Heimdal

Cybersecurity researchers have recently discovered InTheBox, a dark web marketplace built specifically to cater to mobile malware operators.

The actor behind it started out providing web inject development services to other cybercriminals, then gradually grew the operation into a full-scale automated marketplace for web injects.

The report indicated that the automation allowed other malicious actors to order the most recent web injects for developing mobile malware.

“InTheBox” also offers customized development solutions for enterprises that use “private” mobile malware, a type of software that is not generally available to the public.

Some of the most widespread malware families today are Alien, Cerberus, Ermac, Hydra, Octopus (also known as “Octo”), Poison, and Metadroid.


Research has found that bad actors often use web injects in their malicious attacks. These are commonly customized modules or packages that inject HTML or JavaScript code into content before it’s rendered on a web browser.

One of the main ways web injects change what you see on your browser is by masking data from the server.

Many people are unsatisfied with their banking experience and are looking for alternatives. It’s a competitive market, but most cybercriminals don’t sell their malware on dark web forums. Instead, they might rent it or use it privately themselves.


Some examples of web injects can be seen in the image above.

Web injects usually cost $50 to $200 each, depending on how popular the financial institution (FI) is and how close it is to its release date. This is significantly less expensive than mobile malware itself. It also comes with essential support and possible customization if the mobile app changes.

This puts the monthly injection at $5,000 or more, or on a commission-based model with payments split between the malware developer and operators.

The “InTheBox” Dark Web Marketplace Insights

On the TOR network, a bad actor known as “inthebox” unveiled a new website for selling web inject templates for multiple mobile malware families. He offers these design layouts either individually or in combination to successfully carry out data theft from victims.

  • Template “Authorization data.”
  • Template “Ask only PIN.”
  • Template “With Credit Card data.”
  • Template “With Credit Card data + ATM PIN.”
  • Template “Ask Full data.”

A new web inject tariff called “unlim” allows cybercriminals to create an unlimited number of web injects during a subscription period.

In addition, this model offers significant opportunities for reducing manual and human contact with marketplace operators by streamlining the processes involved in malware customization.

PitchDealer also contains regional divisions, emphasizing U.S. and U.K. companies, internet services, or financial institutions.

“Once victims are infected, and credentials are stolen, mobile malware enables operators to execute various commands to manage the victim and perform actions on behalf of the criminal for further successful theft.” – said Resecurity.

Cybercriminals are already using “In-the-Box” web injects in attacks on more than 300 financial institutions, payment systems, social media, and online stores from 43 countries.


Author Profile

Gabriella Antal

SMM & Corporate Communications Officer


Gabriella is the Social Media Manager and Cybersecurity Communications Officer at Heimdal®, where she orchestrates the strategy and content creation for the company's social media channels. Her contributions amplify the brand's voice and foster a strong, engaging online community. Outside work, you can find her exploring the outdoors with her dog.
