Heimdal
Home > Cybersecurity News

InTheBox Threat Actor Sells Over 1,800 Web Injects on Cybercrime Forums

The Web Injects Are Targeting Android Banking Apps.

Last updated on February 2, 2023

article featured image

Contents:

1,894 web injects (overlays of phishing windows) are for sale on Russian cybercrime forums. The threat actor that advertises them, called InTheBox, offers affordable deals and prices.

The phishing windows are meant to steal credentials from banking, cryptocurrency exchange, and e-commerce apps imitating widely-used software, and they are compatible with various Android banking malware.

How Web Injects Change the Game

Mobile Banking Trojans usually choose an app that already exists on the infected device and then request from the Command & Control server the web inject for that specific app. When the app is launched by the user, the malware shows automatically the phishing page that replicates the real one but is meant to steal credentials and other important info.

Such a variety of fake pages is part of the Phishing-as-a-service concept and allows cybercriminals to focus their work on other things, like malware development and bigger campaigns.

Cyble researchers show that InTheBox sells web injects for hundreds of apps that can be bought as a package, or individually, for $30. Hackers can also require a certain inject for any malware.

As of January 2023 InTheBox lists the following web inject packages, updated as recently as October 2022:

  • 814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for $6,512
  • 495 web injects compatible with Cerberus for $3,960
  • 585 web injects compatible with Hydra for $4,680

Source

InTheBox’s Web Injects

Threat actors that buy the InTheBox’s web inject packages also get the app’s icon as a PNG file, as well as an HTML file containing JavaScript code that captures the victim’s passwords and other sensitive information.

Sometimes buyers can get also a second overlay meant to demand the credit card number, expiration date, and CVV from the victim.

InTheBox Threat Actor Sells Over 1,800 Web Injects on Cybercrime Forums

Source

The stolen data is verified using the Luhn algorithm to sort out invalid credit card data. And only after that, the exfiltrated info is converted into string value to be sent to the cybercriminal launching the attack.

InTheBox sells its Android malware web injections since February 2020, always coming up with new phishing pages.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Author Profile

Andreea Chebac

Digital Content Creator

Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her ONG, cultural, and media background to this job.

Related Articles

What is Cybersecurity-as-a-Service (CSaaS) and How It Can Help Your Business?New Phishing-as-a-Service Toolkit DiscoveredMalware as a Service (MaaS). What It Is and How It Can Threaten Your Business?

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V