Fraudsters Leverage HTTP Injectors to Steal Internet Access

April 9, 2018

Threat actors are seeking and exchanging HTTP injectors in order to gain unpaid mobile access to the internet, defrauding service providers and telecommunications companies in the process.

Flashpoint analysts have observed widespread chatter pertaining to the use of HTTP injectors, which modify HTTP headers on network requests with malicious code that tricks captive portals into connecting to the internet. Many of these HTTP injector files are exchanged using Telegram, a popular messaging service, and much of this activity appears to be conducted by actors based in Latin America, particularly in Brazil and to a lesser extent, Colombia.

Flashpoint analysts have identified a method by which some actors are likely using HTTP injectors to gain free mobile Internet access. The process begins via a device with a SIM card with zero remaining balance. Using the device’s mobile browser, they connect to a data-free website to avoid connecting to a captive portal asking the user to pay before accessing the internet. The initial connection to the data-free website begins the session, which can then be exploited using HTTP injectors to request SSH proxies to connect to the internet.

Telegram has become increasingly popular in cybercriminal and fraud-centric communities over the past few years. The platform has grown in popularity in Brazil following the country’s temporary ban of WhatsApp in 2016.

HTTP injectors are widely distributed at no cost by users on a variety of Portuguese and Spanish-language Telegram channels, many of which have tens of thousands of members. Flashpoint analysts observed one Portuguese-language Telegram channel dedicated to the exchange of HTTP injectors with more than 90,000 members. One possible reason cybercriminals share their HTTP injector files so freely is to generate a larger footprint on the compromised infrastructure being utilized as a proxy by the HTTP injectors, thereby masking their own illicit activities.

Cybercriminals offer HTTP injectors targeting a variety of telecommunications companies around the world. On Telegram, however, actors focus on sharing HTTP injectors targeting Latin American telecommunications companies, particularly those that operate in Brazil.


The use of HTTP injectors to gain free mobile internet access may result in a loss of revenue for telecommunications companies worldwide, particularly those that require a SIM card with a balance to access the internet. This underscores the importance of adopting Business Risk Intelligence (BRI) best practices while leveraging insights gleaned from the Deep & Dark Web to keep up with emerging tactics and ensure that use of telecommunications services is limited to paying customers.