Malware that rummages through your clipboard is not new – after all, the clipboard is how you transfer data that’s important enough to move between two applications, so the contents of the clipboard are self-selectingly interesting to crooks.
In fact, in an amusing irony, the ⌘ key used on Macs for the copy-and-paste combinations ⌘C and ⌘V (the equivalent of Ctrl+C and Ctrl+V on Windows) is officially known in Unicode as the PLACE OF INTEREST SIGN.
Better yet for cybercriminals, but worse still for you, is that the clipboard is often the primary way that you “type in” critical machine-generated data that’s a hassle to enter character-by-character each time you need it.
You probably use the clipboard yourself all the time for “text strings of interest” such as passwords like P455\/\/()Rdz, invoices or account numbers like 2BBE-64-903555X2-B, and cryptocurrency payment addresses like 1J87dFm62avMYZjWaituZTw9PXBvaguEMr.
We recently wrote about a malware sample with the unassuming name of Troj/Agent-AZHF that spies on your clipboard specifically to look out for cryptocoin addresses that you’re about to send money to – it knows how to recognise addresses for Bitcoin, Dogecoin, Litecoin, Dash, Ethereum, Namecoin, Zcash and Peercoin.
Clipboard-manipulating malware might sound pretty unsophisticated at first, but it can steal digital content from you without the hassle of cracking passwords, reading cryptocoin wallets, peeking at private keys, and even without making any network connections to suspicious command-and-control servers.
Watch our video to learn how clipboard malware works, and what to do about it…
If you have any questions or comments about the video, please leave them below and we’ll do our best to answer them.
Thanks for watching, and remember: after you copy-and-paste, check twice, click once.
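The "check twice" step can also be done mechanically. The Python example below is added here and is not code from the article or from Sophos: it finds address-like strings in the copied and pasted text, validates them with Base58Check, and flags a paste in which a different valid address has arrived. It assumes legacy Bitcoin addresses only (those starting with 1 or 3); the function names are hypothetical and the sample addresses are constructed from arbitrary bytes.

```python
import hashlib
import re

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses: start with 1 or 3, 26 to 35 Base58 characters in total.
CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])")

def _checksum(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def encode_address(version: int, hash160: bytes) -> str:
    """Base58Check-encode version + 20-byte hash (used to construct samples)."""
    raw = bytes([version]) + hash160
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def is_valid_address(text: str) -> bool:
    """True only if text decodes to 25 bytes with a correct checksum."""
    n = 0
    for ch in text:
        if ch not in ALPHABET:
            return False
        n = n * 58 + ALPHABET.index(ch)
    try:
        raw = n.to_bytes(25, "big")
    except OverflowError:
        return False
    # Re-encoding rejects non-canonical spellings such as extra leading "1"s.
    return _checksum(raw[:21]) == raw[21:] and encode_address(raw[0], raw[1:21]) == text

def addresses_in(text: str) -> list:
    return [m for m in CANDIDATE.findall(text) if is_valid_address(m)]

def check_paste(copied: str, pasted: str) -> str:
    """Classify a paste by comparing it with what was originally copied."""
    src, dst = addresses_in(copied), addresses_in(pasted)
    if not src:
        return "no-address"      # nothing address-like was copied
    if dst == src:
        return "ok"
    return "swapped" if dst else "changed"

# Constructed sample data: hashes are arbitrary bytes, not real wallets.
INTENDED = encode_address(0, bytes(range(1, 21)))
OTHER = encode_address(0, bytes(range(100, 120)))
```

A "swapped" result is the case to stop on: a checksum alone cannot catch it, because the replacement address is itself valid.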
Ahhh… time for the YouTube-bashers to take their turn at the Complaints window! 😉
One habit I have gotten into is keeping a text editor window open and hidden at all times (BBEdit in my case) and pasting URLs, etc, from the clipboard into a disposable document to verify the clipboard holds what I want. I started doing this to get around the tracking junk that gets added to URLs; I paste the URL into the disposable text document, edit as needed, and re-copy to the clipboard. I now do that for other things because it makes a nice sanity check. It would be an easy intermediate step when copy/pasting cryptocurrency addresses or other sensitive information.
I do exactly the same (with BBEdit, too :-), mainly because it ensures that what you copy back out of BBEdit is exactly the text you see – no annoying formatting cleverness with fonts, colours, text sizes and so on, just plain old text…
…plus it makes sure that you haven’t copied a link that Google made to look like a direct link to someone else’s site, in its search results, but that ended up, after copying, as some long, tracker-embiggened link that goes via Google’s own servers first.