An online clothing shop linked to FBI Director Kash Patel went offline on Friday after it was found distributing an Infostealer to visitors. The shop, called Based Apparel, was compromised by hackers to trick macOS users into downloading this specific type of malware that steals private data.
How this ClickFix Attack Works
The unknown hackers involved in this campaign used a deceptive technique known as a ClickFix attack. When a user visited BasedApparel.com, the website displayed a fake warning page designed to look exactly like Cloudflare, a website security company that runs anti-bot “Verify you are human” checks.
The fake page told users that unusual web traffic was detected and asked them to complete a CAPTCHA test. To do this, the site gave highly unusual instructions and told visitors to open Terminal, which is a built-in utility on Mac computers used to execute system commands.
The website showed a button that said “Copy,” claiming it would copy a simple phrase like “I am not a robot.” Instead, clicking the button copied a long piece of obfuscated text. The website then instructed the user to paste this text into their Terminal, and when it is pasted and run, the hidden code executed a shell script that connected to the hackers’ C2 domain. The malicious script was designed to drain crypto assets from digital wallets and steal sensitive session tokens and browser data.
Discovery, Website Shutdown, and Coming Back Soon Message
A web user based in Portugal first spotted the attack on Thursday. Later, researchers managed to replicate the attack while navigating the store on a MacBook using the Chrome browser. However, by Friday, BasedApparel.com was completely down, displaying a message stating the store would be back online shortly.
It remains unclear whether any visitors lost data due to the cyberattack, given that it attracts so much traffic. Internet traffic data from the research firm Ahrefs reveals that the store, co-created by Kash Patel and Andrew Ollis before Patel became the head of the FBI, gets about 33,600 visits every month.
At the time of writing, the website was online, only displaying a one-page message stating “We’ll Be Right Back. We’re making improvements to better serve you. The store will be back online shortly – bolder than ever. Back Soon, Stay Based.”
This is also not the first time Kash Patel has appeared in cybersecurity-related headlines. Last month, the Iran-linked Handala hacker group breached Patel’s personal Gmail account and leaked private photos and documents. Nevertheless, if you visited the malicious website, you should scan your browser and device for infostealer malware.
