There's a new malware spreading via email right now, and it targets Cryptocurrency users in Japan, the U.S. and elsewhere by replacing Bitcoin, Litecoin, Monero and Ethereum addresses stored in the Windows Clipboard with its own.
The new malware, called ComboJack after the way it attempts to make off with not one but multiple cryptocurrencies, take advantage of the simple fact that users would rather copy and paste their wallet addresses rather than type them in by hand.
Bitcoin addresses, for example, is made up of a jumble of letters and numbers that are 34 characters long. Ethereum addresses are even longer, at 42 characters long, but both of them have nothing on Monero. The addresses for Monero not only could differ in length across accounts, they could also come as strings 95 to 106 characters long, as Digital Trends noted.
It simply takes too long and is error-prone to type in these addresses by hand. Copying and pasting seem to be the obvious solution here, except that it's a user behavior ComboJack is designed to go after. When the malware detects an address being copied to the Windows clipboard, it replaces them with its own address.
Users who don't double-check what address they copied and pasted will then find their crypto being diverted elsewhere, usually when it's too late.
Researchers at Palo Alto found an email spam campaign spreading ComboJack around, one that is aimed at cryptocurrency users in Japan and America. The message, in broken English, claims that they left their passport in the office and sends a PDF file that supposedly contains a scanned copy of it for verification.
The PDF file contains an infected Microsoft Word document instead, one that carries a VBScript macro that will release ComboJack into the system when opened.
The vulnerability has been patched by Microsoft back in Sep. 2017, so updated Windows systems can avoid getting infected, as ZDNet noted. Still, it's better for users to be very careful of email attachments, especially for messages not directly addressed to them.