The ongoing zero-day attacks against users of Microsofts Internet Explorer browser have taken an ominous, social-engineering twist.
According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.
One version of the spammed e-mail seen by eWEEK contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar.
After the legitimate excerpt, the hackers embedded a “read more” link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail.
Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action.
The keylogger monitors activity on various financial Web sites and uploads captured information back to the attacker. It appears that this is the work of a well-organized identity theft ring, stealing bank log-ins and other sensitive user information.
The latest twist comes almost a week after the first wave of attacks started dropping a variant of SDbot, a type of back-door attack that gives hackers complete control of infected computers. SDbot allows attackers to control victims computers remotely by sending specific commands via IRC (Inter Relay Chat) channels.
The earlier exploits were being launched from several legitimate Web sites that were hijacked and seeded with malicious code. These include an airline ticketing system, an insurance sales site and a site that sells e-commerce software.
Microsoft, in Redmond, Wash., has described the attacks as “limited in scope” and said it plans to ship a comprehensive browser fix on April 11.
The company is also mulling a plan to release an emergency, out-of-cycle update prior to next months Patch Tuesday.
In the absence of a Microsoft patch, two well-respected Internet security companies—eEye Digital Security and Determina—have released unofficial hotfixes to provide temporary protection for IE users.
Since the release of eEyes third-party patch on March 28, the company has counted more than 92,000 downloads.