BBC NEWS / TECHNOLOGY
Friday, 31 March 2006, 10:23 GMT 11:23 UK

BBC used to entice cyber victims

People are being warned about spam e-mails containing BBC News stories designed to trick them into visiting malicious websites.

Cyber criminals are using the messages to exploit a recently discovered flaw in Microsoft's Internet Explorer.

If users click on the link, they are taken to a fake website that installs a piece of software that can monitor online financial activity.

People who receive the e-mails are advised not to follow the link.

The alert, from security firm Websense, comes less than a week after security firms found three flaws in the popular browser.

Spoof sites

The new threat takes advantage of one of these vulnerabilities.

The fake e-mails entice readers with excerpts from current BBC news stories and include a link to "Read More".

When the user clicks on the link they are directed to a spoofed BBC news website that installs a piece of software known as a keylogger.

"The keylogger monitors activity on various financial websites and uploads captured information back to the attacker," said the Websense alert.

Other websites known to exploit the bug can install spyware and Trojan horses on unprotected computers.

Using global brands like the BBC to lure people to malicious websites is common practice, according to Mark Murtagh, technical director of Websense.

"We saw a similar approach last year after Hurricane Katrina with e-mails sending requests for help purportedly from the Red Cross," he told the BBC News website. "We are also already seeing the World Cup brand being used in the same way".

Taking down sites

This is not the first time the BBC's name has been used by malicious hackers.

"We have had people creating spoof pages of our site before," said Steve Herrmann, editor of the BBC News website.

"But using them in this way to attack people's online security is particularly troubling to us and a cause for serious concern."

Security firms say hundreds of web links are trying to catch people out using the loophole.

On Microsoft's security blog, the company said it had been very active in working with law enforcement to take down malicious websites.

Microsoft said it would produce patches for the vulnerabilities in its next security update due on 11 April.

However, these could be released earlier if the threat grows significantly. For now, two firms, eEye Digital Security and Determina, have separately produced software patches that close this loophole.



