Account Balance Manipulation using Code Injectors

This investigation outlines a recent fraud scenario, shared by one of the DetACT clients and investigated by DetACT analysts, where cybercriminals used social engineering, remote access software, and browser manipulation to deceive a banking customer.

The goal was to gain trust by displaying a fake account balance, ultimately facilitating fraudulent transactions and cryptocurrency-related scams. This article is intended to inform fraud investigators about emerging techniques in digital interface manipulation.

How the Fraud Unfolded: A Narrative Account

The victim, a middle-aged individual with limited technical expertise, was contacted by what appeared to be a legitimate helpdesk. The caller claimed there had been suspicious activity on the victim's bank account and offered to assist in securing the system. The tone was urgent but professional enough to gain the victim’s trust.

During the call, the fraudster requested remote access to the victim’s computer using Google Remote Desktop. Once access was granted, the fraudster guided the victim to install a browser extension under the guise of increasing online security. The extension in question was “Code Injector”, available on the Chrome Web Store. Unbeknownst to the victim, this tool allowed the attacker to alter the content displayed in their web browser.

With the extension installed, the attacker injected a script that simulated a fake bank balance on the landing page of the online banking site. The amount shown was far higher than what actually existed in the account. This artificial display served to convince the victim that they had the funds available to participate in what was likely a cryptocurrency investment scam.

Key findings from the Investigation

When the victim later contacted the bank about unrelated suspicious credit card transactions, the fraud team discovered that the balance referenced by the customer did not match any back-end records.
Further investigation revealed:

The fake balance appeared only on the online banking landing page and was not present when navigating to transaction or account details pages.
The balance formatting used American-style thousand separators (commas), which was inconsistent with the European number format and pointed toward manipulation.
The Chrome browser on the victim’s device had the “Code Injector” extension installed, strongly indicating local page manipulation.
The victim confirmed they had received remote assistance during late November or early December, which aligned with the timeline of the manipulated balance screenshot.
All login attempts and transactions had originated from the victim’s own devices.
Large credit card transactions were authenticated using secure methods. Investigators suspect the victim unknowingly approved these via QR codes shown during screen sharing, believing the activity to be legitimate.

Code Injector - functionality investigation

A code injector is a browser extension or tool that allows users to insert custom code—usually JavaScript—into webpages as they load in the browser. This can be used to modify how a site looks or behaves on the user’s screen. While often used by developers for testing or personal customization, it can also be misused to alter website content in deceptive ways, such as displaying fake account balances.

Code injectors themselves are not illegal—they can be legitimate tools used by developers or advanced users to test or customize websites in their own browsers.

However, their use becomes illegal when they are installed without the user’s informed consent or used to manipulate web content for deceptive purposes, such as faking a bank balance or facilitating fraud. In such cases, their deployment may constitute computer misuse, fraud, or a breach of privacy laws.

Although the extension is no longer available in the Chrome webstore (see screenshot), the code is still available for download in the Firefox add-on store, in the Edge store and the full code is on Github: hxxps://github[.]com/Lor-Saba/Code-Injector

DetACT Analysts downloaded the code and extracted the files to find out more about the inner workings. The extracted files include the full source code of the "Code Injector" extension, including key JavaScript files that control how it injects scripts into webpages.
Notably relevant files are:

/script/main/inject.js — the core script responsible for injecting code.
/script/main/background.js — handles background tasks and possibly rules or triggers for injections.]
/script/main/browser-action.js — related to user interactions with the extension.
/manifest.json — defines extension permissions and the webpages it can access. Found in every extension as a mandatory file.

Examining the inject.js files, we notice the following: The inject.js script in the Code Injector extension is responsible for inserting custom JavaScript, CSS, or HTML into webpages viewed in the browser. It enables the extension to modify the content of any site based on predefined rules.

Key Functionality

JavaScript Injection (injectJS)

The script checks if a rule contains a link to an external JavaScript file. If so, it loads the file and ensures the browser doesn't cache it by appending a timestamp. If no link is provided, it directly injects JavaScript code into the webpage by creating a <script> tag and appending it to the page's <head> section. See screenshot below for the code.

CSS Injection (injectCSS)

This works similarly to the JavaScript injection. The extension can either load an external stylesheet or directly inject raw CSS into the page. This is done by creating a <link> or <style> element.

HTML Injection (injectHTML)

Although not fully shown in the preview, the extension can also insert raw HTML into the page’s DOM, allowing it to add or replace visible elements on the site.

Abuse Potential

This capability allows an attacker to visually manipulate webpages as the victim sees them.
For example:

The attacker can alter balance fields on online banking pages to display false amounts.
Elements like security warnings or transaction details can be hidden or changed.
The extension can simulate fake messages, buttons, or confirmations to mislead the victim.
These changes only affect what is displayed in the victim’s browser. The actual data on the bank’s backend remains untouched.

Recommendations

This case shows how fraudsters combine social engineering with simple technical tools, such as remote sessions, extensions and qr-codes to convincingly manipulate victims.

Be alert to cases where customers report suspicious balances or provide screenshots that do not match backend data. If you are in contact, ask follow-up questions regarding the use of remote-desktop sessions and the installation of extensions/add-ons.
Please note that there are a lot of other extensions offering the same functionality in browser stores and Github, for example Kode Injector and Scripty. Educate customers that a browser extension or add-on is never required to solve any bank issues.
Use Client-Side-Detection scripts to detect manipulation by code injectors.

Contact us

Do you want more information about our solutions, products, training and services? Or want to contact one of our employees? Please fill out the form and we will contact you! For further questions regarding personal data we kindly refer you to our Privacy Policy and Privacy Statement.