Below is a media alert from Amit Klein, Trusteer's CTO, on new research which has found that cybercriminals have been busy developing webinjects for Zeus and SpyEye to orchestrate and develop malevolent attacks against certain brands. The full details are below, but here is a quick summary:
Webinjects are malware configuration directives that are used to inject rogue content in the web pages of bank websites to steal confidential information from the institution’s customers.
Webinjects are actually being offered for sale on many open internet forums and developers are earning a decent income from selling the Zeus/SpyEye webinjects service to an increasingly diverse customer base.
From the advertisements we’ve seen there are multiple targets, including British, Canadian, American, and German banks.
Worryingly, the prices are pretty reasonable. According to the website advertisements:
- One webinject pack $60
- UK webinject pack $800
- US webinject pack $740
- Updating / modification of webinjects $20 each
On one of the forums, Trusteer even found an advertisement for the large pack of webinjects (19 MB) being sold for just $15-$20.
According to Amit Klein, Trusteer's CTO, cybercriminals have been busy developing webinjects for Zeus and SpyEye to orchestrate and develop malevolent attacks against certain brands. Webinjects are malware configuration directives that are used to inject rogue content in the web pages of bank websites to steal confidential information from the institution’s customers. And it’s not a contained problem, as Tanya Shafir from Trusteer’s research team has discovered that these webinjects are actually being offered for sale on many open internet forums!
Tanya’s investigations reveal that these shrewd developers are earning a decent income from selling the Zeus/SpyEye webinjects service to an increasingly diverse customer base. The really interesting element is that they’re not too bothered whether the customer has the skills to use it. In fact, they’d probably prefer they didn’t, as the developers have gone to the trouble of obfuscating the Zeus/SpyEye webinjects, not because they want to confuse malware researchers, but to try and prevent piracy of their software!
Amit Klein said, “That means, ironically, that these criminals are actually taking steps to protect their own intellectual property. I suppose they have to do something as they can’t resort to litigation.”
Since webinjects can’t be modified by the customer, if they need localization for a specific country and language, this can only be carried out by the developers, who are only too willing to do so for a price.
However, resale is rife. Those who have purchased a copy of a webinject are openly reselling their version to anyone wanting to steal the same information from victims.
Klein continued, “From the advertisements we’ve seen there are multiple targets, including British, Canadian, American, and German banks.”
The prospective customer can see a detailed description of the type of information that can be stolen from each brand, almost like ordering from a catalogue.
Worryingly, the prices are pretty reasonable. According to the website advertisements:
- One webinject pack: 60 WMZ/LR
- UK webinject pack: 800 WMZ/LR
- US webinject pack: 740 WMZ/LR
- Updating / modification of webinjects: 20 LR each
These prices are in Webmoney/Liberty Reserve units (1 WMZ/LR is equivalent to 1 USD).
On one of the forums we even found an advertisement for the large pack of webinjects (19 MB) being sold for just $15-$20.
Klein concluded, “So, anyone with malevolent intentions and a bit of spare cash, can bag themselves a bargain!”