Computer security experts warned yesterday of another new Internet threat that can steal the passwords and account information of people who bank online -- the second such discovery in a week.
Users can pick up the latest bug, which doesn't yet have a name, from pop-up ads that secretly download software capable of capturing their keystrokes. The pop-ups originate at Web sites that receive their ads from certain online ad services, which apparently had themselves been hacked to spread the malicious code.
The bug targets users of Microsoft Corp.'s Internet Explorer browser. Experts said users can protect themselves from the bug by using a non-Microsoft Corp. browser or by using software to block pop-ups. Internet Explorer users are immune if they download and install a patch that was released in April. Internet Explorer users are also being advised to set the security setting for their browsers to "high," a level that makes it more difficult to interact with some Web sites.
Software on computers that pick up the bug will record the keystrokes of users who visit any of 50 targeted financial Web sites, security experts said. The bug apparently attempts to send the stolen information to a Web site based in Estonia.
The bug is not widespread; the first instance was reported Friday afternoon by the Internet Storm Center, a warning system established by an organization for computer security professionals called the SANS Institute. A director for the center said that only a few additional instances of the bug had been found by yesterday afternoon.
The bug appears to be unrelated to an Internet attack on Friday in which users could pick up malicious, keystroke-logging software merely by visiting infected Web sites. That attack also targeted users of financial services sites.
"I believe that this particular type of malware represents a huge threat to the online financial industry," wrote Tom Liston, a computer security expert who analyzed the latest exploit in a report released yesterday by the Internet Storm Center.
Where banks and online commerce sites use encrypted connections between a user's computer and the company's computer, this new strain of software records a user's keystrokes from outside the encrypted connection on a user's computer. In other words, users who make sure to look for the padlock on the bottom-right corner of Internet Explorer when they make transactions could still be vulnerable to theft if their computer is infected with this program.
But some computer security experts said that the nature of the threat means that future versions might also be more easily contained than traditional viruses, which push and multiply themselves aggressively across networks. The newest scheme can be stopped by cutting off Internet traffic to the Web site that collects the recorded information.
"Anything that requires a fixed address to do business is much easier to shut down," said David Perry, global director of information at Trend Micro Inc.
The bug was reported to the Internet Storm Center on Friday, by a "high-profile e-commerce site, a dot-com that you know the name of," said Marcus Sachs, director of the Internet Storm Center, who declined to identify the site by name. An employee had unwittingly downloaded the program, but his or her computer had not installed it because its browser security settings were set on the highest level.