6

I've heard many times that malware like Zeus, SpyEye and Citadel are able to do browser injections to steal credit card data. How do they do it? how do browser "injections" work? How are they able to tamper all browser data? Furthermore, why don't browser extension writers use something like browser injections to ensure compatibility with all browsers?

Additional question: Is there any source code you could look at as an example? You could make so much slick stuff with it!

Kush
  • 275
  • 2
  • 9

3 Answers3

3

These applications typically do not take data directly from the browser.

  1. They analyze the current window (title). For example if there is something like (shopping cart, checkout, transfer, secure https), then take user input (data are taken directly, not from the browser).

  2. They can retrieve all user input and only send sensitive data to the server, the data is checked first by regulary expressions.

You can get keyloggers examples here:

http://www.rohitab.com/discuss/topic/14610-awsome-c-keylogger/

http://sourceforge.net/apps/mediawiki/pykeylogger/index.php?title=Main_Page

Dinu Rodnitchi
  • 131
  • 1
  • They usually add data. – cutrightjm Jul 23 '12 at 00:31
  • nope , not talking about keylogger , but about man in the browser .., even expiry date of credit card , u cant type it , u select it from list , so here keylogger is useless , and the bad guys always get expiry dates : D – Hichem Dec 17 '15 at 23:31
2

They work by injecting malicious code into your browser (or your system). They exploit some vulnerability to inject the malicious code and cause the malicious code to be injected. The malicious code contains a payload of some sort. The payload may do things like spy upon your interactions with your browser or with web sites.

If you are asking how bad guys are able to inject malicious code into your system, then the key phrase is "drive-by downloads". Search for that, and you'll find lots more. Basically, drive-by download attacks exploit some vulnerability in the browser that lets them inject malicious code.

If you are asking how the payload is able to steal your credit card, the answer is that once malicious code is running on your system, it is able to read all keystrokes, spy on all your interactions with all of your applications, and hook into internal browser APIs. So once malicious code is running on your system, you are hosed.

Community
  • 1
D.W.
  • 98,860
  • 33
  • 271
  • 588
1

I was always under the impression that these injections were just injecting html which would render another control. For example, when the victim browses to www.bankingwebsite.com they are presented with a login screen that normally asks only for cardnumber and password.

Suppose we also want their CCV, expiry date and their mothers maiden name. We can inject some html and have the browser render these extra questions.

Usually what happens is that the hacker would have a list of common banking websites in the country/continent that they want to harvest details for. They would then gather the urls they need to watch out for and add the extra html to some config file that the malware would use.

Now eBay would never normally ask for all this extra information. So we have injected some HTML to ask for all the victims details, and given them a reason (fraudulent purposes) as to why they need to provide it.

enter image description here

Check out http://www.xylibox.com/2014/04/zeusvm-and-steganography.html

Mathemats
  • 113
  • 6