Mystery web attack hijacks your clipboard
No, Macs are not immune
A new web-based attack is making the rounds that tries to spread poisonous links by hijacking end users' clipboards.
Forum discussions here, here, here, here and elsewhere all report the same thing: the commenter surfs to a seemingly legitimate site (MSNBC.com comes up more than once) and suddenly a malicious link is copied to the clipboard. The rogue link remains even after the user copies a new batch of text. The only way to remove it is to reboot the computer.
The attack has been reported by Firefox users running both OS X and Windows, but we wouldn't be surprised to hear that other browsers and operating systems are also vulnerable. It's unclear exactly how the attack spreads. The Spyware Sucks blog posits here that banner ads transmitting bad Adobe Flash code is responsible, and that makes sense to us.
If you've encountered this attack, please leave a comment below detailing exactly where you encountered it.
Those behind the attack appear intent on propagating a link (for the record, it's xp-vista-update.net, but we recommend staying away) that claims users' PCs are petri dishes hopelessly infected with malware unless they are immediately cleaned by a fraudulent anti-malware program. By permanently attaching the link to the clipboard, attackers are betting the user will paste it in emails, blog posts or directly into a browser's address bar.
Attacks like these are another reason why running the NoScript extension on Firefox makes a lot of sense. It's not perfect, but it can insulate you from a huge amount of the attack code floating around on the web. ®
Re: Why cut and paste?
@ C Benjamin
I would like to believe that at least the majority of IT managers are familiar with copy and paste keyboard shortcuts.
Why cut and paste?
Because many of today's IT managment products are using browser based interfaces. For those Sysadmins using them you end end up doing a lot of cut and paste as a time saving maneuver to make sure you have a) entered the information in correctly and b) you can add more then one entry at once or you are adding multiple lines to queries/functions.
Of course, it would be far too difficult to expand the redirect page to check what OS you're running and provide an OS-based scan, or to offer a Mac download? The whole point is that it scares users into downloading something they don't need, pay for something they don't need (ie put their card details into the site, so not just paying for one thing), and possibly screw their PC by downloading it. If a user is prepared to download and run something, once they run it and get told it might be unsafe they'll probably still run it won't they?
Even worse, there's not going to be any AV on a Mac already to pick it up as dangerous. I'm not the biggest fan of Macs, but you have to be able to see that there is roughly the same (high) percentage of naive Mac users as PC users. As Macs get more popular, it's only a matter of time before a scam like this is adapted for Macs, it just makes sense.