by teraflop 4818 days ago
The funny thing is, this particular attack doesn't even involve a Java vulnerability. You have to either specifically grant the applet elevated permissions (giving it full access to your computer) or download and run something that claims to be a "Java updater" from the "g2f.nl" domain.
2 comments

What I'm not getting is how a running executable can log into a website and initiate a transaction. It won't have your password, right? Or is it just a keylogger to catch your password?
Like your regular XSRF, it relies on the user already being logged in some browser tab.

It probably has a keylogger too.

The lesson is that the weakest link in a computer system is the human.