Custom design growing in malware market

Cybercriminals are selling made-to-order malware plugins to steal personal information from online banking customers, a reflection of a maturing black market in which the best developers can demand the highest prices, security vendor Trusteer says.

Depending on the sophistication, the web-inject plugins cost as much as $2,000 and support several malware platforms, such as SpyEye, Zeus and Ice IX, Trusteer says. More generic web injects sell for as little as $50.

Web-injects monitor browser activity and launch fake web pages or form fields when a victim visits an online banking site. The bogus pages or fields are designed to look like they belong to the site and ask for personal information, such user IDs, passwords and debit-card numbers.

Cybercriminals typically install a web-inject in malware already inside a compromised system.

Over the last several months, Trusteer has seen an evolving underground market for Web-injects that copies pricing for traditional software. Early pricing models were based on the malware platform, with some frameworks demanding higher prices than others.

The pricing schemes evolved to include bulk pricing that gave discounts for large orders and geography-based pricing based on the location of the target, Trusteer said. Cyber-criminals later added production-cost pricing, where sellers offered cheaper pre-made Web injects and more expensive custom plugins.

The latest pricing model goes further by charging for specific features and the kind of information the Web-injects are designed to steal. For example, at the high end, a cybercriminal can pay from $1,500 to $2,000 for a web-inject capable of bypassing two-factor authentication, initiating a money transfer and keeping the account balance unchanged to hide the fraud.

If that’s too pricey, a criminal can pay $100 to $200 for plugins that request multiple passwords from victims, send various notifications to the malware’s administration panel, or capture one-time passwords used by some banks to authorize online transactions. For as little as $50, a thief can buy a Web-inject that captures a victim’s balance information and sends it to a command and control server.

The availability of such options is a major advancement from the early days when generic Web-injects were built for specific banking sites, George Tubin, senior security strategist for Trusteer, said. Today, the more sophisticated options mean attackers can get the features they want and are therefore more likely to be successful.

“It’s definitely a maturing industry,” Tubin said.

While web-injects listed above are focused on banking sites, custom-built plugins are expected to be available to cybercriminals looking to steal intellectual property, design drawings and other high-value documents from specific companies. For example, a web-inject could be used to trick an employee to provide his user name and password while logging into a corporate network.

“Because a lot of people are working remotely, the same type of approach is applicable to enterprise attacks as it is to bank customer attacks,” Tubin said.

While web-injects are popular among fraudsters targeting online banking sites, the plugins are also used in attacks against web mail accounts, shopping carts and social networks, such as Facebook.

Cybercriminals last year earned a total of $12.5 billion globally using a variety of online tactics to steal credit-card numbers, bank account information and other valuable data, said the security analyst firm Group-IB.