Infected web ads are poisoning Mac and Windows users' clipboards with URLs, researchers said Tuesday, in a "very cunning" attack designed to trick people into visiting sites touting bogus security software.
Flash-based ads that have been infected with malicious script and somehow inserted into the web advertising ecosystem are planting the URLs into clipboards on both Macs and PCs running Windows, said Graham Cluely, a senior technology consultant with UK-based security vendor Sophos.
"We do think that Flash is the technology being abused," said Cluely, "because it does have a facility to put content into people's clipboards." The most likely method, another Sophos researcher said earlier Tuesday, is the "setClipboard" Flash command.
Users have reported seeing their clipboards repeatedly stuffed with strange URLs after visiting legitimate websites, said Cluely, which led him to believe that the source of the clipboard poisoning was infected ads. "The attackers have somehow managed to insert malicious adverts into the system," added Cluely. "That's not unusual."
With the malicious URL embedded in the clipboard, the next step is up to the user. When the contents of the clipboard are pasted into, say, the address bar of a browser, the user can be taken to the malware distribution website.
"People are pasting links all the time," said Cluely. "If you're in an instant message conversation with someone, and they say, 'Here's that link I was talking about,' you're more likely to believe it's legitimate. It's very cunning."
Users on several forums, including one of Apple's support forums, have reported the clipboard poisoning.
"When I say 'taking over my clipboard' I mean it appears on my clipboard and can't be removed," explained Andrew Sinclair on a Leopard support thread. "Whenever I paste, that's what gets pasted. If I copy something else and then paste, whatever I copied isn't actually copied and that string is what gets pasted."
Chris Thornton, the creator of ClipMate, a Windows clipboard add-on, also ran across the trick.
"This spreads their URL," he observed in a post to the ClipMate support forum. "If someone replies to an email, they paste from the clipboard, and get the URL. Maybe they catch it, maybe not. Likewise with blog posts, guestbooks, comments, Facebook. They're hoping that when you paste, you paste their crap, and it gets through."
Thornton said his clipboard had been hit after visiting the website of the MSNBC cable news channel.
The URLs, said Cluely, all lead to sites pitching phony security software. So-called "rogue" security programs either make bogus claims that the user's machine is infected with malware in an attempt to dupe people into buying the software, or in some cases, downloads malware rather than real anti-virus software.
Users can flush the clipboard by shutting down the browser, or in some cases, by closing the browser tab with the infected Flash ad.
"Companies should also run some kind of web filtering solution," recommended Cluely, "to block the pages that are putting out these fake security programs."