Webinject attacks modify webpages to allow fraudsters to collect credentials, or act more directly against user accounts. The newsidron.com script injection serves as a good example of how these attacks are conducted, detected, and ultimately stopped.
A Trojan is a piece of malware that appears to the user to perform a desirable function, but actually steals information or harms the system (perhaps in addition to the expected function). Trojans employ two main techniques to steal users' credentials or initiate money transfers on their behalf: modifying the website's client-side web page, or sniffing the browser's activity for information that is sent to different banks before the packets are encrypted by SSL.
For the newsidran.com example, the malware on an infected machine establishes a few variables before the injection takes place, the most substantial of which are:
This initial prompt for the webinject asks for various pieces of credit card information. Note that all communication and resources (such as images and scripts) used by this attack are injected from the same newsidran.com domain name.
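The two indicators the text describes, resources pulled from an unexpected domain and extra card-detail fields grafted onto a genuine form, can be checked against a snapshot of what the browser actually rendered. The following is an added example and not code from the report: it takes a constructed page snapshot (a hypothetical bank site on `examplebank.test`, an invented allowlist, invented paths under the newsidran.com domain named above) and returns the off-allowlist resources and the form fields the genuine page does not have.

```javascript
// Added example: flagging webinject indicators in a captured page snapshot.
// Not the report's own code. All sample data is constructed; only the
// newsidran.com domain comes from the report.

// Origins the genuine page is expected to load resources from
// (constructed allowlist for a hypothetical bank site).
const ALLOWED_ORIGINS = new Set([
  'https://www.examplebank.test',
  'https://static.examplebank.test',
]);

// Input fields the genuine login form contains (constructed).
const EXPECTED_LOGIN_FIELDS = new Set(['username', 'password']);

// Return resources whose origin is not on the allowlist. Relative URLs are
// resolved against the page URL so same-origin paths are not flagged.
function findForeignResources(pageUrl, resources) {
  const foreign = [];
  for (const res of resources) {
    let origin;
    try {
      origin = new URL(res.src, pageUrl).origin;
    } catch (e) {
      foreign.push({ ...res, reason: 'unparseable URL' });
      continue;
    }
    if (!ALLOWED_ORIGINS.has(origin)) {
      foreign.push({ ...res, origin, reason: 'origin not on allowlist' });
    }
  }
  return foreign;
}

// Return form field names the genuine form does not have. A webinject that
// adds card-number / expiry / CVV prompts to the login form shows up here.
function findUnexpectedFields(fieldNames, expected = EXPECTED_LOGIN_FIELDS) {
  return fieldNames.filter((name) => !expected.has(name.toLowerCase()));
}

// Build the snapshot from a live DOM; only usable where `document` exists.
function snapshotFromDocument(doc) {
  const resources = [...doc.querySelectorAll('script[src], img[src], iframe[src]')]
    .map((el) => ({ tag: el.tagName.toLowerCase(), src: el.getAttribute('src') }));
  const fields = [...doc.querySelectorAll('form input[name]')].map((el) => el.name);
  return { pageUrl: doc.location.href, resources, fields };
}

function analyseSnapshot(snap) {
  return {
    foreignResources: findForeignResources(snap.pageUrl, snap.resources),
    unexpectedFields: findUnexpectedFields(snap.fields),
  };
}

// Constructed snapshot of an infected session: two legitimate resources plus
// an injected script and image from the newsidran.com domain (paths invented),
// and three card-detail fields added to the login form.
const SAMPLE_SNAPSHOT = {
  pageUrl: 'https://www.examplebank.test/login',
  resources: [
    { tag: 'script', src: '/js/app.js' },
    { tag: 'img', src: 'https://static.examplebank.test/logo.png' },
    { tag: 'script', src: 'https://newsidran.com/inject.js' },
    { tag: 'img', src: 'https://newsidran.com/card-form.png' },
  ],
  fields: ['username', 'password', 'cardNumber', 'expiry', 'cvv'],
};

console.log(JSON.stringify(analyseSnapshot(SAMPLE_SNAPSHOT), null, 2));
```

Because a man-in-the-browser Trojan rewrites the page inside the victim's browser, the server never sees the injected markup; a check like this therefore has to run on a client-side snapshot (for example reported back as telemetry) rather than on the server's own response, and a single foreign origin appearing across many sessions is the signal worth alerting on.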
MODIFIED: Jul 06, 2017