More evil flash banner ads, this time they will hijack your clipboard.

It's been a while since we talked about banner ads being hijacked for malware spreading, sadly this does not mean that such banner tricks aren't around anymore. Here's a new twist - booby-trapped Flash banner ads can hijack your clipboard - feeding it a hard-to-delete (you must quit your browser) URL that points to a fake anti-virus program. If you are the type who copy-pastes a lot when you surf around the web, this will be super annoying.

Mac users, don't look smug - it affects us too. Apple forums has some discussions on it:

This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:
https:// ----evilsite-------
And once it's in the clipboard, I can't copy anything else over it until I've restarted the machine.

It's easy to use Flash with ActionScript code to load a malicious URL into a target clipboard says security researched Avid Raff and demonstrates it here (non-evil URL but at that link he will show you the clipboard hijack). See there is a snippet in Flash that you may use called System.setClipboard(), I have no idea what that was originally intended for. Flash documentation reads:

The System.setClipboard() method allows a SWF file to replace the contents of the clipboard with a plain-text string of characters. This poses no security risk. To protect against the risk posed by passwords and other sensitive data being cut or copied to clipboards, there is no corresponding “getClipboard” (read) method.

Right, except of course when people but evil URL's in your clipboard and trick you into visiting bad sites that way. Should we stop copy-pasting or will Adobe come to their senses and create a dialogue window warning that the clipboard is being used like they do when the Camera.get() or Microphone.get() are called?

In a related bad-viral outbreak, the website of popular magazine BusinessWeek has been attacked via SQL injection in an attempt to infect its readership with malware (this is not in the banners, but in the web pages). Worse, Help Net Security reports that "Sophos informed BusinessWeek of the infection last week, although at the time of writing the hackers' scripts are still present and active on their site." Clean it up already! Here's a demonstration video showing what happens.

So what can you dear end user do? Reject all flash based banner ads (which will mean that you'll miss out on those cool Apple banner ads) - either by rejecting flash outright or using ad-blocking plugins.

Previous Banner ad hijacking reports in Adland:
Banner hijacking still going strong - Adrants now victim to uplothario campaign.
Worst banner ad ever - system doctor takes over the browser
Hacking web banner networks sends banner ads from hated to feared

Adland® is supported by your donations alone. You can help us out by buying us a Ko-Fi coffee.
Anonymous Adgrunt's picture
Files must be less than 1 MB.
Allowed file types: jpg jpeg gif png wav avi mpeg mpg mov rm flv wmv 3gp mp4 m4v.
Dabitch's picture

AH, now that the post-lunch brain has kicked in, of course I know what that copy-call is intended for - all those embed this flash video buttons. Duh!