The California-based cybersecurity firm Resecurity has discovered a brand-new Dark Web marketplace that serves mobile malware developers and operators. Presented below is an overview of the firm’s findings.
What is “In The Box”?
According to Resecurity’s cybersecurity researchers, the new marketplace, called “In The Box”, has been available to scammers and cybercriminals on the Tor network since at least early May 2020.
Since then, the marketplace has evolved into a full-fledged cybercrime services facilitator and has become the Dark Web’s largest marketplace of its kind, given the many unique tools and web-injects up for sale. Cybercriminals can use these tools for online banking and financial fraud, including theft.
Why Are Web-Injects in Demand?
Web-injects are a form of man-in-the-browser attack. Previously, such attacks targeted PCs using malware like SpyEye, Zeus, and Gozi; threat actors have now learned to apply the same approach to mobile devices.
Web-injects succeed in extracting sensitive financial data because digital payments are so tightly interconnected with mobile apps. Web-injects can be integrated into mobile malware to intercept banking credentials, social media login details, payment system credentials, email credentials, etc.
That’s not all. These tools can also collect sensitive data such as credit card info, phone number, personally identifiable information, and address.
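Because a web-inject works by altering the page or form the victim actually sees, one defensive control is to compare what the server sent against what the client rendered and flag anything that was added. The following is an added, self-contained Python example written for this article, not code from Resecurity or from any of the malware families mentioned: it inventories the form fields and external scripts in two HTML documents and reports fields or scripts that appear only in the observed copy. The two HTML snippets and the hostname cdn.example.invalid are constructed for illustration. Note the caveat that mobile injects often use overlay windows rather than DOM changes, so a check like this is one signal among several, not a complete defence.

```python
"""Detect form fields or scripts injected into a login page (constructed example)."""
from dataclasses import dataclass, field
from html.parser import HTMLParser

# Words that commonly appear in the extra fields an inject adds to harvest data.
SENSITIVE_KEYWORDS = ("card", "pin", "cvv", "ssn", "otp", "passport")


@dataclass
class PageInventory:
    fields: list = field(default_factory=list)   # (name, type) pairs in document order
    scripts: list = field(default_factory=list)  # src values of external scripts


class _InventoryParser(HTMLParser):
    """Collects form controls and external script sources from HTML."""

    def __init__(self):
        super().__init__()
        self.inv = PageInventory()

    def handle_starttag(self, tag, attrs):
        # Valueless attributes arrive as None; normalise them to "".
        a = {k: (v or "") for k, v in attrs}
        if tag in ("input", "select", "textarea"):
            name = a.get("name") or a.get("id") or "<unnamed>"
            kind = a.get("type", "text").lower() if tag == "input" else tag
            self.inv.fields.append((name, kind))
        elif tag == "script" and a.get("src"):
            self.inv.scripts.append(a["src"])


def inventory(html: str) -> PageInventory:
    parser = _InventoryParser()
    parser.feed(html)
    parser.close()
    return parser.inv


def find_injections(baseline_html: str, observed_html: str) -> dict:
    """Compare the page the server sent (baseline) with the page the client
    rendered (observed) and report anything present only in the observed copy."""
    base = inventory(baseline_html)
    seen = inventory(observed_html)
    base_fields = set(base.fields)
    base_scripts = set(base.scripts)

    added_fields = [f for f in seen.fields if f not in base_fields]
    added_scripts = [s for s in seen.scripts if s not in base_scripts]
    # Added fields whose names look like they harvest card/PIN/OTP data.
    sensitive = [
        name for name, _ in added_fields
        if any(k in name.lower() for k in SENSITIVE_KEYWORDS)
    ]
    return {
        "added_fields": added_fields,
        "added_scripts": added_scripts,
        "sensitive_names": sensitive,
    }


# Constructed sample: the genuine login form as served by the bank.
BASELINE_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <script src="/static/app.js"></script>
</form>
"""

# Constructed sample: the same form after an inject added two fields and a script.
OBSERVED_HTML = """
<form action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="card_number" type="text">
  <input name="atm_pin" type="password">
  <script src="/static/app.js"></script>
  <script src="https://cdn.example.invalid/inject.js"></script>
</form>
"""

if __name__ == "__main__":
    result = find_injections(BASELINE_HTML, OBSERVED_HTML)
    for name, kind in result["added_fields"]:
        print(f"unexpected field: {name} ({kind})")
    for src in result["added_scripts"]:
        print(f"unexpected script: {src}")
    if result["sensitive_names"]:
        print("possible credential-harvesting inject:", result["sensitive_names"])
```

In practice the baseline would come from the application’s own build artefacts or a server-side hash of the page, and the observed copy from client-side telemetry; the comparison logic is the same.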
How Dangerous is this Marketplace?
Currently, this marketplace has more than 1,849 malicious tools for sale, specifically designed to target major e-commerce and financial institutions, payment systems, social media firms, and online retailers in at least 45 countries.
This includes the UK, USA, Brazil, Canada, Colombia, Saudi Arabia, Mexico, Bahrain, Singapore, and Turkey. Cybercriminals have already targeted high-profile organizations like Citi, Amazon, Bank of America, PayPal, DBS Bank, Wells Fargo, etc. In November 2022, 144 injects were updated to improve their efficacy and visuals.
As shown in the screenshot below, the team behind In The Box is offering web-injects for $100 per month, as well as an “Unlim” tier that lets the buyer generate an unlimited number of injects for $2,475 or $5,888, depending on the trojans it supports.
Who Runs “In The Box”?
The marketplace operators are closely connected to the developers of major mobile malware families, such as Ermac, Cerberus, Octopus aka Octo, Hydra, MetaDroid, and Alien, among others. The actors operating “In The Box” offer web-injects categorized by geography, which other bad actors can buy to launch attacks.
“The automation allows other bad actors to create orders to receive the most up-to-date web injects for further implementation into mobile malware,” Resecurity researchers wrote in their blog post.