Malicious software plays on legal fears

Hackers are trying to play on business' fear of legal action from customers to trick them into downloading a harmful program distributed through e-mail.

The e-mails purport to come from the Better Business Bureau Inc., an organization that monitors and arbitrates disputes between consumers and businesses in the U.S. and Canada. The e-mails assert that a customer lodged a complaint against the recipient's business, according to a warning on the Web site of Websense Inc., a security vendor.

The e-mails contain a Microsoft Word attachment with the text of the supposed complaint and instructions for how to respond. But embedded in that document is a keylogging program that captures data on the victim's computer and then uploads it to a server in Malaysia.

The keylogger is purposely mislabeled with a ".pdf" extension -- Portable Document Format -- another widely used document format, to make it look harmless, said Henry Gonzalez, Websense's senior security researcher.

The trick is another variation of so-called "social engineering" methods used by hackers, which entice users to unknowingly install harmful programs on their computers.

A Better Business Bureau branch warned of a similar kind of attack in February. At that time, the e-mails contained hyperlinks to malicious Web sites. Some kinds of malicious software can be installed on a user's computer merely by viewing a site engineered to exploit a vulnerability within a Web browser.

The latest attack, using the Word document as the delivery vehicle for the malicious software, is a tactic hackers are increasingly employing.

IDG News Service

Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine