and XProtect, you can never be too careful. That’s why I recommend running the best Mac antivirus software alongside Apple’s own security software. That way, you’re protected with an extra layer of security.
Likewise, you also want to take some extra time and make sure you’re acquainted with all of the latest malware campaigns and tactics currently being used by hackers and other cybercriminals. Given how rapidly ClickFix attacks have evolved and how successful they’ve been in just two short years, I don’t see them going away anytime soon. That’s why it’s up to you to practice good cyber hygiene and to always be careful where you click or in this case, what you copy and paste.
At least for those running macOS 26.4, Apple has finally provided a 'stop-and-think' moment. It’s a silent guardian that acts as a final safety net if you slip up and try to paste a command that isn’t what it seems."
Follow Tom's Guide on Google News and add us as a preferred source to get our up-to-date news, analysis, and reviews in your feeds.
More from Tom's Guide
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
