IBM Trusteer researchers have long been writing about the evolving underground market for webinjects.

Our team recently discovered a new development: Criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by TrendMicro researchers.

Webinject Sales

In our earlier posts, we discussed the various approaches criminals have taken to sell webinjects. Initially, they used malware-based pricing, a model in which webinjects are developed for specific malware platforms such as Zeus and SpyEye and are priced per platform. Certain platforms commanded a higher price for webinjects.

This pricing system was followed by bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinject costs were determined by the geographic location of the target they were designed to attack. Next in line came production cost pricing, where sellers offered cheaper, premade webinjects and charged a premium for custom-made webinjects.

How Much Do These Cost?

The new pricing strategy we discovered for webinjects is based on the specific features requested and the user information they are designed to steal. In one advertisement we came across, the criminal offers to develop webinjects for any malware platform (e.g., SpyEye, Zeus and Ice IX) and target specified by the buyer. The following is the price list for individual webinject features that can be purchased:

  • Balance Grabber: Captures the victim’s balance information and sends it to the fraudster’s command and control server. Price: $50-$100.
  • Balance Replacer: Updates the “actual” balance in an online banking application’s balance page to hide the fraudulent transaction amount. This prevents the victim from realizing that fraud has taken place until he or she receives a paper statement, goes to an ATM or checks his or her balance via phone banking. Price: $200-$300.
  • TAN Grabber: Captures one-time passwords that are used by some banks to authorize online banking transactions. Price: $150-$200.
  • Additional Passwords: This mechanism requests additional passwords from a victim. Price: $100-$200.
  • Alerting: This feature sends various notifications to the malware’s administration panel and Jabber instant messenger client in real time. Price: $100-$200.
  • AZ (Dubbed “Avtozaliv”): This capability, also known as ATS, provides all the components needed to conduct automated and unattended online banking fraud; specifically, it can bypass two-factor authentication, initiate a transfer and update the account balance to hide the fraud. Price: $1,500-$2,000.

Webinjects’ Growing Reach

The advertisement also included videos that demonstrate webinjects developed to attack Italian, Spanish and German banks. This latest development in webinject marketing illustrates how the underground marketplace is following traditional software industry pricing schemes by offering à la carte and complete “suite” pricing options.

Unfortunately, buying high-quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud. Criminals are no longer bound by rigid malware configurations designed to conduct specific exploits at specific institutions. Cyber criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And, according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is that fraudsters will find the ones that succeed.
