A darknet market specializing in webinject malware is catching the attention of cybersecurity researchers after a report by Resecurity brought it into media focus for the first time. The market, known as “InTheBox,” is believed to have been around since January 2020 but recently shifted from private services to a “fully productized automated marketplace.” It is now being described as “the largest mobile malware marketplace” on either the dark or clear web.
InTheBox currently offers a sophisticated assortment of customized templates to be used by attackers. Its subscription-based webinject services include updates to match design changes on targeted mobile apps. Accounts for the marketplace can be created, and its contents accessed, only after approval from the admin via Telegram or Jabber message.
According to researchers at SecurityAffairs, mobile-based webinject services have the same success rate as their PC-based counterparts, although mobile webinject malware is often cheaper to purchase. As of Nov. 2022, there were over 1,800 “malicious tools” identified for mobile device attacks for sale across various hacking forums and the dark web. Such attacks have thus far affected users in more than 45 countries, with customers of Amazon, Bank of America, Citi, PayPal, and Wells Fargo being among the most popular targets.
Cybersecurity experts warn that the success of InTheBox may encourage the rise of more darknet marketplaces specializing in the sale of mobile-based malware, posing a greater, persisting threat to the world’s smartphone user base, which is estimated to have surpassed 6.6 billion (roughly 83% of the global population) in Dec. 2022.
The Tor URL for InTheBox provided in a Resecurity screenshot was unreachable as of the writing of this article.