From their relatively simplistic and niche origins – somewhat in tune with phishing - webinjects have advanced significantly to become a a complex and sophisticated beast. So much so in fact that in recent years, they have emerged as a real and growing threat to banks and financial institutions.

Nowadays, cybercriminals are increasingly using commoditized and even customized webinject kits with their banking trojans to steal data and money from victims. In this piece we take a closer look at their development.

In its purest sense

Webinject is a free and open-source tool that is primarily designed to automate the testing of web applications and web services, and it has commonly been used by security researchers over the last 20 years to test web system components with HTTP interfaces.

There are a lot of places where code injections can take place on a website, web application or web service, and so it is important for web admins to check these for load testing, quality assurance and security purposes.

Taking advantage of the system

However, criminals have also looked to use webinject files with their banking trojans to access personal information for fraudulent reasons. In fact, some criminals will purposely look to add webinject files to their malware variants to increase their chances of data theft. In fact, this has been used for many years by most banking trojans.

These webinject files are basically a text file with a lot of JavaScript and HTML code and are used by cybercriminals to target organizations by injecting specific code into the victims’ browsers – in real-time – so they can modify these webpages.

Used in conjunction with a banking trojan, the webinject will usually show a fake pop-up on a legitimate website, as well as add or remove content, especially at a time when the victim is engaged in online banking or making a transaction.

The cybercriminals aim to make the webpage appear fine, all the while stealing the victim’s login and banking details. Some kits may look for security information when the user signs into a banking website, or even ask for permission to transfer funds, usually using social engineering techniques that might create the illusion that the money was transferred to the user’s account accidentally and therefore needs to be refunded.

Webinjects evolution

“This technique is quite old, but has evolved considerably in the past few years,” wrote Jean-Ian Boutin, a malware researcher at ESET, in a blog discussing his paper Evolution of Webinjects. Presented at the 24th Virus Bulletin conference in Seattle last year, the study looked at how far webinjects have come.

“Usually, the banking trojans will download some form of webinject configuration file, which contains the target as well as the content that should be injected into the target webpage,” he continued.

“Some webinjects will try to steal personal information from the user by injecting additional fields in a form the user is seeing, thus creating an elaborate phishing page, while others are much more complex and might even try to automate fraudulent transfers from the victim’s bank account to a money mule account.”

Multifarious and highly specialized

Such is the extent of the rapid progression of webinjects that they have grown to be commodities, sold and negotiated in “underground forums” and tailored to meet the specific needs of cybercriminals looking to target banks and other financial institutions.

Moreover, webinject software writers have become adept at producing customized kits at the fraction of the cost of days gone by, although those with special features – like grabbing a bank balance and sending it back to the criminal’s command-and-control (C&C) server – do cost more. But, given the possible rewards, it’s a short-term cost many attackers don't mind taking on.

While many banks and financial institutions have their own, unique security systems in place, the fact that webinjects can be customized to overcome these distinct security measures is troubling. Underestimating this fact is a big mistake – the black market for these kits demonstrates a kind of vigor that suggests the criminals behind webinjects are here to stay.