Difference between revisions of "The evolution of webinjects"
(Created page with "{{Publication|Author=Jean-Ian Boutin|Editor=ESET}}") |
|||
| Line 1: | Line 1: | ||
{{Publication|Author=Jean-Ian Boutin| | {{Publication | ||
|Botnet=ZeuS, SpyEye, | |||
|Feature=Webinject, | |||
|Year=2014 | |||
|Date=2014-09-24 | |||
|Editor=Virus Bulletin | |||
|Link=https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Boutin.pdf | |||
|Author=Jean-Ian Boutin | |||
|Type=Conference paper or presentation | |||
|Abstract=Webinject fi les are now ubiquitous in the banking trojan world as a means to aid fi nancial fraud. What started as private and malware-family-dependent code has blossomed into a full ecosystem where independent coders are selling their services to botnet herders. This specialization phenomenon can be observed in underground forums, where we see a growing number of offers of comprehensive webinject packages providing all the functionalities required to bypass the latest security measures implemented by financial institutions. | |||
Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, having started with simple phishing-like functionalities and now offering automatic transfer systems (ATS) and two-factor authentication bypass, along with mobile components and fully fl edged web control panels to manage money exfiltration through fraudulent transfers. | |||
Nowadays, a piece of malware that can inject arbitrary HTML content into a browser is all that a resourceful botmaster needs, as he can outsource virtually every other step in the process of performing a successful fraudulent financial transfer. | |||
This has been confi rmed by our recent observation of several malware families using the same webinject kits. Our research attempts to answer the question: will we see a consolidation phase, leading to the emergence of a few omnipresent webinject kits, similar to what we have seen in the web exploit kit scene? | |||
}} | |||
Latest revision as of 03:16, 22 August 2015
(Publication) Google search: [1]
| The evolution of webinjects | |
|---|---|
| Botnet | ZeuS, SpyEye |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | Webinject |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2014 / 2014-09-24 |
| Editor/Conference | Virus Bulletin |
| Link | https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Boutin.pdf (Archive copy) |
| Author | Jean-Ian Boutin |
| Type | Conference paper or presentation |
Abstract
“ Webinject fi les are now ubiquitous in the banking trojan world as a means to aid fi nancial fraud. What started as private and malware-family-dependent code has blossomed into a full ecosystem where independent coders are selling their services to botnet herders. This specialization phenomenon can be observed in underground forums, where we see a growing number of offers of comprehensive webinject packages providing all the functionalities required to bypass the latest security measures implemented by financial institutions.
Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, having started with simple phishing-like functionalities and now offering automatic transfer systems (ATS) and two-factor authentication bypass, along with mobile components and fully fl edged web control panels to manage money exfiltration through fraudulent transfers. Nowadays, a piece of malware that can inject arbitrary HTML content into a browser is all that a resourceful botmaster needs, as he can outsource virtually every other step in the process of performing a successful fraudulent financial transfer.
This has been confi rmed by our recent observation of several malware families using the same webinject kits. Our research attempts to answer the question: will we see a consolidation phase, leading to the emergence of a few omnipresent webinject kits, similar to what we have seen in the web exploit kit scene?
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2014BFR4748,
editor = {Virus Bulletin},
author = {Jean-Ian Boutin},
title = {The evolution of webinjects},
date = {24},
month = Sep,
year = {2014},
howpublished = {\url{https://www.virusbtn.com/pdf/conference/vb2014/VB2014-Boutin.pdf}},
}