report / Dec 12, 2015

Webinject Analysis: Newsidran.com

by Elman Reyes

Webinject attacks modify webpages to allow fraudsters to collect credentials, or act more directly against user accounts. The newsidron.com script injection serves as a good example of how these attacks are conducted, detected, and ultimately stopped.

A Trojan is a piece of malware that appears to the user to perform a desirable function, but actually steals information or harms the system (perhaps in addition to the expected function). Trojans employ two main techniques to steal users' credentials or initiate money transfers on their behalf: modifying the website's client-side web page, or sniffing the browser's activity for information that is sent to different banks before the packets are encrypted by SSL.

Recently several e-banking Trojans (Zeus, Cridex, and Citadel, for instance) have used script injection techniques to modify the original web page. The modification may enable the attacker to perform money transactions using victims' credentials. This may be perpetrated by a Trojan injecting a malicious JavaScript code to the client's browser, once the client is connected to the website. The injected code performs different functions, including attempting a money transfer from the client's account, gaining control on mobile devices, and much more. To maintain the information sent by the Trojans, attackers have developed different types of command and control (C&C) systems that enable them to grab and manage the injected code and its functions These systems are usually PHP-based systems accompanied by a SQL database.

For the newsidran.com example, the malware on an infected machine establishes a few variables before the injection takes place, the most substantial of which are:

  • fAkEbotid.
  • fAkEbotname.

This initial prompt for the webinject asks for various pieces of credit card information. Note that all communication and resources (such as images and scripts) used by this attack are injected from the same newsidran.com domain name.

To see the full version of this report, click "Download" below.

MODIFIED: Jul 06, 2017

Tags: , ,
stay up to date

Get the latest application threat intelligence from F5 Labs.

There was an error signing up.
Thank you, your email address has been signed up.

Follow us on social media.