August 18th, 2008
Adobe Flash ads launching clipboard hijack attack
Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.
In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.
According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.
Here is a Mac OS X user explaining the attack:
This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:
[ malicious URL deleted ]
And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.
I’m only going to websites that are directly linked off the main page of digg.com, so they’re not obscure, and I’m surfing in firefox, though the system wide clipboard is getting taken over, so I can’t even copy something over that from a program like TextEdit.
The 5th post on this MSNBC.com forum shows what happens when a victim is tricked into pasting — and spamming — the malicious link to help spread the rogue security software.
Security researcher Aviv Raff has created a proof-of-concept demo to show how easy it is to use Flash with ActionScript code to load (persistently) a malicious URL into a target clipboard. (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed).
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
