Man
Cybersecurity researchers from Resecurity have discovered and described a new marketplace called InTheBox. The site recently appeared on the darknet and caters to operators of malware targeting mobile devices. In total, InTheBox offers over 400 professionally developed web injects aimed at services in the US, the UK and other countries.
The marketplace's creator has been known in authoritative underground communities since 2020, when they offered web inject development as a service to other market participants. That business has since been scaled into a full-fledged, largely automated platform.
Who is at risk. InTheBox lets attackers order up-to-date web injects for use in mobile malware that intercepts account credentials and PIN codes and steals bank card data and other payment information. Beyond the banking sector, the injects also target large online stores (Amazon, Alibaba), social networks, messengers (WhatsApp), dating sites (Tinder), video conferencing platforms (Zoom) and streaming services (Netflix, Spotify).
In addition to ready-made templates, customers can commission custom injects for their fraud campaigns. Most often, web injects are purchased for the following malware families: Alien, Cerberus, Ermac, Hydra, Octopus (aka "Octo"), Poison and MetaDroid.
How does a web injection work? The victim only needs to open a targeted mobile app, or its website in the browser, on a device already infected with the malware and fill out an ordinary form, for example to make a payment or log into an account. At that moment the malware displays the web inject, a purpose-built HTML page that mimics the legitimate form and surrounding content, on top of the real one, so the user sees no difference between the copy and the original. On Android this is typically done by rendering the inject in a WebView overlay as soon as the malware detects the targeted app in the foreground, so the usual cues (address bar, app icon) are absent. Whatever is typed into the copy goes to the attackers.
After the credentials have been harvested and sent to the C2 server, the malware operators can issue commands to control the victim's device: list SMS messages, send SMS or set up forwarding. This is how they obtain the one-time codes banks send by SMS to confirm transactions, which is why SMS-based confirmation offers no protection once malware runs on the same device.
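The two paragraphs above describe the attack from the victim's side. As an added example (not code from Resecurity, from the marketplace or from any of the named malware families), here is the kind of client-side check an Android banking app can run before it shows a login or payment form. The allow-list of accessibility services is constructed for this example and is an assumption; a real vendor would maintain its own. The APIs used (`AccessibilityManager.getEnabledAccessibilityServiceList`, `View.setFilterTouchesWhenObscured`) are standard Android framework calls.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.content.pm.ResolveInfo;
import android.view.View;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Client-side checks a banking app can run before showing a login or payment form. */
public final class OverlayRiskCheck {

    // Constructed allow-list for this example (assumption): accessibility services the
    // app vendor has vetted. A real list would come from the vendor's own review.
    private static final Set<String> TRUSTED_ACCESSIBILITY_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback" // Android's TalkBack screen reader
    ));

    private OverlayRiskCheck() {}

    /**
     * Returns the package names of enabled accessibility services that are not on the
     * allow-list. Android banking trojans rely on an accessibility service to learn which
     * app is in the foreground and to draw their inject over it, so an unexpected service
     * is a strong risk signal. It is not proof: a user may legitimately run an unusual one,
     * so the caller should treat a hit as a reason for step-up checks, not a hard block.
     */
    public static List<String> untrustedAccessibilityServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return suspicious;
        }
        List<AccessibilityServiceInfo> enabled =
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            ResolveInfo ri = info.getResolveInfo();
            if (ri == null || ri.serviceInfo == null) {
                continue;
            }
            String pkg = ri.serviceInfo.packageName;
            if (!TRUSTED_ACCESSIBILITY_PACKAGES.contains(pkg)) {
                suspicious.add(pkg);
            }
        }
        return suspicious;
    }

    /**
     * Hardens a sensitive input view against partial overlays (tapjacking): the framework
     * drops touches that arrive while another window covers the view. This does NOT stop a
     * full-screen inject of the kind described above, because then the user types into the
     * malware's window and this view never receives the input at all; it only removes the
     * cheaper trick of a small fake element layered over the real form.
     */
    public static void hardenSensitiveField(View field) {
        field.setFilterTouchesWhenObscured(true);
    }
}
```

Run `untrustedAccessibilityServices` when the login or payment screen is created; on a non-empty result the app can log the packages to its backend risk engine and require confirmation through a channel the device cannot intercept (for example a push approval on a second enrolled device or a hardware authenticator) instead of an SMS code. Because this code runs on a device that may already be compromised, its result is a signal for server-side risk scoring, not a security boundary in itself.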
How much does it cost? InTheBox works with several underground web inject developers who track the latest versions of the content, functionality and design of the mobile apps and services they target, which is why the injects are so effective. In November 2022 alone, the platform pushed a large update of 144 web injects with improved visual design.
Web injects are usually cheaper than the mobile malware itself, from $50 to $200 per inject. Beyond the product itself, the customer typically receives basic support and possible customization if the design of the targeted service or app changes.
Malware prices also vary, and with the move to rental and private operations, the cost of the malware can exceed $5,000 per month. Because of the high cost, attackers often choose another option: a commission model with payments for successful thefts, in which a certain percentage of the proceeds goes to the malware operator and developers.
What's happening now. According to the researchers, the most popular items on the InTheBox marketplace are currently imitations of online banking systems and cryptocurrency exchanges. Attackers are focusing on businesses, online services and financial institutions in the US and the UK, as well as a number of other countries.
At the moment, all information about this marketplace has been handed over to the relevant authorities, financial institutions and Google's security team, since most of the malware targets Android devices.