June 26, 2012, by Amit Klein

IBM Trusteer researchers have long been writing about the evolving underground market for webinjects.

Our team recently discovered a new development: Criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by TrendMicro researchers.

Webinject Sales

In our earlier posts, we discussed the various approaches criminals have taken to sell webinjects. Initially, they used malware-based pricing, a model in which webinjects are developed for specific malware platforms such as Zeus and SpyEye and are priced per platform. Certain platforms commanded a higher price for webinjects.

This pricing system was followed by bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinject costs were determined by the geographic location of the target they were designed to attack. Next in line came production cost pricing, where sellers offered cheaper, premade webinjects and charged a premium for custom-made webinjects.

How Much Do These Cost?

The new pricing strategy we discovered for webinjects is based on the specific features requested and the user information they are designed to steal. In one advertisement we came across, the criminal offers to develop webinjects for any malware platform (e.g., SpyEye, Zeus and Ice IX) and target specified by the buyer. The following is the price list for individual webinject features that can be purchased:

  • Balance Grabber: Captures the victim’s balance information and sends it to the fraudster’s command and control server. Price: $50-$100.
  • Balance Replacer: Updates the “actual” balance in an online banking application’s balance page to hide the fraudulent transaction amount. This prevents the victim from realizing that fraud has taken place until he or she receives a paper statement, goes to an ATM or checks his or her balance via phone banking. Price: $200-$300.
  • TAN Grabber: Captures one-time passwords that are used by some banks to authorize online banking transactions. Price: $150-$200.
  • Additional Passwords: This mechanism requests additional passwords from a victim. Price: $100-$200.
  • Alerting: This feature sends various notifications to the malware’s administration panel and Jabber instant messenger client in real time. Price: $100-$200.
  • AZ (dubbed “Avtozaliv”): This capability, also known as ATS, provides all the components needed to conduct automated and unattended online banking fraud; specifically, it can bypass two-factor authentication, initiate a transfer and update the account balance to hide the fraud. Price: $1,500-$2,000.

Webinjects’ Growing Reach

The advertisement also included videos that demonstrate webinjects developed to attack Italian, Spanish and German banks. This latest development in webinject marketing illustrates how the underground marketplace is following traditional software industry pricing schemes by offering à la carte and complete “suite” pricing options.

Unfortunately, buying high-quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud. Criminals are no longer bound by rigid malware configurations designed to conduct specific exploits at specific institutions. Cyber criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And, according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is that fraudsters will find the ones that succeed.
