A FORM GRABBER is a type of malware that specifically targets web forms. It “listens” for user input and lifts pertinent information from form fields, usually those which prompt for authentication and/or authorization details. Usernames and passwords (login credentials) are among its usual targets. What makes a Form Grabber especially dangerous is that it operates inside the browser and captures data before it is encrypted and transmitted, so HTTPS offers no protection against it. This includes data supplied by auto-fill and copy-and-paste operations, as well as input from virtual keyboards.
Allegedly invented in 2003 by the same person who developed Downloader.Barbew, a version of the infamous Trojan horse, the Form Grabber malware first appeared in the wild alongside the Zeus banking Trojan in 2007. The epidemic rise of Zeus, also known as Zbot, was attributed to mass email spamming in which the malware presented itself as a reputable banking organization and duped users into sharing their most sensitive financial details.
The damage done by Zeus didn’t subside until three years later, when its creator supposedly retired and released its source code. Experts at the time argued that releasing the code would only inspire other developers to create newer and more dangerous programs. Sure enough, the Form Grabber reemerged in 2012, repackaged as Tiny Banker, or Tinba for short. Like its predecessor, this form grabber was used for stealing banking information and was found to have infiltrated more than twenty-four United States financial institutions.
Today, Form Grabber malware of all types is primarily considered Internet banking crimeware, as its implementation has yet to change. It remains a popular choice among hackers and cyber criminals for siphoning a user’s online banking details. Once in their possession, the stolen information is used for scams or fraud, or it is traded to third parties for illegal use.
How the Form Grabber Works
When a user visits a malicious web site or domain, they become “targeted” and certain mechanisms are triggered. Vulnerabilities in the web browser are exploited and malware is then installed on the targeted computer system. Sometimes the downloaded components are bots that carry out Man-in-the-Browser (MITB) attacks.
Bots begin working almost immediately once installed, hooking into a DLL of the browser. Browsers such as Internet Explorer and Microsoft Edge, for example, depend on Microsoft Windows DLL files for program data and other resources. Like a Trojan horse, a Form Grabber ultimately gains access to all system files and hijacks a browser through add-ons and custom toolbars. Its agenda, however, is to lay hold of financial login data, oftentimes submitted voluntarily by the user of an infected browser. Once input is detected in a web form, it is immediately “grabbed” and sent to the attacker’s domain.
In general, no input field is exempt from a form grabber. Alphanumeric text fields, as well as drop-downs and radio buttons, are all susceptible to compromise. When the form is submitted, its contents are captured, copied, and transmitted to a parent server, where they are usually added to a database.
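The hook into a browser DLL described above is also where a defender can look for a form grabber: an inline hook overwrites the first bytes of an exported function with a jump into the malware's own code, so the in-memory prologue no longer matches the clean copy on disk. The following Python is an added example, not code from the original article or from any product it mentions. It checks function prologues for typical hook patterns and for any difference from the on-disk bytes. The prologue byte strings and the base address are constructed for illustration; reading the real in-memory and on-disk prologues of a browser's exported functions is assumed to be done by the caller.

```python
"""Heuristic inline-hook check for x86/x64 function prologues (added example)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First-instruction byte patterns that are typical of a hook trampoline
# and unusual for the genuine entry of an exported API function.
_HOOK_PATTERNS = (
    ("jmp rel32", lambda b: b[:1] == b"\xE9"),
    ("jmp rel8", lambda b: b[:1] == b"\xEB"),
    ("jmp [mem]", lambda b: b[:2] == b"\xFF\x25"),
    ("push imm32; ret", lambda b: b[:1] == b"\x68" and b[5:6] == b"\xC3"),
    ("mov rax,imm64; jmp rax", lambda b: b[:2] == b"\x48\xB8" and b[10:12] == b"\xFF\xE0"),
)


@dataclass
class HookFinding:
    function: str
    kind: str
    target: Optional[int]  # resolved jump target where it can be computed


def detect_hook(name: str, prologue: bytes, base: int = 0) -> Optional[HookFinding]:
    """Return a finding if the prologue starts with a control transfer, else None.

    `base` is the virtual address of the function, used to resolve relative jumps.
    """
    for kind, match in _HOOK_PATTERNS:
        if not match(prologue):
            continue
        target = None
        if kind == "jmp rel32":
            rel = struct.unpack_from("<i", prologue, 1)[0]
            target = base + 5 + rel          # rel32 is relative to the next instruction
        elif kind == "push imm32; ret":
            target = struct.unpack_from("<I", prologue, 1)[0]
        elif kind == "mov rax,imm64; jmp rax":
            target = struct.unpack_from("<Q", prologue, 2)[0]
        return HookFinding(name, kind, target)
    return None


def diff_against_disk(disk_bytes: bytes, memory_bytes: bytes) -> Optional[int]:
    """Offset of the first byte where memory departs from the on-disk image, or None."""
    for i, (d, m) in enumerate(zip(disk_bytes, memory_bytes)):
        if d != m:
            return i
    return None


def scan(functions: Dict[str, Tuple[bytes, bytes, int]]) -> List[HookFinding]:
    """functions maps name -> (on-disk prologue, in-memory prologue, base address)."""
    findings = []
    for name, (disk, mem, base) in functions.items():
        finding = detect_hook(name, mem, base)
        if finding is None and diff_against_disk(disk, mem) is not None:
            # Patched, but not with a recognised jump: still worth a look.
            finding = HookFinding(name, "prologue differs from on-disk image", None)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample prologues (not read from any real binary):
# mov edi,edi; push ebp; mov ebp,esp  (the hot-patchable prologue Windows DLLs commonly use)
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec")
# jmp +0x0ffb written over the first five bytes, landing 0x1000 past the function start
HOOKED_PROLOGUE = bytes.fromhex("e9fb0f0000")
# int3 written over the first byte: differs from disk but is not a jump
BREAKPOINTED_PROLOGUE = bytes.fromhex("ccff558bec")

if __name__ == "__main__":
    sample = {
        "SendFunctionA": (CLEAN_PROLOGUE, CLEAN_PROLOGUE, 0x10001000),       # hypothetical export name
        "SendFunctionB": (CLEAN_PROLOGUE, HOOKED_PROLOGUE, 0x10001000),      # hypothetical export name
        "SendFunctionC": (CLEAN_PROLOGUE, BREAKPOINTED_PROLOGUE, 0x10001000),
    }
    for f in scan(sample):
        tgt = f"-> {f.target:#x}" if f.target is not None else ""
        print(f"{f.function}: {f.kind} {tgt}")
```

A jump at the entry of an exported function is a signal, not proof: endpoint protection products and browser extensions also install hooks with the same trampoline shapes, so a finding should be followed by identifying which module the jump target belongs to before it is treated as a form grabber.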