Crooks inject malicious Java applet into FOREX trading website
VXers wouldn't give a XXXX for anything else
A FOREX trading website has been contaminated with a malicious Java applet that is designed to install malware on the systems of visiting surfers.
The targeted website is a popular FOREX (foreign exchange market) website called "Trading Forex" (tradingforex.com). The website remains contaminated as of Thursday lunchtime according to Websense, the web security firm that detected the attack.
The Java applet planted on the website attempts to install a malicious executable written in Visual Basic.Net and requires the Microsoft's .NET framework to be successfully installed and running on a victim's computer. This is an unusual approach.
Hackers intent on distributing malware through compromised websites often use pre-packaged tools, available through underground forums, most notably the widely used Blackhole Exploit kit.
Elad Sharf, senior security researcher at Websense, said it is unclear why the FOREX VXers have taken a different line of attack, although he has a few theories.
"We can only speculate why. One of the likely reasons is that the ‘Blackhole exploit kit’ costs money either to rent or to buy," Sharf told El Reg. "On the other hand, the attack vector that was used on that website can be created with tools that are available for free.
"It’s important to note that there was no exploit involved in this attack but rather a social engineering trick that requires the victim’s involvement - if successful it will allow a backdoor Trojan to run on the victim’s machine," he added.
Carl Leonard, senior security research manager EMEA at Websense, added. "This injection could deposit malware to the users of this site, possibly opening them up to data stealing. We're also seeing typosquatting being used here, perhaps ready for a future attack." ®
For a moment
I thought they had hacked the FourEcks trading site (operated from Didjabringabeeralong no doubt (or was that Bugarup))
Re: For a moment
No worries, mate, she'll be alright...
apache on win32
The first time I see "Apache(Win32)" in the webserver's token. The question is how did the website get compromised.?
It identifies itself as "Apache/2.2.22 (Win32) PHP/5.4.5" .So one would only guess poorly designed php scripts, or the good ol' malware friendly Microsoft OS (0-day?), or that the hacker is a part time admin of the said website, or the use of "passw0rd" as the strong admin password. Could it be all four?