Malicious software plays on legal fears

Hackers are trying to play on business' fear of legal action from customers to trick them into downloading a harmful program distributed through e-mail.

The e-mails purport to come from the Better Business Bureau, an organization that monitors and arbitrates disputes between consumers and businesses in the U.S. and Canada. The e-mails assert that a customer lodged a complaint against the recipient's business, according to a warning on the Web site of Websense, a security vendor.

The e-mails contain a Microsoft Word attachment with the text of the supposed complaint and instructions for how to respond. But embedded in that document is a keylogging program that captures data on the victim's computer and then uploads it to a server in Malaysia.

The keylogger is purposely mislabeled with a ".pdf" extension -- Portable Document Format -- another widely used document format, to make it look harmless, said Henry Gonzalez, Websense's senior security researcher.

The trick is another variation of so-called "social engineering" methods used by hackers, which entice users to unknowingly install harmful programs on their computers.

A Better Business Bureau branch warned of a similar kind of attack in February. At that time, the e-mails contained hyperlinks to malicious Web sites. Some kinds of malicious software can be installed on a user's computer merely by viewing a site engineered to exploit a vulnerability within a Web browser.

The latest attack, using the Word document as the delivery vehicle for the malicious software, is a tactic hackers are increasingly employing.