Beware of BBC news scam  

redmustang91 58M  
8986 posts
4/1/2006 11:33 am
Beware of BBC news scam

The latest trick to exploit Microsoft Explorer flaw is a scam where you click on a BBC news link and you install a key logger. Nasty. Microsoft claims a fix by April 11! Read more here:

BBC stories used as bait for IE exploit
By Joris Evers
Cybercrooks are spamming e-mail messages to trick people into visiting malicious Web sites that exploit a recent Internet Explorer flaw, experts warned Thursday.

The Web sites take advantage of the vulnerability in the omnipresent Microsoft Web browser to install a keystroke logger on vulnerable computers, according to San Diego-based Websense Security Labs.

"This keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker," Websense said in an alert. The malicious software could capture log-in names and passwords for the sites, information criminals could sell or possibly use to plunder a victim's account.

The e-mail messages used to lure people to the Web sites contain excerpts from BBC news stories and offer a link to "read more," Websense said. This link leads to a forged BBC Web page where the malicious software is dropped onto a vulnerable PC by exploiting the "createTextRange()" vulnerability in IE, according to Websense's alert.

The vulnerability has to do with how Internet Explorer handles the createTextRange() tag in Web pages. Since the flaw was disclosed publicly last week, more than 200 Web sites have been found to exploit it. These sites typically install spyware, remote control software and Trojan horses on vulnerable PCs.

Microsoft has said it is working on a fix for the browser. That update is currently scheduled for delivery April 11, Microsoft's regular monthly patch day. However, the Redmond, Wash., company has said it's considering an earlier release.

Meanwhile, two security companies have beaten Microsoft to the punch. eEye Digital Security and Determina both released unofficial fixes for the IE flaw earlier this week. Experts, however, have warned users to be cautious with non-Microsoft fixes and instead suggest using a Web browser other than IE, or disabling Active Scripting, which is also Microsoft's advice.

Become a member to create a blog