A FOREX trading website has been contaminated with a malicious Java applet that is designed to install malware on the systems of visiting surfers.
The targeted website is a popular FOREX (foreign exchange market) website called "Trading Forex" (tradingforex.com). The website remains contaminated as of Thursday lunchtime according to Websense, the web security firm that detected the attack.
The Java applet planted on the website attempts to install a malicious executable written in Visual Basic.Net and requires the Microsoft's .NET framework to be successfully installed and running on a victim's computer. This is an unusual approach.
Hackers intent on distributing malware through compromised websites often use pre-packaged tools, available through underground forums, most notably the widely used Blackhole Exploit kit.
Elad Sharf, senior security researcher at Websense, said it is unclear why the FOREX VXers have taken a different line of attack, although he has a few theories.
"We can only speculate why. One of the likely reasons is that the ‘Blackhole exploit kit’ costs money either to rent or to buy," Sharf told El Reg. "On the other hand, the attack vector that was used on that website can be created with tools that are available for free.
"It’s important to note that there was no exploit involved in this attack but rather a social engineering trick that requires the victim’s involvement - if successful it will allow a backdoor Trojan to run on the victim’s machine," he added.
Carl Leonard, senior security research manager EMEA at Websense, added. "This injection could deposit malware to the users of this site, possibly opening them up to data stealing. We're also seeing typosquatting being used here, perhaps ready for a future attack." ®