BBC news articles are being hijacked by cyber criminals so they can trick headline readers into running malicious code on their personal computers. PCs become infected when the user clicks the ‘Read More’ link at the bottom of an e-mail, typically spam, that carries headlines appearing to come from the BBC News front page. Users who follow the link are taken to a spoof version of the news article, potentially enabling the sender to install a key logger and take control of the user’s system.

By changing their settings to ‘read e-mail in plaintext’, users can prevent the hoax site from exploiting what Microsoft identified as the ‘createTextRange’ vulnerability in IE. The software maker said its security teams are “working day and night” to develop an update for a “serious” attack that was in the wild, yet “limited in scope.” It added it was “unaware of a practical solution to the problem” but issued sensible computing tips ahead of the anticipated fix, scheduled for April 11.

“Home users and businesses need to exercise caution here,” said Carole Theriault, senior security consultant at Sophos. “Users without any additional security measures, such as firewall and anti-virus software, and users who surf the web and open emails without care, are at much higher risk than those who practice safe computing.”

Security experts at Websense hinted the BBC may not be the only big name hijacked, warning that any website specifically crafted to exploit the text range vulnerability is a potential threat. “The websites are intended to exploit the vulnerability, which in turn runs shell code that downloads an SDbot variant. The SDbot variant takes several actions, then connects to an IRC server to await further commands,” the firm said in an online advisory.

Last month, HM Revenue and Customs was the latest in a long line of organisations to fall victim to social engineering tactics – the process where hackers manipulate human tendencies for their own ends.

Microsoft explained, “An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.”

Steve Herrmann, BBC News editor, said the corporation had been hit before by cyber criminals, yet the previous attack had not involved hundreds of spoofed BBC URLs. “We have had people creating spoof pages of our site before,” Herrmann said, writing on the news website. “But using them in this way to attack people's online security is particularly troubling to us and a cause for serious concern.”

Since his comments, eEye Digital Security has issued a temporary patch for the flaw. In an advisory, it warned that users who access BBC headlines via spam e-mail risk handing over the ‘rights of the currently logged on user’ to the malicious party. It added, “System administrators should be careful to not use Administrator accounts for general system use. Currently, there have been numerous reports of this vulnerability being used on various Websites in attempts to install spyware and remote control ‘bot’ software for use in Distributed Denial of Service attacks.”

Apr 3, 2006
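The attack described above hinges on a headline e-mail whose ‘Read More’ link points somewhere other than the news site it claims to come from. The following script is an added example, not code from the article or from any vendor quoted in it: it walks the anchors in an HTML mail body and flags any whose target host is not a BBC News host (the trusted host list and the sample mail, including its placeholder hostname, are assumptions constructed for the demonstration).

```python
"""Flag links in a headline e-mail whose target is not the claimed news site.
Added example for illustration; not from the original article."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts a genuine BBC News headline mail would link to.
TRUSTED_HOSTS = {"bbc.co.uk", "news.bbc.co.uk"}


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(url):
    """True only if the URL's real hostname is, or is under, a trusted host.
    urlparse().hostname ignores user@ prefixes, so 'bbc.co.uk@evil' is caught."""
    host = (urlparse(url).hostname or "").lower()
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def suspicious_links(html):
    """Return (href, text) for every link that leaves the trusted news hosts."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links if not host_is_trusted(href)]


# Constructed sample mail: one genuine link and one spoofed 'Read More' link
# (the hostname below is a placeholder, not a real indicator).
SAMPLE_MAIL = """
<p>Top story from BBC News</p>
<a href="http://news.bbc.co.uk/1/hi/uk/">UK news index</a>
<p>... headline text ...</p>
<a href="http://bbc-news.example.invalid/story.html">Read More</a>
"""

if __name__ == "__main__":
    for href, text in suspicious_links(SAMPLE_MAIL):
        print(f"suspicious link: '{text}' -> {href}")
```

Reading mail in plaintext, as the article recommends, removes the clickable link entirely; this check is the equivalent control for a mail gateway or client that still renders HTML.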