A currency trading web site was compromised and used to serve malicious Java applications to unwitting visitors, according to researchers at the security firm Websense, part of what might be a larger trend.
Websense said in a blog post on Wednesday that the site tradingforex.com, which is used by foreign currency traders, was infected with a malicious Java applet that, when installed, deployed key logging and screen capture software.
Tradingforex.com (@Tradingforexxx) is a Cyprus-based online trading web site. It allows individuals to trade on the global foreign exchange market (or Forex). Users can trade everything from foreign currencies to precious metals, commodities and other financial instruments.
According to an investigation by Websense researcher Gianluca Giuliani, the site was pushing a back door program to visitors using a malicious Java plugin to exploit known Java vulnerabilities on the victims’ computers.
Further investigation by Websense and Giuliani revealed that the malware being pushed through tradingforex.com was linked to another malicious typo-squatting website, targeting users of the online currency site libertyreserve.com. URLs to a phishing site for libertyreserve.com were found within the malicious Java applet that tradingforex was distributing, Websense said.
Giuliani said that details of the attack made it easy to spot and should have raised red flags with tradingforex users. For one: the malware was written in Visual Basic.Net and would require victims to have Microsoft’s .NET framework installed in order to work on victims’ computers. The installer itself was signed with an expired certificate – which would have tipped off security software on the endpoint or in the browser. Finally, the victim would have had to give permission to install the malicious attachment, 123.exe.
Prominent attacks against U.S. and European banks have made headlines in recent weeks, as unknown attackers used denial of service attacks to bring down web sites used by Wells Fargo, JPMorgan Chase, Capital One Financial, BB&T and others. Those attacks are believed to have been politically motivated (politicians and some security experts have fingered Iran as the instigator), but most such attacks have a financial rather than a political or ideological motive. Banking trojans such as Zeus are commonly installed on victims’ computers and then programmed to capture user keystrokes and other activity when they visit bank web sites. That information is then used to compromise those accounts and transfer money to accounts controlled by the attackers.
The attacks on tradingforex.com and libertyreserve.com suggest that cyber criminals may be moving downstream from banks and more prominent exchanges and online currency systems (like Paypal) to sites that may be “easier wins,” Giuliani wrote. Smaller sites “are likely to be less mature from a security perspective.”