
Just like the paste that you liked to eat in kindergarten, pasting directly from web pages may be bad for you too.

In short, don’t trust copy and paste from web pages; it’s no longer safe. Malware attacks are getting trickier and trickier, with more methods of infection appearing every day. One of the latest of these growing attack trends is the “pastejacking” attack.

Pastejacking is a technical variation of the old bait and switch. You copy one thing from a web page, but when you paste it you get something else. That ‘something else’ includes not only your desired web contents, but also a malware installer. From there on, your machine is infected and ickiness ensues. There are two major variants of this type of attack: Pastejacking with JavaScript, and Pastejacking with CSS.

Pastejacking with JavaScript

JavaScript is used in a large portion of the webpages on the Net. It is used to do all sorts of things like slideshows, drop-down menus, flying-this and floating-that. It is so popular that it is hard to find pages these days that do not use JavaScript.

When you copy things from a web page you can either use the highlight-then-right-click-and-choose-copy method, or you can use highlight-then-press-Ctrl+C. Either of these methods places whatever you highlighted into your workstation’s clipboard for you to paste wherever you want. Pastejacking with JavaScript uses a malicious script that watches for the copy event. When you copy, the script replaces the contents of your clipboard with the same contents plus some malware installer code. The attack doesn’t actually take place until you paste the clipboard contents into an application, like Word or Excel, that allows the malware installer code to run. Once the malware installer runs, your workstation will likely become infected.
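One way to spot the substitution described above is to compare what was highlighted with what actually reached the clipboard. This is an added example, not code from the original article; `auditClipboard`, its finding names and the sample strings are hypothetical, and the browser wiring assumes it runs from a userscript or extension that is allowed to read the clipboard.

```javascript
// Added example: flag clipboard text that differs from the highlighted text.
// auditClipboard and the finding names are hypothetical, not a library API.
function normalize(s) {
  // Collapse whitespace runs so harmless layout differences are ignored.
  return s.replace(/\s+/g, ' ').trim();
}

function auditClipboard(selectedText, clipboardText) {
  const findings = [];
  const want = normalize(selectedText);
  const got = normalize(clipboardText);
  if (got === want) return findings; // clipboard matches the selection
  const at = want === '' ? -1 : got.indexOf(want);
  if (at === -1) {
    // The selection is not in the clipboard at all: a full swap.
    findings.push({ type: 'replaced', detail: got });
    return findings;
  }
  // "Same contents plus something": report what was added around it.
  const before = got.slice(0, at).trim();
  const after = got.slice(at + want.length).trim();
  if (before) findings.push({ type: 'extra-before', detail: before });
  if (after) findings.push({ type: 'extra-after', detail: after });
  return findings;
}

// Constructed sample input: a selection and a clipboard with appended content.
const SAMPLE_SELECTED = 'Quarterly totals are in the attached sheet.';
const SAMPLE_CLIPBOARD = SAMPLE_SELECTED + ' [constructed placeholder for appended content]';
console.log(auditClipboard(SAMPLE_SELECTED, SAMPLE_CLIPBOARD));

if (typeof document !== 'undefined') {
  // Browser wiring (assumption: userscript or extension content script).
  document.addEventListener('copy', () => {
    const selected = String(window.getSelection());
    // Read back only after the page's own copy handlers have finished.
    setTimeout(async () => {
      try {
        const findings = auditClipboard(selected, await navigator.clipboard.readText());
        if (findings.length) console.warn('Clipboard differs from selection:', findings);
      } catch (err) {
        console.warn('Clipboard could not be read for checking:', err);
      }
    }, 0);
  });
}
```

This check covers the JavaScript variant only; content hidden with CSS is part of the selection itself, so the selection and the clipboard will agree.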

You can thwart this attack by turning off the loading of JavaScript with a browser plugin like NoScript, but that rather drastic move stops a lot of webpages from displaying correctly for you. Even then, you can still be hit by a Pastejacking with CSS exploit.

Pastejacking with CSS

Like JavaScript, Cascading Style Sheets (CSS) are used by almost every webpage that exists now. These are sets of browser commands that format the webpage to look and act nicely for you. CSS chooses what fonts to use, where to place certain page sections, how to display images and more. CSS can also be used to position a part of the webpage to ‘appear’ behind something else, or even outside of the visible browser window where you can’t see it. Yes, CSS can do that. Something malicious may be hidden by CSS behind the text that you copy. Again, you have to copy and then paste the offending part of the webpage in order for this to happen, so it’s the pasting that kicks off the downloaded code that infects your machine.

The Pasting Prophylactic

The simplest way to protect yourself is to ‘cleanse’ your clipboard material using a program that strips away any excess code and pastes only the text that you wanted. Fortunately, every Windows machine comes with this cleansing program. It’s called Notepad. Notepad strips away formatting and any hidden code, including scripts, so that only text is pasted into Notepad. It doesn’t have to be Notepad, of course; any text editor will do. I like Notepad++.

Once you have pasted your web text into your text editor, you can copy it from there and then paste it to the final destination. This does mean that you will have to download any images separately, since the text editor strips them out of the paste operation too, but I consider it a small price to pay for safety.

Naked Security did an excellent write-up of this if you want more info.