Attackers Use BBC to Exploit IE Flaw
Security firms are warning Internet users of a new method of attack that attempts to fool people into clicking on links to supposed BBC News stories. However, the page visited is a forged copy, and a keystroke logger is installed on the victim's computer through a vulnerability in Internet Explorer.
Attackers are taking advantage of a previously discovered flaw in Microsoft's ubiquitous browser. The problem causes IE to incorrectly interpret the "createTextRange()" method when it is used on radio button controls in HTML forms, allowing malicious code execution.
WebSense Security Labs first sent out an alert on the issue Thursday. "This keylogger monitors activity on various financial websites and uploads captured information back to the attacker," the group warned in an updated advisory on the flaw.
Victims are lured to the fake BBC News pages by invitations to read the stories sent through e-mail. These messages may appear similar to those that the actual site sends out, so users should ensure they know the sender of the messages, WebSense said.
According to security researchers, in addition to the fake BBC News site, about 200 other sites on the Internet are designed to exploit the new vulnerability. Most of them attempt to install spyware and malware on a victim's computer.
Microsoft says it is working on a fix for the problem, and is currently scheduled to release an update as part of its monthly patches on April 11. However, security firms believe the vulnerability is severe enough that some have released their own unofficial patches.