Clipboard Hijacking Attacks and Vulnerability Analysis in Current Financial Transaction Systems

JoobinYoun
10 min read, Jun 18, 2019


Malicious access to the clipboard lets an attacker collect the personal information of the compromised user, such as postal address, email address, phone number, Social Security Number, account number, and password. Once an attacker controls a personal computer's clipboard, they can also replace its contents for their own ends. For example, when the attacker finds a string in the clipboard that resembles a Bitcoin or Ethereum address or a bank account number, they replace it with one they own, and the cryptocurrency or money is transferred to the attacker's account instead. The aftermath of losing control of the clipboard can therefore be disastrous, because abuse of this information leads directly to financial loss.

In this post, my objective is to analyze the threat and the process of clipboard hijacking and to identify measures that prevent further damage from personal data leakage and financial loss. The post mostly consists of experiments with the clipboard on several browsers while a simple script runs in the background, and of testing whether the transaction systems of a bank website and of cryptocurrency wallets are prepared for this kind of threat.

What is the clipboard?

The clipboard is a section of RAM (Random Access Memory) in which the computer stores the user's copied data. The copied data can be text, an image, a file, or any other type of data.

Data is stored in the clipboard whenever a user uses the 'copy' function, which is available in most applications. Data stored in the clipboard can be put into other applications, such as a word processor, with the 'paste' function, which is likewise available in most applications.

Practice: How to hijack the clipboard and manipulate it using Pyperclip

There are mainly four approaches I’m going to take:

1) Get control of clipboard using pyperclip
2) How to change the contents of the clipboard
3) Save the contents of the clipboard to csv file
4) Send the contents of the csv file to the attacker’s email when certain condition is met

'Pyperclip' is a cross-platform Python module for copying and pasting text to and from the clipboard. Installing and importing the library is all that is needed.

i) Get control of clipboard using pyperclip

You need to install and import the pyperclip library to use this code.
What I did is write a "while" loop that continuously picks up newly updated clipboard contents. At the first line, the content saved in the clipboard is read into a temporary variable by the pyperclip.paste() call. This is the starting point of clipboard hijacking.

ii) How to change the contents of the clipboard

The next step is changing the contents of the clipboard to what the attacker wants. In the case of bank accounts, each bank has a fixed account number length and pattern. These per-bank patterns can easily be found on the internet.

For example, Shinhan Bank, a popular bank in Korea, has defined account codes for each type of account. The length is mostly 12 digits, and 14 digits only for virtual accounts, which corporations use to collect payments from a large number of customers. So if such a virtual account number is hijacked and replaced with the attacker's own virtual account, money that should have been transferred to the company is intercepted.

So this simple code is enough to detect a Shinhan Bank account number copied into the clipboard and to replace it with the attacker's Shinhan Bank account number, which looks so similar that the original and the changed one are hard to tell apart at a glance. A for statement appends the list of possible three-digit bank codes to the list variable named 'shinhan codes'. Next, the code checks that the length of the clipboard content is 12 or 14 and that its first three characters match an element of the list. If somebody copies another person's account number to transfer money and does not notice that it has changed when pasted, he or she loses the money. Cryptocurrencies like Bitcoin and Ethereum have account numbers (addresses) too, and because the addresses follow a pattern, the same hijack-and-replace attack applies to them. In the case of cryptocurrency the addresses are more complex, so a swapped address is even harder to notice, and the user cannot check the receiver's name when transferring coins. Special care is needed to protect these assets.

iii) Save the contents of the clipboard to csv file

Once an attacker controls the clipboard, they can collect sensitive information by adding a little more code.

After checking the contents of the clipboard, the attacker can save it to person.csv with the saveInfo() function, calling it whenever needed. In this code it is called when the copied content is not related to an account number or a cryptocurrency wallet address; in other words, saveInfo() is called whenever the clipboard contents were not changed.

iv) Send the contents of the csv file to the attacker’s email when certain condition is met

Saving the information on the victim's computer alone is not useful enough; the attacker has to move it to their own machine to use it in further attacks. What I did for that is write a 'helper' module.

The module uses 'smtplib', which defines an SMTP client session object for sending mail to any Internet host, and the 'MIME' classes of the email library, which extend the format of the email. All of this is implemented in the sendEmail() function, so calling sendEmail() when a certain condition is met is enough.

This is part of the main function. I used a counter to limit the number of hijacked entries stored in the csv file. The counter condition sends an email to me every time the program intercepts five entries, and then resets the csv file to an empty file to remove the trace. Data accumulates in person.csv again the next time saveInfo() is called.

The contents of the received mail are as follows. It carries the 5 entries, and the subject of the email is 'Today's hijack', as set in the sendEmail() function.

Security check for clipboard hijacking in various environments and applications

In this section I run a kind of experiment: I need to check whether this program works when applied to real cryptocurrency wallets and a bank site, so I executed the Python script in various environments. The following are the operating systems, browsers, and applications I used for testing:

OS: MacOS (High Sierra), Windows (Windows 10)
Browser: Chrome, Firefox, Safari (MacOS), Internet Explorer (Windows)
Wallet plugin: Bitcoin Wallet, Badger Wallet, Metamask, ICONEX
Bank: Shinhan Bank (South Korea)
Vaccine (anti-virus) software: AVG (MacOS), V3 (Windows), Alyac (Windows)

Note that some plugins are not supported by certain browsers. Sadly, Internet Explorer (IE) and Safari do not support any kind of cryptocurrency wallet. The following table shows, for each browser, whether it supports the cryptocurrency wallets or not.

As for how the program is run, I chose to run the Python script as a background process so that the user would not easily notice it. It is very simple: if the script is named 'hijack.py', use the following command.

python hijack.py &

The '&' character runs the Python script as a background process. When you type that command in the terminal, the shell prints the process ID like this.

You can then find the process in Activity Monitor using that process ID.

When you want to kill it, type the command 'pkill -f hijack.py', which kills the process whose command line contains 'hijack.py'. Now everything is prepared for the test.

Test # 1: Can vaccine (anti-virus) software save us from the clipboard hijacking attack?

AVG, Alyac, V3

For Windows, I installed the most popular vaccine software, 'V3', and another well-known one, 'Alyac'. For MacOS, I chose the popular vaccine 'AVG'. I checked whether these anti-virus products detect the suspicious behavior of changing the clipboard contents and warn me while the script is running. None of them detected the script.

Test # 2: Cryptocurrency, is it secure from clipboard hijacking?

I installed four plugins (Bitcoin Wallet, Badger Wallet, Metamask, ICONEX) and tested them in two browsers, Chrome and Firefox, on each OS. The steps are as follows:

1. Sign up for each wallet to get address
2. Run the hijacking script
3. Copy any of the wallet address or bank account
4. Paste it to anywhere
5. See if it changed to attacker’s address

The results were terrible. The clipboard was completely hijacked while the cryptocurrency wallet was running. When I clicked the wallet's 'copy' button for the address or copied it manually, the clipboard contents were changed to the address I had set earlier. No wallet offered a virtual keyboard or a security program running in the browser that checks for malicious background processes. The more sophisticated the condition statement in the code becomes, the more kinds of wallet address can be detected and manipulated by attackers. It seems urgent for cryptocurrency wallets to adopt a security program that detects this kind of malicious code running on the system.
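The detection the author asks for can be built on the one observable signature of the hijacker described in the script section: a payment identifier the user copied is later found replaced by a different identifier of the same kind, with no user copy in between. The following is an added example written for this post, not the author's script or any wallet's code. It works over a constructed event stream so it runs offline; in a real monitor the "observe" events would come from polling the clipboard (for example with pyperclip.paste()) and "copy" events from the application's own copy action. The 12/14-digit bank rule follows the post; the address regexes are illustrative assumptions, not complete validators.

```python
import re
from typing import List, Optional, Tuple

# Identifier formats the post discusses. The 12/14-digit account length follows
# the post's description of Shinhan accounts; the address patterns are assumed
# and simplified for illustration (no checksum validation).
PATTERNS = {
    "bank_account": re.compile(r"^\d{12}$|^\d{14}$"),
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str) -> Optional[str]:
    """Return which payment-identifier kind `text` looks like, or None."""
    text = text.strip()
    for kind, rx in PATTERNS.items():
        if rx.match(text):
            return kind
    return None


def audit_clipboard_events(events: List[Tuple[str, str]]) -> List[dict]:
    """Walk a stream of ("copy", value) user actions and ("observe", value)
    clipboard readings. Flag every observed value that replaced the last
    copied payment identifier with a *different* identifier of the *same*
    kind while no user copy happened in between: that is the swap a
    clipboard hijacker performs, and a legitimate clipboard never does it.
    """
    alerts = []
    last_copied: Optional[str] = None
    for action, value in events:
        if action == "copy":
            last_copied = value
        elif action == "observe" and last_copied is not None and value != last_copied:
            kind = classify(last_copied)
            if kind is not None and classify(value) == kind:
                alerts.append({"kind": kind, "copied": last_copied, "observed": value})
                last_copied = value  # report each swap once, not on every poll
    return alerts


if __name__ == "__main__":
    # Constructed sample stream: an Ethereum address is copied, then silently swapped.
    good = "0x" + "a" * 40
    swapped = "0x" + "b" * 40
    for alert in audit_clipboard_events([("copy", good), ("observe", good), ("observe", swapped)]):
        print("clipboard swap detected:", alert)
```

A wallet or banking page that raises such an alert should block the paste and show the user both values, which is the "double check the copied address" advice from the Evaluation made automatic.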

Test # 3: Bank, is it secure from clipboard hijacking?

All South Korean banks require installing several security programs in order to use online banking. I'm going to look at Shinhan Bank's security from the viewpoint of clipboard hijacking.

This is the list of security programs required for online banking at Shinhan Bank. The required programs were the same on MacOS and Windows. Shinhan's online banking service is available on Internet Explorer (IE), Firefox, Safari, Chrome, Opera, and others. Note that the fourth item in the list, 'TouchEnNxKey', is the virtual keyboard component. After reaching the money transfer page, I ran the clipboard hijacking script. Although the 'AhnLab Safe Transaction' firewall was running, it could not stop the Python script from changing the clipboard contents when I copied the bank account number. However, when I tried to paste the account number into the deposit account number field, a virtual keyboard appeared: this is the 'TouchEnNxKey' program installed earlier.

The virtual keyboard was able to prevent the clipboard hijacking. The program fundamentally blocks attacks on keyboard input, such as keyloggers and clipboard hijacking, by making the user enter the value with the mouse only, on the virtual keyboard screen, without using the real keyboard or the clipboard. It also encrypts the input data. It is used by almost all banks in South Korea. I can say that transferring money in the bank's web environment is fairly safe from clipboard hijacking.

Evaluation

I tried hijacking the clipboard and looked at how attackers could use it. Under the premise that the program is running secretly on the victim's computer, it worked perfectly against the popular cryptocurrency wallets with a very short script. With a little additional code, it stores every 'copy' event in a file and then sends the file to the attacker's email. Security researchers at 'BleepingComputer' found malware of this kind that monitors 2.3 million cryptocurrency wallet addresses and replaces them with the attackers' own. The way to prevent clipboard hijacking is for users to keep their anti-virus solution updated and to double check the copied addresses. The South Korean bank system, on the other hand, fundamentally blocks the principle behind clipboard hijacking: instead of the real keyboard, the bank provides a virtual keyboard. Even though the clipboard contents are changed by the script when the user copies the account number, there is no way to paste the changed value. I therefore suggest this kind of virtual keyboard as a way to prevent clipboard hijacking in cryptocurrency transactions as well. Of course, virtual keyboards have security issues of their own; keyloggers are one. However, the security company that developed 'TouchEnNxKey' states that this virtual keyboard is safe from various kinds of keyloggers because it encrypts the input data.

Conclusion

This post shows how easily the clipboard can be controlled with a very small script and how attackers can abuse that control. Unlike the existing banking system, which has long been committed to defending against various kinds of attack, the relatively new cryptocurrency wallet plugins appear to be very weak in transaction security. As the blockchain industry becomes commercially available, more cryptocurrency transactions will occur. Security programs that can detect processes hijacking and changing the contents of the clipboard, or that provide a virtual keyboard, are needed in current wallet plugin systems. Until then, special care from users is necessary.
