Cyber-Underground Takes Buffet Approach to Selling Bank Fraud Malware

Researchers at Trusteer say cyber-criminals are offering feature-based pricing on malware components to give black market customers greater flexibility.

Cyber-criminals are now pricing webinjects based on the specific features being requested, underscoring an ongoing movement towards flexibility in the black market, according to security researchers at Trusteer.

Webinjects are malware components that launch fake Web pages or form fields when users visit certain sites, typically as part of efforts to target online bankers. Previously webinjects were developed for specific malware platforms such as Zeus and SpyEye and priced per platform.

In today's underground market they are made-to-order and priced according to the information they designed to steal.

"The malware is getting more feature rich, allowing attackers to set various parameters for each attack," explained George Tubin, senior security strategist for Trusteer.

"This recent finding is more about the fact that one would €˜traditionally€™ purchase a complete attack kit that was fairly rigid. The webinject pages were predesigned€”they could only be used for certain financial institutions and would only do certain attacks (inject some fields on the login page asking for ATM card numbers and PIN for example). Now, the attacker can get a completely customizable configuration to target whatever institution(s) they want with whatever exploit they want," Tubin said.

The price of the individual webinject features varies. For example, a capability known as AZ (also known as ATS) that enables an attacker to bypass two-factor authentication, initiate a transfer and update an account balance to hide fraud can cost between $1,500 and $2,000.

However a feature called 'Balance Grabber' that captures the victim€™s balance information and sends it to the fraudster's command and control (C&C) server was observed priced from $50 to $100. Password-stealing feature TAN Grabber meanwhile goes for between $150 and $200.

"This latest development in webinject marketing illustrates how the underground marketplace is following traditional software industry pricing schemes by offering a la carte and complete €œsuite€ pricing options," blogged Amit Klein, CTO of Trusteer.

"Unfortunately, buying high quality webinjects is getting easier and more affordable, which opens the door for more criminals to get into the business of online banking fraud. Criminals are no longer bound by rigid malware configurations designed to conduct specific exploits at specific institutions.

€œCriminals can now specify the precise exploit and target institution that they believe will maximize their ability to successfully commit fraud. And according to basic statistics, the more combinations of exploit types and targets attempted, the more likely it is for fraudsters find those that succeed," Klein wrote.

According to Tubin, there has also been a rise in the software-as-a-service approach to the cyber-crime market, such as hosting the command and control servers for an attack or providing access to a set of pre-compromised machines for an attacker to use for a specific attack.