Ransomware gangs once thrived on infected email attachments and bogus invoices, but security-savvy users and hardened mail gateways have weakened those tactics. Attackers are now focusing on a subtler trick that targets the small checkbox labeled “I’m not a robot” that most people click without thinking.
A widespread campaign known as MacReaper has compromised more than 2,800 legitimate websites and redirects visitors to an infection process designed specifically for Apple computers. The operation relies on visual trust signals, including a convincing fake of Google’s reCAPTCHA, along with hidden clipboard code that ends with the installation of Atomic macOS Stealer malware, a data-harvesting infostealer distributed through Telegram.
A woman working on her laptop (Kurt “CyberGuy” Knutsson)
How does the attack unfold?
When a Mac user visits one of the compromised websites, they don’t see the page they were expecting. Instead, the site displays a full-screen imitation of Google’s familiar reCAPTCHA box.
This fake reCAPTCHA appears harmless, simply asking the user to click “I’m not a robot.” However, when the user clicks the box, a hidden command is silently copied to their clipboard. Immediately afterward, the page displays a friendly message, complete with familiar macOS keyboard shortcut visuals, explicitly instructing the user to open Terminal and paste what they’ve just copied. If the user follows these instructions, the command downloads and runs the malicious file known as Atomic macOS Stealer (AMOS).
This trick is specifically targeted at Mac users. The website checks the visitor’s operating system and only activates the attack if it detects macOS. For Windows or Linux users, the site behaves normally. Researchers have dubbed this infection method “ClickFix,” referencing the single click that initiates the attack chain.
At the center of this campaign is AMOS, a sophisticated piece of malware that has become notorious in cybercrime circles. AMOS is available for rent on Telegram, with some versions costing attackers up to $3,000 per month. Once installed, AMOS can steal a wide array of sensitive data: it can extract Wi-Fi and app passwords stored in Keychain, collect browser cookies and autofill data, list system information and scan through personal folders such as…
Click Here to Read the Full Original Article at FOX News : Tech…