Skip to content

cybersecrs/hijack-test

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

This gem is update of CLIT, but name is taken and I found this one more understandable about what it does

Gem Version

Introduction to Clipboard Hijack Tester

Clipboard is always a good resource to steal data. Passwords and bank accounts were targeted in past, and cryptocurrencies in last few years. This is hard to determine since there's no server for communication, it doesn't care about your files, it's only purpose is to wait for you to copy BTC address to make a payment, to steal your coins.


How to Run

Clone repository and run bin/setup to install dependencies:

git clone https://www.github.com/cybersecrs/hijack-test && cd hijack-test && bin/setup

This will download source of hijack-test and install:

  • notify-send
  • spd-say
  • gem 'clipboard'

If you have notify-send and spd-say, you can run:

bundle install
or
gem install clipboard

To install gem locally run:

gem install hijack-test

This is not recommended way to install, until I create list of addresses to use, not just one

Edit patterns for more security. Maybe someone put this address to avoid hijack-test.

Open lib/hijack-test.rb and edit lines:

BTC   = 'change btc address here'
EMAIL = 'change email address here'

Execute once

ruby bin/hit

Execute every "n" seconds (default 1 hour):

ruby bin/hit -s
or
ruby bin/hit --start

To change sleep time, edit number of seconds in bin/hit on line 12:

sleep(3600)

How Clipboard Hijacker Work?

There are many ways to create malware that steal or change clipboard data, and all of them use different techniques to manipulate system clipboard api. Earlier this year Ruby Gems Website was filled with fake gems that include clipboard hijacker. It was found in 720 ruby gems, and malware targeted windows users only. It monitor users clipboard, and if it recognize string similar to BTC address, it change your clipboard data to one of many addresses from the list (recognition in this malware is based on regex). Hopefully, it's removed after two days and nobody lost their money. But that's for 2020 only, because Ruby Gem's was under the same attack 2018 and 2019. They also think the attack was performed by same people.

Check 'CLISTER' repository for proof of concept how hijackers work

This script use CryptoAddress Gem to determine if clipboard data is valid address. If address is valid, it's changed with one you defined.


How To Protect?

Get software that check your clipboard for changes when bitcoin address is copied. I didn't found one, so I've created Hijack-Test Gem. This is in early development stage, but do it's job and test your device for Bitcoin address and E-mail address patterns. If copied and pasted addresses are not same, you'll receive alarm with sound and visual notification, and error in terminal window.


Contribution

If you like this gem, feel free to share it with your friends, so more people can use it.
cybersecrs.github.io