1,894 web injects (overlays of phishing windows) are for sale on Russian cybercrime forums. The threat actor that advertises them, called InTheBox, offers affordable deals and prices.

The phishing windows are meant to steal credentials from banking, cryptocurrency exchange, and e-commerce apps imitating widely-used software, and they are compatible with various Android banking malware.

How Web Injects Change the Game

Mobile Banking Trojans usually choose an app that already exists on the infected device and then request from the Command & Control server the web inject for that specific app. When the app is launched by the user, the malware shows automatically the phishing page that replicates the real one but is meant to steal credentials and other important info.

Such a variety of fake pages is part of the Phishing-as-a-service concept and allows cybercriminals to focus their work on other things, like malware development and bigger campaigns.

Cyble researchers show that InTheBox sells web injects for hundreds of apps that can be bought as a package, or individually, for $30. Hackers can also require a certain inject for any malware.

As of January 2023 InTheBox lists the following web inject packages, updated as recently as October 2022:

  • 814 web injects compatible with Alien, Ermac, Octopus, and MetaDroid for $6,512
  • 495 web injects compatible with Cerberus for $3,960
  • 585 web injects compatible with Hydra for $4,680


InTheBox’s Web Injects

Threat actors that buy the InTheBox’s web inject packages also get the app’s icon as a PNG file, as well as an HTML file containing JavaScript code that captures the victim’s passwords and other sensitive information.

Sometimes buyers can get also a second overlay meant to demand the credit card number, expiration date, and CVV from the victim.

InTheBox Threat Actor Sells Over 1,800 Web Injects on Cybercrime Forums


The stolen data is verified using the Luhn algorithm to sort out invalid credit card data. And only after that, the exfiltrated info is converted into string value to be sent to the cybercriminal launching the attack.

InTheBox sells its Android malware web injections since February 2020, always coming up with new phishing pages.

If you liked this article, follow us on LinkedInTwitterFacebookYouTube, and Instagram for more cybersecurity news and topics.

Cybersecurity-as-a-service (CSaaS)

New Phishing-as-a-Service Toolkit Discovered

Malware as a Service (MaaS). What It Is and How It Can Threaten Your Business?

Leave a Reply

Your email address will not be published. Required fields are marked *