August 18, 2008

Web Attack Targets Users Clipboards

Computer users are being warned about possible attacks that take control of clipboards where copied text is stored.

The recent attack stores a hard-to-delete weblink into the clipboard. If users follow the weblink, they will be led to a site selling fake security software. It affects both Windows and Mac users of the Firefox web browser.

The attacks became more noticeable after victims reported that a weblink that appears in the clipboard in place of text they thought they had placed there.

The code that inserts the link has been found in flash-based adverts seen on many legitimate websites.

It seems to work by exploiting Adobe Flash files used to make display adverts in such a way as to endlessly flush the clipboard of other text and constantly re-insert the malicious link in its place.

Some users report being able to get rid of the link by simply re-booting their machine, and others said they were able to stop it only by killing the Firefox process thread.

"It's an interesting attack, but doesn't seem to be very widespread at the moment," said Mikko Hypponen, chief research officer at security firm F-Secure. "I don't remember seeing this before."

"It is a pretty clever technique," he said. "Our work would be so much easier if our enemy would be stupid."

Chris Boyd, director of malware research at Facetime Security, said he had been following the attack for several days.

Mr Boyd said he had seen many spam e-mails being sent out that had links to sites hosting the booby-trapped adverts.

"There's been quite a rash of rogue antivirus hijacks lately related to the fake CNN/MSNBC spam," he said.