Latest Web Scam Uses BBC News as Bait Tim Willert, newsfactor.com Fri Mar 31, 7:00 PM ET Bogus e-mails containing real BBC News stories are tricking PC users into visiting a fake Web site that installs password-stealing software onto their computers. The e-mails are exploiting a newly discovered flaw in Microsoft's Internet Explorer browser, according to Websense Security Labs, a San Diego-based company that uncovered the problem on Thursday. The messages outlined in the alert contain excerpts from actual BBC stories and provide a link to "Read More." Users who click on the link are taken to a site that features a full copy of the BBC story from the e-mail. But accessing the Web site triggers the installation of a keylogger, a type of program that monitors keystrokes to steal private information. People who have unwittingly downloaded a keylogger might type in their user names, passwords, and credit card numbers, as usual, unaware that the spyware is sending this information back to a criminal. "This is a pretty important discovery because there could be a lot of people who could be affected by it," said Ronnie Manning, a Websense spokesperson. It was unclear late Friday how many computers had been compromised by the e-mail scam. Spoof Pages Both Microsoft and the BBC advised people not to follow the link. "We have had people creating spoof pages of our site before," Steve Herrmann, editor of the BBC News Web site, said Friday in a published statement. "But using them in this way to attack people's online security is particularly troubling to us and a cause for serious concern." The latest alert comes on the heels of other reports detailing vulnerabilities in Internet Explorer 6. Last week, Microsoft and security authorities warned of a critical, unpatched script vulnerability in the browser that could allow a hacker to take complete control of a Windows PC. Microsoft said it continues to monitor the problems with the help of law enforcement, and is completing development of a cumulative security update for Internet Explorer that is scheduled to be released on April 11. While the flaw related to the BBC news scam remains unpatched, security vendor eEye Digital Security has created a temporary patch for the script vulnerability. Microsoft has not certified the eEye patch, and the security firm is calling its fix a stopgap until the official patch is released. "In fact, eEye has engineered the patch to automatically remove itself when Microsoft's official patch comes through," said Marc Maiffret, eEye's cofounder and chief hacking officer. Browser Bummers Microsoft's custom is to release all security patches on the second Tuesday of every month. That means that PC users have to wait if a so-called "zero day" vulnerability -- a problem for which there is no available patch -- hits. In response to feedback from customers requesting a better way to alert Microsoft to problems, the software giant has created an online database to collect information on potential bugs found in the beta version of Internet Explorer 7. Paul Stamp, an analyst at the consulting company Forrester Research, said that given the ongoing problems associated with Internet Explorer, Microsoft needs a forum for user feedback. "Browsers are so complex now that there are more bases to cover," Stamp said. "And because Microsoft went years before taking a proactive approach to Explorer bugs, there will be more flaws cropping up." While the database will not help solve current issues associated with Internet Explorer 6, it represents another step in Microsoft's efforts to improve the security of its software.