September 2, 2010


Fraudsters Run One-Stop Shop Online to Sell Data-Stealing Code

(December 29, 2008) Fraudsters are running an online trading post for highly sophisticated code that allows criminals to more easily steal consumers’ log-on credentials, Social Security Numbers, PINs, and other confidential information, according to the latest report from RSA Security Inc.’s Anti-Fraud Command Center.

The fraudster Web site, which RSA analysts call a “Web Injection Shop,” sells so-called HTML injections, or bits of code that can allow phishing perpetrators to mimic the look of a financial institution’s Web pages, including pages that ask for log-on credentials. The code also allows fraudsters to add fields to the pages to ask for information the legitimate pages don’t ask for. The injections usually accompany Trojans, code that fraudsters install on the computers of unwary users when they visit certain sites or click on unknown e-mail links.

While these HTML injections are nothing new, the creation of what RSA calls a “production-scale central repository” for them is. Indeed, the sophistication of the code and of its merchandising online has led the Bedford, Mass.-based security firm, part of EMC Corp., to call the trend “fraud as a service,” or FaaS, after the more familiar and legitimate trend toward software as a service (SaaS), in which companies sell solutions for specific online functions.

The Web site sells two types of injection, according to RSA. With one, fraudsters can weave new content into a financial institution’s actual pages. The new content typically consists of fields asking for mother’s maiden name, PINs, Social Security Numbers, or other sensitive data. The other type allows the buyer to insert a completely fabricated page into the user’s browser, again asking for information not requested by the legitimate site.
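
For defenders, the first type of injection shows up as form fields that the institution's own page template never contained. The sketch below is an added example, not taken from RSA's report or from this article: it compares a snapshot of a page as rendered in a user's browser with the known-good template and lists the extra fields. The sample HTML, the field names, and the hint list are constructed assumptions.

```python
from html.parser import HTMLParser

# Name fragments for the data the injected fields ask for (constructed, heuristic list).
SENSITIVE_HINTS = ("pin", "ssn", "social", "maiden")


class FormFieldCollector(HTMLParser):
    """Collects the names of form controls and the action of every form on a page."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self.actions = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "form":
            self.actions.add(attr.get("action") or "")
        elif tag in ("input", "select", "textarea") and attr.get("name"):
            self.fields.add(attr["name"].lower())


def collect(html):
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields, parser.actions


def diff_against_baseline(baseline_html, rendered_html):
    """Report controls and form targets present in the rendered page but not in the template."""
    base_fields, base_actions = collect(baseline_html)
    seen_fields, seen_actions = collect(rendered_html)
    extra = sorted(seen_fields - base_fields)
    return {
        "extra_fields": extra,
        "sensitive_extra": [f for f in extra if any(h in f for h in SENSITIVE_HINTS)],
        "new_form_actions": sorted(seen_actions - base_actions),
    }


# Constructed samples: the genuine login template and a snapshot with woven-in fields.
BASELINE = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
</form>"""
RENDERED = """<form action="/login" method="post">
<input type="text" name="username"><input type="password" name="password">
<input type="text" name="atm_pin"><input type="text" name="mothers_maiden_name"/>
</form>"""

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE, RENDERED))
```

A completely fabricated page, the second type, would show every field as extra because no template exists for it. Substring hints produce false positives, so the output is a triage signal for an analyst.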

With yet another product offered by the new fraudster site, buyers can install code on users’ machines that searches for the balance field when users log on to their bank accounts. This so-called balance grabber then copies and transmits the account balance back to the fraudster’s server. Armed with this information, online criminals can set prices for log-on credentials according to the richness of the balance to be plundered.

The going price for HTML injections is $10 to $30 each, depending on the target institution and the type of code, according to RSA’s report. The report says these injections could follow a path similar to that of phishing kits, online tools that standardize the launch of phishing attacks. These tools have dropped in price as they have proliferated in underground forums. “When the fraudster market is saturated by HTML injection offerings, their price may drop since HTML pages are fairly simple to design,” says the report.

Some 207 financial-institution brands were attacked in phishing campaigns in November, up significantly from 167 in October, the report says. The total includes 23 banks whose sites had not before been targeted by fraudsters. Regional U.S. banks were the target of 48% of the attacks, with credit unions accounting for 30% and banks that operate nationwide accounting for 23%.









Copyright 2010 by Boland Hill Media LLC. All the text, graphics, audio, design, software, and other works are
the copyrighted works of Boland Hill Media LLC. All rights reserved. Any redistribution or reproduction of any
materials herein is strictly prohibited.