Free Republic

Mac, Windows clipboards poisoned by URL attacks
Networkworld ^ | By Gregg Keizer | 08/19/2008

Posted on 08/23/2008 7:25:48 PM PDT by Swordmaker

Infected Web ads are poisoning Mac and Windows users' clipboards with URLs, researchers said Tuesday, in a "very cunning" attack designed to trick people into visiting sites touting bogus security software.

Flash-based ads that have been infected with malicious script and somehow inserted into the Web advertising ecosystem are planting the URLs into clipboards on both Macs and PCs running Windows, said Graham Cluley, a senior technology consultant with U.K.-based Sophos.

"We do think that Flash is the technology being abused," said Cluley, "because it does have a facility to put content into people's clipboards." The most likely method, another Sophos researcher said earlier Tuesday, is the "setClipboard" Flash command.

Users have reported seeing their clipboards repeatedly stuffed with strange URLs after visiting legitimate Web sites, said Cluley, which led him to believe that the source of the clipboard poisoning was infected ads. "The attackers have somehow managed to insert malicious adverts into the system," added Cluley. "That's not unusual."

With the malicious URL embedded in the clipboard, the next step is up to the user. When the contents of the clipboard are pasted into, say, the address bar of a browser, the user can be taken to the malware distribution Web site.

"People are pasting links all the time," said Cluley. "If you're in an instant message conversation with someone, and they say, 'Here's that link I was talking about,' you're more likely to believe it's legitimate. It's very cunning."

Users on several forums, including one of Apple's support forums, have reported the clipboard poisoning.

"When I say 'taking over my clipboard' I mean it appears on my clipboard and can't be removed," explained Andrew Sinclair on a Leopard support thread. "Whenever I paste, that's what gets pasted. If I copy something else and then paste, whatever I copied isn't actually copied and that string is what gets pasted."

Chris Thornton, the creator of ClipMate, a Windows clipboard add-on, also ran across the trick.

"This spreads their URL," he observed in a post to the ClipMate support forum. "If someone replies to an e-mail, they paste from the clipboard, and get the URL. Maybe they catch it, maybe not. Likewise with blog posts, guestbooks, comments, Facebook, etc. They're hoping that when you paste, you paste their crap, and it gets through."

Thornton said his clipboard had been hit after visiting the Web site of the MSNBC cable news channel.

The URLs, said Cluley, all lead to sites pitching phony security software. So-called "rogue" security programs either make bogus claims that the user's machine is infected with malware in an attempt to dupe people into buying the software, or in some cases, download malware rather than real antivirus software.

Users can flush the clipboard by shutting down the browser, or in some cases, by closing the browser tab with the infected Flash ad.

"Companies should also run some kind of Web filtering solution," recommended Cluley, "to block the pages that are putting out these fake security programs."


TOPICS: Business/Economy; Computers/Internet
KEYWORDS: forbiddenfruit
To: Swordmaker

I did not know that. Thanks for the info.


21 posted on 08/23/2008 9:43:48 PM PDT by Inyo-Mono (If you don't want people to get your goat, don't tell them where it's tied.)
[ Post Reply | Private Reply | To 17 | View Replies]

To: Swordmaker

Yeah, I just tried it with several browsers on my Mac G5 quad OSX 10.4, the clipboard was captured and kept pasting “evil.com” (Hillary’s website??) into everything.

It flushed the clipboard when I closed the window.

Ed


22 posted on 08/24/2008 12:49:25 AM PDT by Sir_Ed
[ Post Reply | Private Reply | To 13 | View Replies]

To: Swordmaker

There is a solution to the problem: Look at the url you paste in the address box before you hit ENTER.


23 posted on 08/24/2008 12:52:28 AM PDT by Jeff Chandler (Merci beau coup.)
[ Post Reply | Private Reply | To 12 | View Replies]

To: B Knotts
I hope someday, Flash will just go away. It’s just awful.

Wrong. Flash is good. Now PDF files...

24 posted on 08/24/2008 12:53:52 AM PDT by Jeff Chandler (Merci beau coup.)
[ Post Reply | Private Reply | To 20 | View Replies]

To: Swordmaker
The issue is technically true... but you have to read this phrase correctly: ". . . are planting the URLs into clipboards on both Macs and PCs running Windows . . ." The key is that Macs, running Windows, are vulnerable to having the Windows' clipboard taken over!

That's just sloppy writing. The vulnerability is in Flash, which has the ability to access the clipboard on both operating systems (and Linux, too).

If you have a Photobucket account, you've probably used the Direct Link facility they put below each image. Click it, and it copies the picture URL to the clipboard. If you examine the underlying code, you will find it uses Javascript to access an included .swf, which does the actual copy operation.

25 posted on 08/24/2008 1:02:16 AM PDT by cynwoody
[ Post Reply | Private Reply | To 1 | View Replies]

To: Swordmaker
I presume this exploit operates by looping the javascript code in the flash to repeatedly copy the bogus URL into the clipboard. That's why the exploit vanishes when you close the browser window.

I really wish there was a way to send a large EMP into the servers owned by these spammers. I'd like to tase the spammers too for good measure!

26 posted on 08/24/2008 4:33:35 AM PDT by 6SJ7
[ Post Reply | Private Reply | To 10 | View Replies]

To: Jeff Chandler

Flash needs to be replaced with something open. For crying out loud, Adobe *still* hasn’t released a 64-bit Flash player!


27 posted on 08/24/2008 6:24:18 AM PDT by B Knotts (Calvin Coolidge Republican)
[ Post Reply | Private Reply | To 24 | View Replies]

To: Jeff Chandler
"Wrong. Flash is good. Now PDF files... "

So you're the guy spreading all the Flash malware.

/kidding

28 posted on 08/24/2008 7:14:18 AM PDT by HangThemHigh (Entropy's not what it used to be.)
[ Post Reply | Private Reply | To 24 | View Replies]

To: 6SJ7
"I presume this exploit operates by looping the javascript code in the flash to repeatedly copy the bogus URL into the clipboard. That's why the exploit vanishes when you close the browser window."

Yes, if you open the clipboard viewer (clipbrd.exe) with the site open, you can watch the clipboard being rapidly overwritten with the infected URL. Navigate away from the site and the clipboard contents stay, but can be overwritten by the user.

29 posted on 08/24/2008 7:21:46 AM PDT by HangThemHigh (Entropy's not what it used to be.)
[ Post Reply | Private Reply | To 26 | View Replies]
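
The behaviour described in the article and in the two comments above (one URL put back on the clipboard moments after the user copies anything else) can be detected from a log of clipboard contents. This is an added example, not from the article or any poster; the sample timelines, URLs, thresholds and function names are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed timelines: (seconds, clipboard text) as a polling monitor might log them.
POISONED = [
    (0.0, "meeting notes draft"),
    (0.5, "http://rogue-av.example/scan"),   # first appearance of the planted URL
    (1.0, "http://rogue-av.example/scan"),
    (1.4, "quarterly figures"),              # user copies something else
    (1.5, "http://rogue-av.example/scan"),   # ...and it is replaced almost at once
    (3.0, "phone 555-0100"),
    (3.1, "http://rogue-av.example/scan"),
]
BENIGN = [
    (0.0, "http://news.example/story"),
    (20.0, "some text"),
    (45.0, "http://news.example/story"),     # user re-copies the same link much later
]


def is_url(text):
    parts = urlparse(text.strip())
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def find_reasserted_urls(samples, max_gap=1.0, min_reassertions=2):
    """Return {url: count} for URLs that keep displacing other clipboard content.

    A reassertion is a change back to an already-seen URL within max_gap
    seconds of different content appearing (assumed thresholds).
    """
    reassertions = Counter()
    seen_urls = set()
    prev_text, changed_at = None, None
    for ts, text in samples:
        if text == prev_text:
            continue                      # no change since the last sample
        if is_url(text):
            displaced_quickly = prev_text is not None and ts - changed_at <= max_gap
            if text in seen_urls and displaced_quickly:
                reassertions[text] += 1
            seen_urls.add(text)
        prev_text, changed_at = text, ts
    return {u: n for u, n in reassertions.items() if n >= min_reassertions}


if __name__ == "__main__":
    print("poisoned:", find_reasserted_urls(POISONED))
    print("benign:  ", find_reasserted_urls(BENIGN))
```
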

To: Swordmaker

I believe I have witnessed the end-result of this very problem. I have received numerous messages on Facebook from folks I know, that have a short three or four word message, and a long crazy looking url. While the URLs appear to be different, they all go to the same fake video hosting “page” that if you click ANYWHERE on the page, it downloads an exe file that appears to be a pretty ugly bug.

The friends I have received this from are all pretty good folks who would not intentionally pass on such trash. I suspect they used one of the apps on Facebook to send something to all their friends - and the malicious url was put through instead.

Or the problem is completely unrelated - but sure sounds so (notice the reference to Facebook in the text).

Of course, as I sit here typing on my iBook, I’m not worried about the .exe file sitting on my desktop.

Anyone want me to send you the file????


30 posted on 08/25/2008 7:29:38 AM PDT by TheBattman (Vote your conscience, or don't complain about RINOs!)
[ Post Reply | Private Reply | To 1 | View Replies]

To: jsc572
NoScript will not block flash script exploits. The best security combo for Firefox is AdblockPlus+NoScript+FlashBlock. And if you are really surf paranoid, get ImgLikeOpera extension for FF too, it lets you block all graphics (to avoid rare GIF exploits).

Thank you for this tip. I use Firefox and have only run NoScript until I saw this post. I'm amazed at how much faster my ad-heavy homepage loads now. Much appreciated.

31 posted on 08/25/2008 7:41:06 AM PDT by Colonel_Flagg ("We are the people." - Psalm 95:7)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Swordmaker

Lynx doesn’t seem to suffer from this problem. ;)


32 posted on 08/25/2008 11:20:50 AM PDT by Question_Assumptions
[ Post Reply | Private Reply | To 10 | View Replies]

To: Colonel_Flagg

No problem. Don’t forget to subscribe to a filter list for ABP to eliminate 99% of the ad junk out there; I personally prefer Rick’s Easylist.


33 posted on 08/25/2008 12:14:13 PM PDT by jsc572
[ Post Reply | Private Reply | To 31 | View Replies]

