Abstract

Wednesday 24 September 14:30 - 15:00, Green room. Jean-Ian Boutin, ESET. This paper is available online (HTML, PDF). Download slides (PDF).

Webinject files are now ubiquitous in the banking trojan world to aid financial fraud. What started as private and malware-family-dependent code has now blossomed into a full ecosystem where independent coders are selling their services to botnet herders. This specialization phenomenon can be observed in underground forums, where we see a growing number of offers of fully functional webinject packages providing all the functionalities required to bypass the latest security measures implemented by financial institutions.

Our research covers the current webinject scene and its commoditization. We will take a look back and show how it has evolved over time, going from simple phishing-like functionalities to automatic transfer systems (ATS) and two-factor authentication bypass, along with mobile components and fully fledged web control panels to manage money exfiltration through fraudulent money transfers. Nowadays, a piece of malware that can inject arbitrary HTML content into a browser is all that is needed by a resourceful botmaster, as he can now outsource practically every other step required to perform a successful fraudulent financial transfer. This is confirmed by our recent observation of several malware families using the same webinject kits.

Our research will try to answer the question: will we see a consolidation phase leading to the emergence of a few select omnipresent webinject kits, similar to what we have seen in the web exploit kit scene?
