New Phishing Kits Hit the Market: Trojan HTML Injections Now for SaleJanuary 6, 2009 – 1:20 PM
The economic lifecycle of the underground fraud community functions very similarly to the world of legitimate business. Online fraudsters have supply chains, third-party outsourcers, vendors, and online forums where people with skills and people with opportunities to commit fraud can find each other. The underground fraud supply chain is becoming more technically and operationally sophisticated, and we’ve coined this “Fraud-as-a-Service” or “FaaS”. FaaS consists of services for advanced hosting, Trojan infection kits and cashout services – all for sale within the fraudster underground.
Some fraudsters have developed websites to sell ready-made products to other fraudsters, such as phishing kits. Recently, the RSA FraudAction Research Lab traced a new type of service on a particular website to sell HTML injections, which can be combined with Trojan attacks. We will refer to this website as a Web Injection Shop.
HTML injections are not a new approach to stealing credentials and other personal information. However, the production-scale central repository for HTML injections in the Web Injection Shop is a new discovery, and is easily accessible by fraudsters. The Web Injection Shop that was traced is very similar to other websites that sell phishing kits and offers a long list of HTML injection codes designed to steal information from customers of dozens of financial institutions worldwide. Similar to phishing kits, each HTML injection is specifically tailored to match each bank’s specific website design.