Customized webinjects for Zeus and SpyEye Trojans on sale

Criminals are now selling customized webinjects that are priced per feature. For example, one seller offers a webinject for Zeus/SpyEye that contains the automatic transfer system (ATS).

Initially, criminals used malware-based pricing for selling webinjects. In this model, webinjects were developed for specific malware platforms such as Zeus and SpyEye, and priced per platform. Certain platforms commanded a higher price for webinjects.

This pricing system was followed with bulk pricing, where criminals offered discounts for large orders, as well as geography-based pricing, where webinjects costs were determined by the geographic location of the target they were designed to attack. That was followed by production cost pricing, where sellers offered cheaper pre-made webinjects and charged a premium for custom-based webinjects.

The new pricing strategy Trusteer discovered charges for webinjects based on the specific features requested and user information they are designed to steal.

In one advertisement they came across, the criminal offers to develop webinjects for any malware platform (e.g., SpyEye, Zeus, Ice IX) and target specified by the buyer. Here is the price list for individual webinject features that can be purchased:

Balance grabber – captures the victim’s balance information and sends it to the fraudster’s command and control (C&C) server. Price: $50-$100.

Balance replacer – Updates the “actual” balance in online banking application’s balance page to hide the fraudulent transaction amount. This prevents the victim from realizing fraud has taken place until they receive a paper statement, go to an ATM, or check their balance via phone banking. Price: $200-$300.

TAN grabber – captures one-time passwords that are used by some banks to authorize online banking transactions. Price: $150-$200.

Additional passwords – this mechanism requests additional passwords from a victim. Price: $100-$200.

Alerting – this feature sends various notifications to the malware’s administration panel and Jabber instant messenger client in real time. Price: $100-$200.

AZ (dubbed “avtozaliv”) – this capability, also known as ATS, provides all the components needed to conduct automated and unattended online banking fraud. Specifically, it can bypass two-factor authentication, initiate a transfer, and update the account balance to hide the fraud. Price: $1500-$2000.

The advertisement also included videos that demonstrate webinjects developed to attack Italian, Spanish and German banks.

This latest development in webinject marketing illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete “suite” pricing options.

Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud.

Criminals are no longer bound by rigid malware configurations designed to conduct specific exploits at specific institutions. Criminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud.

According to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters find those that succeed.