Web Attacks Target Foreign Exchange, Payment Processing Sites

A currency trading web site was compromised and used to serve malicious java applications to unwitting visitors, according to researchers at the security firm Websense- part of what might be a larger trend.

Websense said in a blog post on Wednesday that the site tradingforex.com, which is used by foreign currency traders, was infected with a malicious Java applet that, when installed, key logging and screen capture software.

Websense warns that the online currency trading site tradingforex.com was serving malware – part of a pattern of attacks against smaller financial web sites.

Tradingforex.com (@Tradingforexxx) is a Cyprus-based online trading web site. It allows individuals to trade on the global foreign exchange market (or Forex). Users can trade everything from foreign currencies to precious metals, commodities and other financial instruments.

According to an investigation by Websense researcher Gianluca Giuliani, the site was pushing a back door program to visitors using a malicious Java plugin to exploit known Java vulnerabilities on the victims’ computers.

Further investigation by Websense and Giuliani revealed that the malware being pushed through tradingforex.com was linked to another malicious typo-squatting website, targeting users of the online currency site libertyreserve.com.  URLs to a phishing site for libertyreserve.com were found within the malicious Java applet that tradingforex was distributing, Websense said.

Giuliani said that details of the attack made it easy to spot and should have raised red flags with tradingforex users. For one: the malware was written in Visual Basic.Net and would require victims to have Microsoft’s .NET framework installed in order to work on victims’ computers. The installer itself was signed with an expired certificate – which would have tipped off security software on the endpoint or in the browser. Finally,  the victim would have had to give permission to install the malicious attachment, 123.exe.

Prominent attacks against U.S. and European banks have made headlines in recent weeks, as unknown attackers used denial of service attacks to bring down web sites used by Wells Fargo, JPMorgan Chase, Capital One Financial, BB&T and others.  Those attacks are believed to have been politically motivated (politicians and some security experts have fingered Iran as the instigator), but most such attacks have a financial- rather than political or ideological motive. Banking trojans such Zeus are commonly installed on victims’ computers and then programmed to capture user keystrokes and other activity when they visit bank web sites. That information is then used to compromise those accounts and transfer money to accounts controlled by the attackers.

The attacks on tradingforex.com and libertyreserve.com suggest that cyber criminals may be moving downstream from banks and more prominent exchanges and online currency systems (like Paypal) to sites that may be “easier wins,” Giuliani wrote. Smaller sites  “are likely to be less mature from a security perspective.”


One Comment

  1. First of all I would like to say terrific blog!
    I had a quick question which I’d like to ask if you don’t mind.
    I was interested to find out how you center yourself and clear your head before writing.

    I have had a hard time clearing my mind in getting
    my thoughts out there. I truly do take pleasure in writing
    but it just seems like the first 10 to 15 minutes are
    generally wasted just trying to figure out how to begin.

    Any suggestions or hints? Many thanks!