Slashdot Mirror

← Back to Stories (view on slashdot.org)

BBC Site Used as IE Attack Lure

Posted by ryuzaki0 on from the reads-good-enough-to-be-true dept.

capt turnpike writes "The hits just keep coming... according to eWEEK.com, someone is using actual excerpts of BBC news stories to 'launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.' One example is a story blurb masking the download and installation of a keylogger -- with no user interaction. And it doesn't even tell you it loves you."

28 of 83 comments (clear)

  1. How is this news? by Anonymous Coward · · Score: 3, Interesting

    So... they used BBC news as bait... WOW! It's not like they took over the BBC site and used it.

    1. Re:How is this news? by TommyBlack · · Score: 4, Funny
      WOW! It's not like they took over the BBC site and used it.
      No, of course not. I'm the one who did that.

      Click here to read an interesting BBC story about it
      --
      Why do my serious comments get modded "funny"?
  2. eWeek is retarded... by ninja_assault_kitten · · Score: 3, Insightful

    "The hits keep coming in..." Yeah, 1 every hour. The media wants to make this the most critical vulnerability that ever existed. What a joke.

  3. Erm, why is this a story? by baldass_newbie · · Score: 5, Insightful

    I mean, a known bug is exploited and it's using quoted text from the BBC site.
    If they do it again tomorrow with text from nytimes.com would that be another story?

    --
    The opposite of progress is congress
    1. Re:Erm, why is this a story? by bersl2 · · Score: 2, Funny

      They need to do it using eWeek.

    2. Re:Erm, why is this a story? by i_should_be_working · · Score: 4, Funny

      Maybe slashdot will be spoofed next. That will be a story. That could be the story. Emails that read:

      "Tech website Slashdot article links to vulnerability exploiting websites. Read more here"

      And whoever submits it to /. won't even have to rephrase it.

    3. Re: Erm, why is this a story? by Black+Parrot · · Score: 4, Funny

      > If they do it again tomorrow with text from nytimes.com would that be another story?

      And will it be safe to read about it at BBC?

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:Erm, why is this a story? by Firehed · · Score: 5, Funny

      Wouldn't this end up creating some sort of infinate dupe-loop and tear the fabric of space-time?

      --
      How are sites slashdotted when nobody reads TFAs?
    5. Re:Erm, why is this a story? by richdun · · Score: 4, Funny

      Possibly. It'd be the first exploit that required soul-sucking registration to activate it.

  4. Now I'm worried.... by Black+Copter+Control · · Score: 4, Funny
    From TFA:
    Click here to read more about drive-by attacks on the Internet Explorer vulnerability.
    And if I click there, just what do I get?

    (Times like this I'm glad that I use linux ... Until, of course, the next zero-day firefox hole, at which point I'll switch to konqueror or..).

    --
    OS Software is like love: The best way to make it grow is to give it away.
    1. Re:Now I'm worried.... by the-amazing-blob · · Score: 5, Funny
      And if I click there, just what do I get?
      I don't understand why everyone is so afraid of these things. They monitor us, keep track of us. The kind of thing a girlfriend would do if we had one. Think of keyloggers and the like as your new Girlfriend (beta 0.2, results may vary)
    2. Re:Now I'm worried.... by Mal-2 · · Score: 3, Funny

      > Think of keyloggers and the like as your new Girlfriend (beta 0.2, results may vary)

      I'm worried about the child processes that will be spawned...

      Mal-2

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  5. WOW! by jav1231 · · Score: 4, Funny

    An IE vulnerability! That's news!

  6. Fake URLS Suck! by Giant+Ape+Skeleton · · Score: 5, Funny

    According to This article, using bogus URL's to trick people is still the most effective social engineering trick in the book. Of course, that may not apply to those in the Slashdot community :p

    --
    The difference between stupidity and genius is that genius has its limits.
    1. Re:Fake URLS Suck! by MBCook · · Score: 5, Funny
      I clicked your link.

      It's an apache configuration page!
      I'M BEING HACKED!

      AAAAAAaaaaahhhhhh......

      I'd better call the FBI!

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
    2. Re:Fake URLS Suck! by Anonymous Coward · · Score: 3, Funny

      woah, whoever maintains that site is one sick f*cker.

    3. Re:Fake URLS Suck! by jftitan · · Score: 3, Funny

      Tech Support : I'm sorry sir, but Apache is the name for the webserver software used to run your webpage.

      you:..... AHHHHHHHHHH

      Tech Support: You go right ahead and call the FBI and Police, I'll be sure to let them know about everything, right after I shoot off our transcribed converation to your local news agency.

      you: (what you say, next will make an interesting conversation)

      --
      "Don't Forget to Salt the Fries"
    4. Re:Fake URLS Suck! by Trogre · · Score: 2, Funny

      It's a known spammer's site.

      Better DDOS the bugger before it hurts anyone else.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
    5. Re:Fake URLS Suck! by Doppleganger · · Score: 2, Funny

      Hey... that idiot uses the same root password I do! He's got loads of MP3s and warez here, I'm gonna download 'em all and then format his drive before he knows what hit him!

  7. How ironic, the full article has drive by links by rivj0r · · Score: 2, Interesting

    You'd have to be crazy to click on them while reading that article.

  8. My SITE HAS BEEN HIJACKED by Billly+Gates · · Score: 4, Funny

    MY name is James Taylor and I clicked on your link and then the web went down all by itself!

    It was taking over by a hostile native american terrorist organization called apache running on Gentoo gnu/linux. Damit hacker! I need to call the FBI over and sue you for this.

    --
    http://saveie6.com/
  9. Newsworthy? by Yomer333 · · Score: 3, Interesting

    Not really sure why this is even news. After a computer security competition last weekend, I had the chance to talk to professional security auditors, i.e. hackers. The reason I bring it up is that at one point, one of them said that "he had a web page he would like everyone to visit...with firefox." Needless to say, this scared the shit out of me. After pressing for more info of browser related exploits, he said that IE7 is suprisingly solid security-wise. Same goes for Vista, at least the parts of it that are finished (no more ldap). I shudder at the thought of IE pushers trying to convince people to switch away from firefox because it's not secure enough. I don't know, food for thought.

    1. Re:Newsworthy? by bunratty · · Score: 3, Informative

      Gosh. I'm glad you told me this. Now I'll know better and ignore all those warnings about extremely critical vulnerabilities in Internet Explorer from Secunia I keep seeing.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    2. Re:Newsworthy? by zcat_NZ · · Score: 3, Interesting

      What's the URL?

      I can name plenty of URL's that install drive-by spyware on MSIE (astalavista.box.sk, serials.ws). Go ahead and give me even one solitary URL that installs drive-by spyware through firefox. Just one! I promise I will visit it with firefox, and let you know the results.

      --
      455fe10422ca29c4933f95052b792ab2
  10. What harm in bundling the browser? by chill · · Score: 4, Insightful

    So, what harm is there in bundling the browser with the OS shipped on 90% of the retail PCs in the world? What harm is there in integrating the browser into the core of the operating system?

    Apparently, if you bundle a half-ass product where only lip service was paid to security, the cost is greater than anyone realizes. IE was crammed in there with the sole purpose of crushing Netscape and dominating the Internet market. It was rushed, with slipshod quality and security only as an afterthough -- and that only by the PR department.

    "Where do you want to go today?" seems to have found an answer... ...let's stop by your bank and credit card accounts on the way to an organized crime hangout and/or third-world country! Fun!

      -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
    1. Re:What harm in bundling the browser? by Tim+C · · Score: 2, Insightful

      It was rushed, with slipshod quality

      Maybe we're thinking of different versions of IE, but while I agree with your comments on security, I can't agree with that statement.

      I remember IE 3; it was no match for Netscape 3 in terms of features or stability. Compared to Netscape 4 it was laughable; Navigator shat all over it from a great height.

      Then IE 4 came out, and everything changed.

      IE 4 was far more stable, faster and had more features. As an example, when resizing the window, Netscape had to rerequest the page from the server; IE did not. Netscape crashed on average a couple of times a day for me, both under Windows and Linux. When Mozilla development started and they published their set of browser torture tests, I distinctly remember one page that featured a lot of deeply nested tables. IE (5?) rendered it in a handful of seconds; Netscape 4 took over a minute.

      Now don't get me wrong, I have never and likely never will use IE as my primary browser. I went straight from Netscape 4 to one of the milestone builds of Mozilla (and currently use Firefox). Despite all the issues with Netscape 4 (instability, incresing number of sites that didn't work with it, etc) I simply could not bring myself to use IE. Even now, the only time I use IE is when I have to, if a site doesn't work in Firefox (generally my fault these days due to an over-zealous Adblock config) or if I have to for a site I'm working on at work. I'm no IE fan-boy; quite the opposite in fact, I can't stand it.

      However, saying that IE was of "slipshod quality" is disingenuous at best. Yes, modern browsers are superior to IE 6 in almost every regard, but at the time that IE was being integrated into Windows, it had little or no competition.

      let's stop by your bank and credit card accounts on the way to an organized crime hangout and/or third-world country! Fun!

      What's wrong with surfing a site in a third-world country?

      --
      It's official. Most of you are morons.
  11. April 11??? by Black+Copter+Control · · Score: 2, Insightful
    So Microsoft is planning to release a patch for this zero-day drive-by attack on April 11.....

    Hackers Thank God for Microsoft Marketing Policy.

    The policy may be designed to make life easier on sysadmins (or, at least, their managers), but it also makes life easier on hackers. I mean, if I had a zero day exploit, I'd start using it on patch day. That way I'd probably have a full month to exploit it before Microsoft released their scheduled patch.

    Scheduled monthly patches are fine for non-critical issues, but when you have zero-day drive-by exploits like this, you've got to have a policy that puts user security ahead of marketing hype. Waiting until you have a full-fledged epidemic is not the way to secure your user's future.

    --
    OS Software is like love: The best way to make it grow is to give it away.
  12. Re:Firefox, anyone? by sremick · · Score: 2

    Fear of change, basically. The more Microsoft bundles with the OS, the more conditioned vendors are to not bundle or support 3rd-party apps. There is such an entrenched mindset and culture of IE-use and support that, despite the very real possibility that "something else" might be BETTER and cost LESS to support, they're too-scared to try to retrain their techs and reprint the support manuals, scripts, and flowcharts.

    You tell a support tech you're using anything other than IE and he'll throw his hands up and try to close the call. It's not in his scripts and you've just fucked up his average call time.

    The mentality is that it's more-efficient to support one and only one thing, even if that "one thing" is the worst choice, and results in exponentially-more work in the long-run. It's not like they CAN'T support IE at all, since MS bundles it, and most people are just going to use it. So they're stuck.

    Besides, then what would be the incentive to sell everyone copies of Norton Security Suite? That's a lucrative market. As is charging $100/call to walk a user through running Ad-Aware.