Threat Intelligence, Malware
ClickFix harnessed in new AMOS malware campaign

Suspected Russian threat actors have exploited the ClickFix attack technique to distribute the Atomic macOS Stealer, or AMOS, malware on macOS systems, according to The Hacker News.
Malicious websites spoofing U.S. telecommunications firm Spectrum have been displaying instructions that lure visitors into completing a CAPTCHA verification check for a connection security review. The check then triggers an error that brings up an "Alternative Verification" button, a report from CloudSEK revealed. Clicking the button copies a command to the user's clipboard and displays instructions for executing a PowerShell command, which eventually results in the deployment of the AMOS malware.

The findings follow a SlashNext report detailing another ClickFix-style attack campaign involving phony Turnstile pages. "Modern internet users are inundated with spam checks, CAPTCHAs, and security prompts on websites, and they've been conditioned to click through these as quickly as possible. Attackers exploit this 'verification fatigue,' knowing that many users will comply with whatever steps are presented if it looks routine," said SlashNext researcher Daniel Kelley.