

Fraudsters Leverage HTTP Injectors to Steal Internet Access


Threat actors are seeking and exchanging HTTP injectors in order to gain unpaid mobile access to the internet, defrauding service providers and telecommunications companies in the process.

Flashpoint analysts have observed widespread chatter pertaining to the use of HTTP injectors, which modify the HTTP headers of network requests with malicious code that tricks captive portals into allowing a connection to the internet. Many of these HTTP injector files are exchanged on Telegram, a popular messaging service, and much of this activity appears to be conducted by actors based in Latin America, particularly in Brazil and, to a lesser extent, Colombia.

Flashpoint analysts have identified a method by which some actors are likely using HTTP injectors to gain free mobile internet access. The process begins with a device whose SIM card has zero remaining balance. Using the device’s mobile browser, the actors connect to a data-free website, which avoids the captive portal that asks the user to pay before accessing the internet. This initial connection to the data-free website begins the session, which can then be exploited using HTTP injectors to request SSH proxies to connect to the internet.
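A defensive sketch of how a provider could look for the pattern described above, added here as an example and not taken from Flashpoint's research: it reviews flows that claim a data-free host and flags those whose destination lies outside that host's known networks or whose payload carries an SSH banner. The record fields, hostnames, addresses and allowlist are constructed assumptions.

```python
import ipaddress

# Constructed allowlist: data-free hostnames and the networks that serve them.
ZERO_RATED = {"free.example.net": [ipaddress.ip_network("203.0.113.0/24")]}

# Constructed flow records; field names are hypothetical gateway export fields.
FLOWS = [
    {"sub": "A", "host": "free.example.net", "dst": "203.0.113.10",
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"},
    {"sub": "B", "host": "Free.Example.net.", "dst": "198.51.100.7",
     "payload": b"HTTP/1.1 200 OK\r\n\r\nSSH-2.0-OpenSSH_8.9\r\n"},
    {"sub": "C", "host": "free.example.net", "dst": "203.0.113.22",
     "payload": b"SSH-2.0-dropbear\r\n"},
    {"sub": "D", "host": "news.example.org", "dst": "198.51.100.9",
     "payload": b"HTTP/1.1 200 OK\r\n\r\n"},
]


def review_flow(flow):
    """Return the reasons an unbilled (data-free) flow looks abused."""
    host = flow["host"].lower().rstrip(".")
    networks = ZERO_RATED.get(host)
    if networks is None:
        return []  # not claimed as data-free, so it is billed normally
    reasons = []
    dst = ipaddress.ip_address(flow["dst"])
    if not any(dst in net for net in networks):
        reasons.append("dst-outside-zero-rated-range")
    # An SSH identification string has no place in a web session.
    if b"SSH-2.0-" in flow["payload"]:
        reasons.append("ssh-banner-in-http-session")
    return reasons


def flag_subscribers(flows):
    """Map subscriber id -> sorted reasons, for subscribers with any hit."""
    hits = {}
    for flow in flows:
        for reason in review_flow(flow):
            hits.setdefault(flow["sub"], set()).add(reason)
    return {sub: sorted(r) for sub, r in hits.items()}


if __name__ == "__main__":
    for sub, reasons in flag_subscribers(FLOWS).items():
        print(sub, reasons)
```

Flows that do not claim a data-free host are skipped because they are charged normally; only traffic that would otherwise go unbilled is reviewed.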

Telegram has become increasingly popular in cybercriminal and fraud-centric communities over the past few years. The platform has grown in popularity in Brazil following the country’s temporary ban of WhatsApp in 2016.

HTTP injectors are widely distributed at no cost by users on a variety of Portuguese and Spanish-language Telegram channels, many of which have tens of thousands of members. Flashpoint analysts observed one Portuguese-language Telegram channel dedicated to the exchange of HTTP injectors with more than 90,000 members. One possible reason cybercriminals share their HTTP injector files so freely is to generate a larger footprint on the compromised infrastructure being utilized as a proxy by the HTTP injectors, thereby masking their own illicit activities.

Cybercriminals offer HTTP injectors targeting a variety of telecommunications companies around the world. On Telegram, however, actors focus on sharing HTTP injectors targeting Latin American telecommunications companies, particularly those that operate in Brazil.


The use of HTTP injectors to gain free mobile internet access may result in a loss of revenue for telecommunications companies worldwide, particularly those that require a SIM card with a balance to access the internet. This underscores the importance of adopting Business Risk Intelligence (BRI) best practices while leveraging insights gleaned from the Deep & Dark Web to keep up with emerging tactics and ensure that use of telecommunications services is limited to paying customers.


About the author: Amina Bashir


Amina Bashir is an intelligence analyst at Flashpoint. Amina has conducted extensive research on IoT security and taught as an adjunct computer science lecturer at Hunter College, from which she holds a Bachelor of Arts in Computer Science. Amina’s research on "SpEED-IoT: Spectrum Aware Energy Efficient Routing for Device-to-Device IoT Communication" was recently published in Elsevier’s Future Generation Computer Systems journal, and she will present her research on collaborative adversarial modeling for spectrum-aware IoT communications at the International Conference on Computing, Networking and Communications (ICNC) 2018. She is fluent in Hindi, Urdu, and Punjabi, and she is also intermediately proficient in Spanish.

About the author: Liv Rowley

Liv Rowley is an Intelligence Analyst at Flashpoint. She speaks fluent Spanish and specializes in analyzing threats emerging from the Spanish-language underground with an emphasis on Latin America. Prior to Flashpoint, Olivia’s passion for Latin America and the Middle East led her to pursue extensive research on the languages, culture, and political climate of these regions. She has studied abroad in Madrid, Spain and holds a bachelor’s degree in International Relations with a concentration in International Security from Tufts University.