BBC used as lure for unpatched IE exploit
Snippets of BBC news stories are being used to lure Internet users into installing a damaging Trojan on their computers, it has emerged. Emails containing the ‘news’ stories end with an invitation to ‘read more’, which takes the reader to a malicious website and installs software to monitor their visits to banking websites and other financial institutions.
The keylogger Trojan exploits the unpatched ‘Create TextRange’ flaw in Internet Explorer, which has been rated as ‘highly critical’ by security firm Secunia.
People who receive the spam emails purporting to be BBC news are warned not to follow the links. ‘We have had people creating spoof pages of our site before,’ commented Steve Herrmann, editor of the BBC News website. ‘But using them in this way to attack people’s online security is particularly troubling to us and a cause for serious concern.’
Microsoft has announced that it plans to patch the vulnerability in the next security update due on 11 April. However, with all versions of Internet Explorer from Windows 2000 onwards – including the latest Internet Explorer 7 beta – vulnerable to the exploit, cyber criminals are clearly rushing to make hay while the security gap remains open.