The ongoing zero-day attacks against users of Microsoft’s Internet Explorer browser have taken an ominous, social-engineering twist.
According to an alert issued by Websense Security Labs, in San Diego, excerpts from actual BBC News stories are being used to lure IE users to Web sites that launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.
One version of the spammed e-mail seen by eWEEK contains a portion of a BBC News item published on March 27 about the Chinese yuan hitting a post-revaluation high against the U.S. dollar.
After the legitimate excerpt, the hackers embedded a “read more” link that points to a Web site that contains a spoofed copy of the BBC News story from the e-mail.
Websense researchers found that the rigged site exploits the unpatched createTextRange vulnerability to download and install a keystroke logger without any user action.