Webinjects have been a feature of banking malware ever since they were popularised with great success by early families such as Zeus. In that time writing Webinjects has become a highly specialized skill with off-the-shelf Webinjects systems becoming as popular as the banking malware itself.

Webinjects are used to deploy Automated Transfer Systems, payment card data harvesters, session hijackers, and even to deploy web based crypto-currency miners. With some vendors in operation for over five years, the area of Webinjects development appears to be a lucrative and potentially long-lived occupation.

This presentation explores prevalent Webinjects systems, their capabilities and which malware families are deploying them, and how we can use Webinjects to track actors as they switch between using different malware families. We present details of the criminal groups we have discovered this way.