MalwareHunterTeam said the malware they discovered on the BSF website – called SocketPlayer – had not been seen anywhere else earlier

An official website of the Border Security Force was discovered to be hosting files infected with malware. The website bsf.gov.in is currently offline, and a BSF spokesperson told TOI that the website has been under security audit for little over a month now.

An Indian security expert found the malware files capable of sending fake emails pretending to be from Mumbai’s United Services Club, which serves military officers and eminent citizens. The paramilitary force’s other website bsf.nic.in was functioning normally on Saturday. The malware issue became public knowledge after MalwareHunterTeam, a globally-diffused team of security professionals and researchers who diagnose malware on infected files, tweeted about it on Friday.

A UK-based security researcher, Bryan Cambell, also ran a check on bsf.gov.in and tweeted that the website had “numerous malware” and “multiple vulnerabilities.”

A BSF spokesperson told TOI that the organisation’s teams were aware of the issues. “The website has been under security audit for the last 30-40 days. Concerned officials are comprehensively studying various elements of the website and why they were behaving in a certain manner,” he said.

MalwareHunterTeam said the malware they discovered on the BSF website – called SocketPlayer – had not been seen anywhere else earlier. “Currently, every single SocketPlayer sample we know of is either seen on BSF's website, or they are samples that were downloaded by the samples seen there,” they tweeted from their handle @malwrhunterteam.

Mumbai-based security professional Yash Kadakia analysed the way the malware works.

“From an initial look, it appears that once downloaded, these infected files work by accessing a person’s contact lists through a mail client like Outlook to send out emails pretending to be from the United Services Club in Mumbai. The email then triggers another malware which can remotely access one’s system from attacker controlled servers in Germany and the USA,” Kadakia told TOI over phone.