Bespoke 'web-inject' software-for-sale threatens bank chaos

Cyber criminals are offering low-priced and customisable ‘web-injects’ for malware, which a security expert warns could wreak havoc with banks.

An evolving underworld market for malware has shifted to start offering more targeted and often bespoke updates to commonly found malware like Zeus and SpyEye.

Known as web-injects, they are generally used to create fake web pages which pop up when a victim infected with malware uses online banking or makes a transaction.

Just like any market, that of malware and web-injects is subject to changes, and Trusteer has found that, while bulk pricing has been popular in the past, web-inject software writers are producing code with specific features.

For example, the web-injects that Trusteer has uncovered as available for purchase include the Balance Grabber, which captures balance information and sends that data back to the malware command and control server. This will set back cyber criminals between $50 and $100.

A Balance Replacer can update the balance to hide the fraudulent transaction taking place, costing between $200 and $300.

The Additional Passwords mechanism asks for more passwords from a victim, costing up to $200, while the TAN Grabber can capture the one-time passwords that some banks use to authorise online transactions.

According to Trusteer, cyber criminals are essentially aping traditional software vendors, offering an a la carte suite of pricing options.

While the move away from bulk buying to tailor-made web-injects means more cost, the customised software is also becoming more readily available – and cheaper.

This greater availability and improved ability to narrow attack areas is threatening to cause upheaval with financial defences.

According to George Tubin, Senior Security Analyst with Trusteer, many banks could find themselves at considerably greater risk than before.

“It is very concerning for a lot of banks which maybe haven’t been targeted before,” he said, speaking with TechEye. “Typically the malware will target larger institutions.”

“Now you can target almost any bank you want, you could target banks that previously haven’t been targeted,” he said. “These are often the ones that don’t have as good defences in place.”

Big high street banks tend to have very sophisticated fraud protection capabilities in place, so they are harder to attack, but many are not prepared for the kinds of targeted attacks they could come under.

“Criminals can now say which attack they want to use for each institution,” Tubin said. “It definitely makes things more difficult for the financial institution. This opens up the market for criminals.”

“They can go for institutions that aren’t as well protected and prepared for these types of attacks,” he said. “It could be just a matter of time, and it could be disastrous.”

It is the banks and the customers who must take preventative measures, as it is extremely difficult to police web-inject sales, even if they do appear to be sold openly on forums.

Policing is an ongoing battle. A lot of the players in this market are in geographies which are difficult to get to and police.

“It is difficult to go after them, so they are relatively safe,” Tubin said.