Clipboard Hijacking Attacks and How to Prevent Them
By Loren Rozenbloom, 1/06/2023
Target: IT Professionals
Tags: Malware, Clipboard attack
Computer clipboard hijacking attacks occur when an attacker gains unauthorized access to the clipboard of a computer to intercept or modify the data being copied and pasted. This type of attack can be carried out through various means, such as by exploiting vulnerabilities in the operating system or by using a malicious program or script.
One common type of clipboard hijacking attack involves a Trojan or malware program. The malware may be disguised as a legitimate application or downloaded unknowingly by the user through a phishing email or website. Once installed on the computer, the malware can monitor the clipboard activity, and intercept or modify the data being copied and pasted.
Here are some examples of malware that have been known to use clipboard hijacking techniques:
- Zeus Panda: This is a banking Trojan that is capable of stealing login credentials and other sensitive information by intercepting the data on the clipboard. When the user copies their login information into the clipboard, the Trojan replaces it with a fake set of login credentials, which are then sent to the attacker.
- TrickBot: This is another banking Trojan that uses clipboard hijacking to steal sensitive information such as credit card numbers and login credentials. The malware monitors the clipboard activity and intercepts the data being copied and pasted, which is then sent to the attacker.
- CryptoShuffler: This is a type of malware that targets cryptocurrency wallets by intercepting the clipboard data and replacing the legitimate wallet address with a fake one. When the user tries to transfer cryptocurrency to the wallet address, it is instead sent to the attacker’s wallet.
- Clipboard Ghost: This is a clipboard hijacking malware that can intercept data being copied and pasted and replace it with malicious code or links. The malware can also inject code into the clipboard data to execute malicious commands on the user’s computer.
- Malicious Tor Browser: Recently, malicious Tor Browser installers have targeted Russians and Eastern Europeans with clipboard-hijacking malware that steals infected users’ cryptocurrency transactions.
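The address-swapping behaviour described above for CryptoShuffler and the malicious Tor Browser installers can be spotted from a log of clipboard snapshots. The following is an added example, not code from the original article or from any product it mentions. It assumes a monitor that records timestamped clipboard text and a 2-second window below which a user is assumed not to re-copy; the `Snapshot` type, function names and sample strings are hypothetical and constructed for illustration.

```python
import re
from typing import NamedTuple

# Well-known address shapes (format check only, no checksum validation).
ADDRESS_FORMATS = {
    "btc-base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

class Snapshot(NamedTuple):
    ts: float   # seconds since monitoring started
    text: str   # clipboard text at that moment

def address_format(text):
    """Return the format name if the whole clipboard text is one address."""
    candidate = text.strip()
    for name, pattern in ADDRESS_FORMATS.items():
        if pattern.fullmatch(candidate):
            return name
    return None

def find_address_swaps(snapshots, window_s=2.0):
    """Flag an address replaced by a different address of the same format
    within window_s seconds, faster than a user is assumed to re-copy."""
    alerts = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        fmt = address_format(prev.text)
        if fmt is None or fmt != address_format(cur.text):
            continue
        if prev.text.strip() != cur.text.strip() and cur.ts - prev.ts <= window_s:
            alerts.append((cur.ts, fmt, prev.text.strip(), cur.text.strip()))
    return alerts

# Constructed sample: placeholder strings that only match the address shapes.
SAMPLE = [
    Snapshot(0.0, "meeting notes"),
    Snapshot(5.0, "1" + "A" * 33),              # user copies a BTC-shaped string
    Snapshot(5.3, "1" + "B" * 33),              # replaced 0.3 s later: suspicious
    Snapshot(60.0, "0x" + "ab" * 20),           # user copies an ETH-shaped string
    Snapshot(95.0, "0x" + "cd" * 20),           # different address 35 s later: normal
    Snapshot(120.0, " 0x" + "cd" * 20 + "\n"),  # same address re-copied with whitespace
]

if __name__ == "__main__":
    for alert in find_address_swaps(SAMPLE):
        print("possible clipboard address swap:", alert)
```

The time window is a heuristic: a swap made after a longer delay would not be flagged, so this check complements the preventive measures rather than replacing them.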
Another type of clipboard hijacking attack involves the use of a website or web application. In this case, the attacker may embed malicious code into a webpage, which can then access the clipboard data of the user’s computer when the user copies or pastes information from the webpage. This can allow the attacker to steal sensitive information such as login credentials, credit card numbers, or other personal data.
To protect against clipboard hijacking attacks, it is important to take several measures, such as:
- Use an antivirus or anti-malware program to detect and remove any malicious software on your computer.
- Be cautious when downloading and installing software from untrusted sources and avoid clicking on links in suspicious emails or websites.
- Keep your operating system and software up to date with the latest security patches to minimize the risk of vulnerabilities being exploited.
- Use a password manager to store and automatically enter login credentials, rather than copying and pasting them from a clipboard.
- Clear your clipboard regularly to remove any sensitive data that may have been copied and prevent it from being accessed by unauthorized parties.
- Use isolation technologies (please see our blog).
BUFFERZONE® Safe Workspace™ is a suite of prevention capabilities based on application isolation technology that includes Safe Browsing, SafeBridge® (Content Disarm and Reconstruction capabilities), and Safe Removable (USB attack prevention), all combined with clipboard security. The Safe Workspace™ virtual container is created by a kernel driver, which virtually separates the operating system into two logical zones. The first zone is the trusted zone, which is connected to all the organization’s networks and the operating system’s files. The second zone is called the untrusted zone, which acts as a buffer zone where different applications can securely run isolated from the trusted zone’s memory, files, registry, and processes. This method offers advantages such as low CPU and memory footprint, high quality of experience, and the ability to seamlessly work inside the virtual container without noticing that you are protected from browsing and USB threats. BUFFERZONE® is the only virtual containment solution that works based on six patented technologies.
The solution prevents clipboard data from being copied from the trusted zone to the untrusted zone, where the user is browsing and opening new attachments. By using an advanced isolation solution, the organization’s content is secure. Downloaded attachments are isolated, while antivirus and EDR (Endpoint Detection and Response) solutions can always scan the untrusted virtual zone. The virtual environment can be cleaned in one click, eliminating any malicious traces.
In summary, clipboard hijacking attacks can pose a serious threat to the security of your personal and sensitive information. By taking the appropriate precautions and staying vigilant, you can help protect yourself from these types of attacks.