The ongoing zero-day attacks against Internet Explorer users have taken an ominous social-engineering twist.
The ongoing zero-day attacks against users of Microsoft's Internet Explorer browser have taken an ominous, social-engineering twist.
According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.
One version of the spammed e-mail seen by eWEEK contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar.
After the legitimate excerpt, the hackers embedded a "read more" link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail.
Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action.
The keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker. It appears that this is the work of a well-organized identity theft ring, stealing bank log-ins and other sensitive user information.
The latest twist comes almost a week after the first wave of attacks started dropping a variant of SDbot, a type of back-door attack that gives hackers complete control of infected computers. SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Internet Relay Chat) channels.
The earlier exploits were being launched from several legitimate Web sites that were hijacked and seeded with malicious code. These include an airline ticketing system, an insurance sales site and a site that sells e-commerce software.
Microsoft, in Redmond, Wash., has described the attacks as "limited in scope" and said it plans to ship a comprehensive browser fix on April 11.
The company is also mulling a plan to release an emergency, out-of-cycle update prior to next month's Patch Tuesday.
In the absence of a Microsoft patch, two well-respected Internet security companies, eEye Digital Security and Determina, have released unofficial hotfixes to provide temporary protection for IE users.
Since the release of eEye's third-party patch on March 28, the company has counted more than 92,000 downloads.