Over 1,800 web injects are for sale on Russian cybercrime forums from a threat actor called InTheBox. These phishing overlays are designed to steal credentials from banking, cryptocurrency exchange, and e-commerce apps by imitating widely used software, and they are compatible with several families of Android banking malware.

Mobile banking trojans usually pick an app that is already installed on the infected device and then request the web inject for that specific app from the command-and-control server. When the user launches the app, the malware automatically displays the phishing page, which replicates the real one but is built to capture credentials and other sensitive information. This catalogue of fake pages is part of the phishing-as-a-service model: it lets cybercriminals concentrate on other work, such as malware development and larger campaigns.

Cyble researchers found that InTheBox sells web injects for hundreds of apps, either as packages or individually for $30 each. Buyers can also request a specific inject for any malware family. The package prices Cyble reported work out to about $8 per inject:

814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for $6,512.
495 web injects compatible with Cerberus for $3,960.

Those who buy InTheBox's web inject packages also receive the target app's icon as a PNG file and an HTML file containing JavaScript code that captures the victim's passwords and other sensitive information. Some injects ship with a second overlay that demands the victim's credit card number, expiration date, and CVV. The captured card number is checked with the Luhn algorithm to discard invalid card data; only data that passes the check is converted into a string value and sent to the cybercriminal running the attack.

InTheBox has been selling its Android malware web injects since February 2020 and keeps adding new phishing pages.
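The Luhn check the article mentions, shown here as an added example that is not part of the original article and not InTheBox's code: a mod-10 validator in JavaScript (the language of the inject's HTML payload), a check-digit generator, and two properties a practitioner should know before trusting or hunting for such a filter. Every single-digit typo is caught, but a 09/90 adjacent transposition is not, and passing Luhn says nothing about whether a card is real or live. All function names are mine, the 12 to 19 digit length range is an assumption about realistic PAN lengths, and every card number below is a constructed test value.

```javascript
// Added example (not InTheBox code, not from the article): the Luhn / mod-10
// check used to reject mistyped card numbers, with its known blind spot.
// All card numbers here are constructed test values, not real cards.

// Strip spaces and dashes; an overlay's card field would typically allow both.
function normalisePan(raw) {
  return String(raw).replace(/[\s-]/g, "");
}

// Luhn sum over a digit string, doubling every second digit from the right.
// `doubleLast` is true when the string lacks its check digit (so the rightmost
// digit is doubled) and false when it is a complete card number.
function luhnSum(digits, doubleLast) {
  let sum = 0;
  let dbl = doubleLast;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9; // equivalent to summing the two digits of d
    }
    sum += d;
    dbl = !dbl;
  }
  return sum;
}

// True when `raw` is a plausibly shaped PAN whose Luhn sum is a multiple of 10.
// The 12..19 length window is an assumption, not something the article states.
function luhnValid(raw) {
  const digits = normalisePan(raw);
  if (!/^\d{12,19}$/.test(digits)) return false;
  return luhnSum(digits, false) % 10 === 0;
}

// Check digit that makes `partial` + digit Luhn-valid.
function luhnCheckDigit(partial) {
  const digits = normalisePan(partial);
  if (!/^\d+$/.test(digits)) throw new TypeError("digits only");
  return (10 - (luhnSum(digits, true) % 10)) % 10;
}

// Property 1: every single-digit substitution in a valid PAN is detected.
// The doubling map on 0..9 (0,2,4,6,8,1,3,5,7,9) is a bijection, so changing
// one digit always changes the sum modulo 10.
function allSingleDigitErrorsDetected(pan) {
  const digits = normalisePan(pan);
  if (!luhnValid(digits)) return false;
  for (let i = 0; i < digits.length; i++) {
    for (let d = 0; d <= 9; d++) {
      if (d === digits.charCodeAt(i) - 48) continue;
      const mutated = digits.slice(0, i) + d + digits.slice(i + 1);
      if (luhnValid(mutated)) return false;
    }
  }
  return true;
}

// Property 2: swapping adjacent digits is usually detected, except for 09/90,
// because 0 and 9 map to themselves under the doubling rule.
function swapAdjacent(pan, i) {
  const digits = normalisePan(pan);
  return digits.slice(0, i) + digits[i + 1] + digits[i] + digits.slice(i + 2);
}

// Filtering step of the kind the article describes: keep only records whose
// card number passes Luhn. Luhn alone never proves a card is real or active.
function keepLuhnValid(records) {
  return records.filter((r) => luhnValid(r.pan));
}

// Constructed sample records (not captured data).
const SAMPLE_RECORDS = [
  { pan: "4111 1111 1111 1111", exp: "12/26", cvv: "123" }, // classic test PAN, valid
  { pan: "4111 1111 1111 1112", exp: "12/26", cvv: "123" }, // last digit mistyped
  { pan: "5500 0000 0000 0004", exp: "01/27", cvv: "456" }, // valid test PAN
  { pan: "1234 5678",           exp: "01/27", cvv: "789" }, // too short to be a PAN
];
```

For a defender the useful take-away is the inverse of the attacker's use: a Luhn-valid number in captured form data or in an exfiltration string is a strong hint that the field was a card number, so the same routine works as a content classifier when triaging data found on a command-and-control panel or in a memory dump.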
This Cyber News was published on heimdalsecurity.com. Publication date: Thu, 02 Feb 2023 11:12:03 +0000