
Clipboard Protection: Our Latest Defense Against Evolving Threats

How Our Clipboard Protection Defends Against Growing Cyberthreats
Written by Luis Corrons, Jan Rubín
Published: November 26, 2024
Read time: 6 Minutes

    The clipboard is a simple yet essential feature we use daily to copy and paste text, links, and other content. But what if this convenience turned into a cybersecurity risk? Cybercriminals have discovered ways to exploit this feature, making it a target for a range of sophisticated attacks. 

    At Gen, we are committed to staying ahead of these threats. That’s why we’ve introduced a powerful clipboard protection feature in our antivirus stack. Now part of Norton, Avast and AVG, this feature proactively protects millions of users against threats like ClickFix and FakeCaptcha, all without requiring any action from our customers.

    How Clipboard Attacks Work

    Cybercriminals have developed sophisticated ways to manipulate the clipboard, often hiding their malicious intent in plain sight. Here’s how they do it:

    • Exploiting Familiarity: Clipboard attacks rely on users’ comfort with copying and pasting, tricking them into pasting harmful scripts or links into their systems. Our new clipboard protection feature directly addresses this attack vector by scanning the clipboard content whenever something is copied from a webpage.
    • Swapping Clipboard Content: Some malware, like clippers, replaces copied data with malicious content, such as fraudulent payment addresses or harmful commands.
    • Stealing Sensitive Data: Infostealers monitor clipboard activity, capturing valuable information like passwords or credit card numbers.

    By focusing on the first attack type, clipboard protection adds a crucial layer of defense to safeguard users during online interactions.

    Real-World Threats: ClickFix and FakeCaptcha

    Two of the most widespread clipboard-based attacks we’ve observed are ClickFix and FakeCaptcha. Both mislead users into copying a script to their clipboard and pasting it into a PowerShell terminal or a Run prompt, which executes it.

    • ClickFix: This malware tricks users into copying and executing malicious scripts, often disguised as fixes or solutions to technical issues.
    Example of ClickFix attack delivered via a phishing email
    ClickFix used by ClearFake social engineering campaigns
    • FakeCaptcha: A variant of ClickFix, this threat uses familiar CAPTCHA designs—like those seen with Cloudflare’s reCAPTCHA prompt—to deceive users into copying and pasting harmful code.
    FakeCaptcha leveraging Cloudflare design of reCAPTCHA

    One common technique involves prompting users to paste the copied command into the Windows Run dialog. However, the malicious part of the command remains hidden, and the user only sees a benign-looking message like "Verify you are human," masking the underlying threat.

    Introducing Clipboard Protection

    To combat clipboard-based threats, we’ve added a new layer of defense to our antivirus stack. Here’s how it works:

    • Automatic Scanning: The feature activates whenever a clipboard manipulation occurs on a website, scanning the content for malicious elements.
    • Part of Script Shield: This functionality is integrated within the Script Shield component of our antivirus software.
    • Browser Support: Compatible with Chrome and Firefox, covering over 70% of the browser market, and we’re committed to adding support for more browsers to enhance user security.
    • No User Action Needed: Delivered through regular engine updates, ensuring all customers have the latest protection without lifting a finger. 
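
    To make the idea of scanning page-initiated clipboard writes concrete, here is an added example (not code from Gen or from Script Shield). The patterns, the lure list, the `VISIBLE_CHARS` width and the function names `scanClipboardText` and `guardClipboard` are assumptions made for illustration.

```javascript
// Added illustration, not Gen's Script Shield logic: the patterns, the lure list and
// VISIBLE_CHARS are assumptions chosen for this example.
const INTERPRETERS = /\b(powershell(\.exe)?|pwsh|mshta(\.exe)?|cmd(\.exe)?\s+\/c|wscript|cscript)\b/i;
const LURES = /(verify you are human|i am not a robot|captcha)/i;
const VISIBLE_CHARS = 40; // assumed number of trailing characters a narrow input keeps in view

// Constructed samples; the angle-bracket text is a placeholder, not a real command.
const SAMPLE_LURE = 'powershell.exe <constructed placeholder for the part the user never reads> Verify you are human';
const SAMPLE_DOCS = 'powershell Get-ChildItem';

function scanClipboardText(text) {
  const reasons = [];
  if (INTERPRETERS.test(text)) reasons.push('script-interpreter');
  if (LURES.test(text)) reasons.push('lure-text');
  // The case described above: the tail that stays in view reads as a harmless message
  // while the interpreter call sits in the part that is out of view.
  const visible = text.slice(-VISIBLE_CHARS);
  const hidden = text.slice(0, -VISIBLE_CHARS);
  if (hidden && LURES.test(visible) && INTERPRETERS.test(hidden)) reasons.push('hidden-command');
  // A bare interpreter name is common in documentation, so it is not enough on its own.
  const malicious = reasons.includes('script-interpreter') && reasons.includes('lure-text');
  return { malicious, reasons };
}

// Wrap a Clipboard-like object (navigator.clipboard in a browser) so that every
// page-initiated writeText() is scanned before the text reaches the clipboard.
function guardClipboard(clipboard, onBlock) {
  const original = clipboard.writeText.bind(clipboard);
  clipboard.writeText = async (text) => {
    const verdict = scanClipboardText(String(text));
    if (verdict.malicious) {
      onBlock(verdict);
      throw new Error('clipboard write blocked');
    }
    return original(text);
  };
  return clipboard;
}
```

    This example covers only `writeText()`; a page can also set the clipboard through the `copy` event or `document.execCommand('copy')`, which a complete guard would have to scan as well.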

    Clipboard-based attacks like ClickFix and FakeCaptcha have become some of the most prevalent attacks today. We have earlier detection layers blocking millions of attacks, but this new protection goes further and serves as a safety net, catching threats that evade other detection methods.

    This clipboard protection feature isn’t just for today’s threats—it’s designed to adapt. If cybercriminals develop new techniques tomorrow, this agnostic protection layer will continue to safeguard our customers.

    It also helps us refine our detection strategies, enabling faster and more efficient responses to emerging threats.

    The following heatmap showcases the global impact of Gen's clipboard protection, highlighting regions where the feature has successfully thwarted attacks. This visualization underscores the widespread prevalence of clipboard-based threats and the importance of having robust security measures in place.

    The screenshot below shows how Gen's clipboard protection actively safeguards users against clipboard-based attacks. In this instance, Avast identified and blocked a malicious script copied to clipboard on a webpage, attempting to deliver malware through clipboard manipulation. The alert highlights our solution's proactive approach, ensuring users are protected in real-time before harm can occur.

    Tips for Staying Safe

    While clipboard protection adds a robust layer of security, users should remain vigilant:

    1. Keep Antivirus Up to Date: Regular updates ensure the latest protections are in place.
    2. Be Aware: Recognize and avoid threats like ClickFix and FakeCaptcha.
    3. Avoid Untrusted Software: Never execute scripts or code from unknown sources.
    4. Spread Awareness: Share knowledge about these threats with family, friends, and colleagues.

    Protecting Millions Without Lifting a Finger

    With clipboard protection now part of the Gen antivirus stack, we’re not just meeting today’s threats; we’re anticipating tomorrow’s. This isn’t about updates; it’s about an unwavering commitment to progress, delivered without disruption. At Gen, we lead with innovation, ensuring that as cybercriminals adapt, we stay steps ahead—so you can navigate the digital world with confidence, knowing your security is our mission.

    Luis Corrons
    Security Evangelist at Gen
    Luis has worked in anti-virus for over a century. Outside of Gen, he's a WildList reporter, chairman of the Board of Directors of AMTSO (Anti-Malware Testing Standards Org) and a member of the Board of Directors of MUTE (Malicious URLs Tracking and Exchange).
    Jan Rubín
    Senior Malware Researcher