Macs under threat from thousands of hacked sites spreading malware — how to stay safe

MacBook Pro 2021 (16-inch) on a patio table
(Image credit: Tom's Guide)

Verifying your identity online to access certain sites has become increasingly common in recent years. However, hackers have devised a clever way to weaponize Google’s reCAPTCHA and other verification methods to infect vulnerable PCs and now Macs with malware.

As reported by Cyber Security News, security researchers at BadByte have identified more than 2,800 hacked websites that are being used in a new ClickFix campaign designed to infect the best MacBooks with the dangerous password-stealing Atomic Stealer malware.

Once installed on a Mac, this malware steals credentials stored in macOS’ Keychain along with cookies, passwords and autofill data from popular browsers like Chrome and Firefox. However, it can also steal sensitive files from an infected device as well as digital currency stored in more than 50 crypto wallets and extensions.

Here’s everything you need to know about this new Mac malware campaign along with some tips and tricks to help you avoid falling for it and other cyberattacks targeting Apple users.

Not your typical reCAPTCHA

The ClickFix tactic that’s currently being employed by more and more cybercriminals in their attacks is particularly concerning because it’s able to bypass the best antivirus software and many other security tools. The reason is that the victims end up doing most of the heavy lifting themselves: the hackers behind this and similar campaigns use social engineering to get them to run the malicious command, so there is no drive-by download for security tools to block.

We’ve all seen reCAPTCHA and other verification methods that check we’re actually human appear in a pop-up when visiting certain sites. In fact, picking out all the pictures of a bicycle or sliding a piece over to complete a picture has become almost second nature for many of us. This new ClickFix campaign uses this to its advantage.

A fake reCAPTCHA verification pop-up used in ClickFix attacks

(Image credit: BadByte/Tom's Guide)

It starts with a verification pop-up like the one pictured above, which shows up when potential victims visit certain sites. However, when they click “I’m not a robot,” malicious code is silently copied to their Mac’s clipboard and they are presented with instructions for “completing” the verification process that you won’t see on any legitimate site.

This pop-up instructs potential victims to open Terminal on their Macs and then paste the malicious code that was copied to their device’s clipboard without their knowledge. From there, all it takes is a press of the Return or Enter key, and the Atomic Stealer malware is downloaded and installed on their computer.

While previous ClickFix campaigns have gone after Windows users, this one specifically targets Mac users: the code injected into the hacked sites checks the visitor’s operating system and won’t even run if it detects Windows or Linux.
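As an added illustration of the flow just described (this is not code from the article or from BadByte’s report), here is a small Python triage helper that flags a page as a likely fake-CAPTCHA lure only when a clipboard write is paired with paste-into-Terminal instructions. The regexes and the two sample HTML fragments are my own constructions, not copies of any real site.

```python
import re

# Heuristics for the ClickFix flow the article describes: a "verification"
# widget that writes to the clipboard on click, tells the visitor to open
# Terminal and paste, and only fires for Mac visitors.
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I)
INSTRUCTION_RE = re.compile(
    r"\bterminal\b.{0,120}?\b(paste|command\s*\+?\s*v)\b", re.I | re.S)
ROBOT_RE = re.compile(r"i['\u2019]m not a robot|verify (that )?you are human", re.I)
OS_GATE_RE = re.compile(
    r"navigator\.(userAgent|platform)\b.{0,60}?\b(Mac|Macintosh)\b", re.I | re.S)


def clickfix_indicators(html):
    """Return the set of ClickFix indicators present in a page's HTML."""
    checks = {
        "clipboard_write": CLIPBOARD_RE,
        "terminal_paste_instructions": INSTRUCTION_RE,
        "fake_captcha_text": ROBOT_RE,
        "mac_user_agent_gate": OS_GATE_RE,
    }
    return {name for name, rx in checks.items() if rx.search(html)}


def is_suspected_clickfix(html):
    """Flag only when the clipboard write is paired with paste-into-Terminal
    instructions; CAPTCHA wording on its own is everywhere and proves nothing."""
    return {"clipboard_write", "terminal_paste_instructions"} <= clickfix_indicators(html)


# Constructed samples (not taken from any real site) for a quick check.
FAKE_CAPTCHA_HTML = """<div id="check">I'm not a robot</div>
<script>
if (navigator.platform.startsWith("Mac")) {
  document.getElementById("check").onclick = function () {
    navigator.clipboard.writeText(payload);
    alert("Step 2: open Terminal, press Command + V, then press Return");
  };
}
</script>"""

REAL_CAPTCHA_HTML = """<div class="g-recaptcha"><label>I'm not a robot</label>
<iframe title="reCAPTCHA"></iframe></div>"""

if __name__ == "__main__":
    for name, page in (("fake", FAKE_CAPTCHA_HTML), ("real", REAL_CAPTCHA_HTML)):
        print(name, is_suspected_clickfix(page), sorted(clickfix_indicators(page)))
```

Treat a hit as a reason to look closer, not as proof: developer documentation with a copy button next to “paste this into your terminal” will trip the same two indicators.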

It’s worth noting that Atomic Stealer is distributed via a Malware-as-a-Service model where hackers pay its creators up to $3,000 per month to use this malware in their attacks. Due to this, we’re more likely to see other campaigns using this malware with similar or even widely different infection methods.

How to stay safe from Mac malware

A padlock resting next to the Apple logo on the lid of a gold-colored Apple laptop.

(Image credit: robert coolen/Shutterstock)

If you know what to look out for, this particular campaign is very easy to avoid. When you see a verification pop-up like the one shown above, close the website immediately and whatever you do, don’t interact with it or follow its instructions.

I’m sure most Tom's Guide readers are well aware of the reasons why this kind of pop-up, and being asked to open a Terminal or Command Prompt window on their computer, is a major red flag. However, not everyone is as tech-savvy, which is why I ask that you share what you’ve learned with both older and younger family members, friends and colleagues to help keep them safe, too.

As for staying safe from Mac malware, your Mac comes with built-in security software in the form of Apple’s own XProtect. However, for additional protection, it’s also worth signing up for one of the best Mac antivirus software solutions.

If you want to be extra protected though, you might also want to consider one of the best identity theft protection services since they can help you recover your identity or any funds lost to a malware attack. However, you have to sign up for one of them before an attack occurs as there isn’t much these companies can do for you once the damage is already done.

The reason a ClickFix attack like this one is able to trick so many people is social engineering. The hackers behind this and similar campaigns use your preexisting knowledge and online habits to get you to do something you otherwise normally wouldn't have. They might also use a sense of urgency to get you to visit one of the infected sites used in this campaign.

If you stick to known and trusted sites, avoid letting your emotions get the best of you and practice good cyber hygiene though, you should be able to avoid falling victim to this campaign and others like it. That way, your Mac can stay virus free and your sensitive personal and financial data won’t fall into the wrong hands.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.