
Thread: ClickJacking...everyone is vulnerable...

  1. #1


    Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.

    In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.

    According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com.

    Here is a Mac OS X user explaining the attack:

    This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

    [ malicious URL deleted ]

    And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

    I’m only going to websites that are directly linked off the main page of digg.com, so they’re not obscure, and I’m surfing in Firefox, though the system-wide clipboard is getting taken over, so I can’t even copy something over that from a program like TextEdit.

    The 5th post on this MSNBC.com forum shows what happens when a victim is tricked into pasting — and spamming — the malicious link to help spread the rogue security software.

    In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening.

    If that’s not scary enough, consider that the average end user would have no idea what’s going on during a Clickjack attack.

    eBay, for example, would be vulnerable to this since you could embed JavaScript into the web page, although JavaScript is not required to exploit this. “It makes it easier in many ways, but you do not need it.” Use lynx to protect yourself and don’t do dynamic anything. You can “sort of” fill out forms and things like that. The exploit requires DHTML. Not letting yourself be framed (framebusting code) will prevent cross-domain clickjacking, but an attacker can still force you to click any links on their page. Each click by the user equals a clickjacking click, so something like a Flash game is perfect bait.

    According to Hansen, the threat scenario was discussed with both Microsoft and Mozilla and they concur independently that this is a tough problem with no easy solution at the moment.

    Grossman confirmed that the latest versions of Internet Explorer (including version 8) and Firefox 3 are affected.

    In the meantime, the only fix is to disable browser scripting and plugins. We realize this doesn’t give people much technical detail to go on, but it’s the best we can do right now.

    Security researcher Aviv Raff has created a proof-of-concept demo to show how easy it is to use Flash with ActionScript code to load (persistently) a malicious URL into a target clipboard. (BEWARE: If you click on the demo link, your clipboard is automatically hijacked and will only be released if the browser window is closed). DEMO: http://raffon.net/research/flash/cb/test.html
    Source: http://blogs.zdnet.com/security/?p=1733
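    The quoted text notes that framebusting code stops cross-domain framing; the header-based controls browsers adopted after this thread (X-Frame-Options and the CSP frame-ancestors directive) do the same job from the server side, and a site owner can check them before an attacker does. The checker below is an added example, not code from the thread or the ZDNet article; the bank.example, partner.example and attacker.example origins and the header sets are constructed for illustration.

```javascript
// Added example (not from the thread or the ZDNet article): decide from a page's
// response headers whether a browser should let framerOrigin frame it.
function parseFrameAncestors(csp) {
  // CSP directives are ';'-separated; only frame-ancestors governs framing.
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.toLowerCase()); // source tokens
    }
  }
  return null; // directive absent
}
function sourceMatches(token, framerOrigin, pageOrigin) {
  token = token.replace(/^'|'$/g, ''); // 'self' / 'none' -> self / none
  if (token === 'none') return false;
  if (token === 'self') return framerOrigin === pageOrigin;
  if (token === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(token)) return framerOrigin.startsWith(token + '//'); // https:
  // Host source, optionally with scheme and wildcard subdomain: https://*.example.com
  const url = new URL(framerOrigin);
  const [scheme, host] = token.includes('://') ? token.split('://') : [null, token];
  if (scheme && scheme !== url.protocol.slice(0, -1)) return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.host === host;
}
function framingAllowed(headers, framerOrigin, pageOrigin) {
  // Header names match case-insensitively; when CSP frame-ancestors is present
  // it takes precedence and X-Frame-Options is ignored, as browsers do.
  const get = name => {
    const key = Object.keys(headers).find(k => k.toLowerCase() === name);
    return key === undefined ? undefined : headers[key];
  };
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) return ancestors.some(t => sourceMatches(t, framerOrigin, pageOrigin));
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  return true; // no policy: anyone may frame the page, the state this thread describes
}
// Constructed sample responses; the first is what most sites looked like in 2008.
const SAMPLE_HEADERS = {
  unprotected: {},
  xfoDeny: { 'X-Frame-Options': 'deny' },
  cspPartner: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy':
    "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};
for (const [name, h] of Object.entries(SAMPLE_HEADERS)) {
  console.log(name, framingAllowed(h, 'https://attacker.example', 'https://bank.example'));
}
```

    Run with `node` and feed it the headers of your own pages: any `true` against a foreign origin means that page can be loaded inside a third-party frame.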

  2. #2


    Well, I think my ZoneAlarm ForceField would qualify to stop that.

    Am I right, or could I be wrong????

